This website provides readers an historical perspective on the evolution of various healthcare laws and regulations affecting healthcare freedom and privacy.
For updated information about healthcare freedom and privacy issues, visit Citizens' Council for Health Freedom's website

Health Freedom Watch
May 2008


Anti-Discrimination Bill Inadvertently Legalizes Sharing of Genetic Information Without Patient Consent

“While authors of the recently passed Genetic Information Nondiscrimination Act of 2008 (H.R. 493) had good intentions, the bill inadvertently legalizes the sharing of genetic information without patient consent,” says Sue Blevins, president of the Institute for Health Freedom (IHF). “It does so by applying HIPAA regulations to genetic data.”

Blevins points out, “HIPAA regulations permit data sharing without patient consent in connection with treatment, payment, and oversight of the health-care system (‘health-care operations’). Thus, by passing a bill that says HIPAA regulations apply to genetic information, Congress unintentionally legalized the sharing of information among many health-care ‘covered entities’ without patient permission.”

The bill passed the Senate late last month, a year after the House approved its own version.  Differences between the two were resolved May 1, and the final bill has been sent to President Bush.

In a letter published in the Baltimore Sun regarding the Senate’s vote on the anti-discrimination bill, Janis G. Chester, M.D., president of the American Association of Practicing Psychiatrists, stressed: “…A person’s genetic test results, and all of his or her medical data, should not be available to anyone without the patient’s consent. One’s employer should not even know he or she has had testing done, let alone know the results.  The sad fact is that the regulations under the Health Insurance Portability and Accountability Act [HIPAA], which were intended to extend patient privacy as we moved from a paper-based system of medical records to a digital system, are a sham.  HIPAA allows the routine release of personal health information without patient consent or knowledge, and even over a patient’s objection….”

Amending HIPAA Privacy Regulations Without Public Input

H.R. 493 forbids the “use or disclosure” of genetic information for underwriting purposes by insurers under HIPAA regulations.  But the bill fails to give individuals the final say on whether their genetic data can be shared for many other purposes permitted under the HIPAA rule.  In fact, it requires the [HHS] Secretary to amend the HIPAA regulations to cover genetic information, so that genetic information “shall” be treated as health information.  And the bill says that the revised HIPAA rule “shall be effective upon publication [in the Federal Register], without opportunity for any prior public comment, but may be revised, consistent with this section, after opportunity for public comment.” (Emphasis added.) In effect, this means:

  • HHS must publish a notice in the Federal Register to amend the HIPAA regulations without an opportunity for public comment.
  • Once the amended HIPAA regulations take effect, then the public may comment on the revised rule.
  • At that point, the rule may (or may not) be revised again.
  • In the meantime, genetic information will be defined legally as “health information” under HIPAA regulations, which permit the sharing of health information for many purposes without patient consent. 

Health Plans Permitted to Obtain Genetic Data for Making Payment Determinations

The bill amends the Employee Retirement Income Security Act of 1974 (ERISA), the Public Health Service Act (PHSA), and the Internal Revenue Code to “prohibit a group health plan from adjusting premium or contribution amounts for a group on the basis of genetic information.” Also, group health plans are prohibited from requesting or requiring that individuals or their family members undergo genetic testing. However, the legislation says that such prohibition may not “limit the authority of a health care professional to request an individual to undergo a genetic test” or “preclude a group health plan from obtaining and using the results of a genetic test in making a determination regarding payment.” In other words, insurers cannot establish insurance rates on the basis of genetics, but they can determine payment amounts on that basis.

Do Exceptions Nullify Genetic Privacy Guarantees?

H.R. 493 also makes it illegal for employers to discriminate based on employees’ genetic information.  And it supposedly makes it unlawful for employers to acquire employees’ genetic data.  The bill states, “It shall be an unlawful employment practice for an employer to request, require, or purchase genetic information with respect to an employee or a family member of the employee except…” It then goes on to list six exceptions.  For example, an exception to the nondiscrimination clause includes: “Where an employer inadvertently requests or requires family medical history of the employee or family member of the employee.” (Emphasis added.)

History of Genetic Data Abuses

The legislation includes these findings (among others) regarding abuse of genetic information:

  • “The early science of genetics became the basis of State laws that provided for the sterilization of persons having presumed genetic ‘defects’ such as mental retardation, mental disease, epilepsy, blindness, and hearing loss, among other conditions. The first sterilization law was enacted in the State of Indiana in 1907. By 1981, a majority of States adopted sterilization laws to ‘correct’ apparent genetic traits or tendencies. Many of these State laws have since been repealed, and many have been modified to include essential constitutional requirements of due process and equal protection. However, the current explosion in the science of genetics, and the history of sterilization laws by the States based on early genetic science, compels Congressional action in this area.”
  • “Although genes are facially neutral markers, many genetic conditions and disorders are associated with particular racial and ethnic groups and gender. Because some genetic traits are most prevalent in particular groups, members of a particular group may be stigmatized or discriminated against as a result of that genetic information. This form of discrimination was evident in the 1970s, which saw the advent of programs to screen and identify carriers of sickle cell anemia, a disease which afflicts African-Americans. Once again, State legislatures began to enact discriminatory laws in [this] area, and in the early 1970s began mandating genetic screening of all African Americans for sickle cell anemia, leading to discrimination and unnecessary fear. To alleviate some of this stigma, Congress in 1972 passed the National Sickle Cell Anemia Control Act, which withholds Federal funding from States unless sickle cell testing is voluntary.” (Emphasis added.)
  • “Congress has been informed of examples of genetic discrimination in the workplace. These include the use of pre-employment genetic screening at Lawrence Berkeley Laboratory, which led to a court decision in favor of the employees in [the] case Norman-Bloodsaw v. Lawrence Berkeley Laboratory (135 F.3d 1260, 1269 (9th Cir. 1998)). Congress clearly has a compelling public interest in relieving the fear of discrimination and in prohibiting its actual practice in employment and health insurance.”

Consent, Ownership and Genetic-Privacy Rights Still Needed

If Congress and President Bush want to ensure that unethical uses of genetic information are not repeated in years to come, they should pass a law that states clearly:

  • Genetic testing is voluntary.
  • Individuals own their genetic information.
  • Genetic information may not be shared without the individual’s consent.

“Unfortunately, the recently passed Genetic Information Nondiscrimination Act of 2008 falls short of upholding the ethics of consent, ownership and genetic privacy,” Blevins said.


  • “Genetic Information Nondiscrimination Act of 2008.” To read the complete bill, visit the congressional legislative database and search for bill number H.R. 493.
  • “Medical Privacy Still Isn’t Protected,” Baltimore Sun, letter to the editor by Janis G. Chester, president of the American Association of Practicing Psychiatrists, May 1, 2008.
  • “The Final Federal Medical Privacy Rule: The Definitive Guide,” Institute for Health Freedom, March 6, 2003.


Large Employers Push Health IT Legislation

S. 1693 Threatens Individuals’ Privacy and Control over Their Personal Health Information

A group of the nation’s largest employers is lobbying Congress to swiftly pass the Wired for Health Care Quality Act (S. 1693), a bill to foster a nationwide interoperable health-information network.  In an April 2 release, the Business Roundtable indicated that the widespread usage of health IT could save some $165 billion annually through improved efficiency and health outcomes.  The Business Roundtable, a major association of CEOs of U.S. companies with $4.5 trillion in annual revenues and nearly ten million employees, stressed that its members provide health insurance to 35 million Americans, a quarter of all who have private employer-sponsored health insurance or group coverage in the United States.

Senator Edward M. Kennedy (D-MA) is the lead sponsor of the bill. The Kaiser Daily Health Policy Report noted that Kennedy said health IT would produce savings that “would be enormously important with a Democratic president implementing universal health coverage.”

The Institute for Health Freedom previously reported that S. 1693 threatens individuals’ privacy and control over their personal health information. The legislation declares that an operator of an electronic health database would be deemed a “covered entity” under HIPAA regulations. “This means such an operator would be permitted to share patient information with over 600,000 other covered entities (such as insurers) without consent, as permitted under the privacy regulations,” we pointed out.

Meanwhile, the American Psychoanalytic Association (APA) has informed its members that “Congress is now working to craft health information technology (HIT) legislation over the next ten days.  It is imperative that any bill promoting electronic medical records must also contain strong privacy protections for patients.  The House Energy and Commerce Committee will be working with proposed pieces of legislation to craft a single bill.”  The APA encourages its members and those concerned about privacy to contact their congressional representatives to demand that patient privacy be included in any such legislation.  The organization emphasizes among other things that:

1.  Patient privacy is the cornerstone of effective treatment.
2.  Americans have a right to health-information privacy, and this must be explicitly recognized in any HIT legislation.
3.  The use of health information technology increases the risks of privacy violations.
4.  The TRUST Act (H.R. 5442), as introduced by Rep. Markey (D-MA), protects patient privacy and patient consent.
5.  The principles contained in the TRUST Act must be incorporated into any HIT legislation.

Finally, the APA encourages citizens to share examples of why health privacy is so important with their members of Congress and staff.


  • “Senators and CEOs Urge Passage of Health IT Bill Now,” Business Roundtable press release, April 2, 2008.
  • “Capitol Hill Watch: Roll Call Examines Prospects for Health Care Legislation This Year in Congress,” Kaiser Daily Health Policy Report, Mar 10, 2008.
  • “‘Wired for Health Care Quality Act’ Threatens Privacy and Control over Personal Information,” Health Freedom Watch, Institute for Health Freedom, January 2008.
  • Email alert from representatives of the American Psychoanalytic Association, May 1, 2008 (quoted with permission).


Will Individuals Store Their Medical Information in a National Health Information Network?

The following press release is from the American Association for the Advancement of Science’s online global news service, EurekAlert!:

Who owns your medical tests results and your personal health data? Such a vexing question cuts to the core of personal liberty and freedom of information. Now, researchers writing in the International Journal of Healthcare Technology and Management have introduced the notion of ownership of medical information and present a basic research model for the adoption of personal health records.

Personal health records (PHRs) have been developed in the U.S. as part of the Institute of Medicine’s goal of improving healthcare quality and making it more patient-centered as well as through patient pressure to have greater control of their health data. The PHR is also integral to the U.S. National Health Information Network (NHIN), which will give all Americans access to their electronic health records by 2014. However, little research has been published on how PHRs compare with other types of medical records or how privacy concerns are to be addressed.

Melinda Whetstone and Ebrahim Randeree of the College of Information, at Florida State University, Tallahassee explain that employers, insurance companies, healthcare providers and independent entities have increasing access to PHRs. However, whether the PHR, and other types of electronic records [Electronic Medical Record (EMR) and Electronic Health Record (EHR)], have been adopted and implemented successfully remains unclear.

One of the aims of adopting the PHR is to reduce the chances of medical errors caused by overuse, under use or misuse of a patient’s medical data. The Institute of Medicine estimated that there are almost 100,000 deaths each year caused by such preventable mistakes.

Nevertheless, from the patient perspective, the adoption of PHRs must provide benefits that outweigh any trust and privacy issues, the researchers say. Fundamentally, a PHR will be an electronic, lifelong resource containing an individual’s health information, which they and authorized healthcare workers can access at any time, to allow them to make appropriate health decisions. The Tallahassee team suggests that individuals will own and manage the information in the PHR.

Data in a PHR would include a patient’s immunizations, allergies and adverse drug reactions, medications, herbal remedies taken, past and present illnesses and hospitalizations, surgeries and other procedures, laboratory test results, and family history.

The PHR might also contain living wills and advance directives, organ donor authorization, recent physical examination data, healthcare workers’ opinions, other test results, eye and dental records, permission and consent forms, and even lifestyle information, such as details of smoking, drinking, drug use, exercise and diet.

The benefits of adopting a secure, online PHR system include allowing access to a comprehensive personal health history that can be used by healthcare workers. Additionally, it could give patients the means to become their own health advocate, provide benchmarks and prompts for maintenance.

“The ability to create a PHR is available. The desire and need for patients to utilize this technology is real. The intangible question of ‘Will they come?’ has yet to be answered.”

Source: “Breaking Personal Health Records,” news release by Inderscience Publishers, posted April 16, 2008.


Health Freedom Watch is published by the Institute for Health Freedom. Editor: Sue Blevins; Assistant Editor: Deborah Grady. Copyright 2008 Institute for Health Freedom.