The Illinois Genetic Information Privacy Act, 410 ILCS 513/1, et seq. (“GIPA”), which was passed in 1998 and amended in 2008, had until recently received little attention from the plaintiffs’ bar. That changed last August, after a court granted certification in a federal GIPA class action involving alleged unauthorized disclosure of consumers’ genetic information to unknown third-party developers by a website that sold DNA analysis reports. See c, LLC, 344 F.R.D. 231, 233 (N.D. Ill. 2023). Over 50 GIPA cases were filed in 2023 alone in the wake of that ruling, with many more now pending in Illinois state and federal courts. As this litigation trend continues almost a year following the granting of class certification in Melvin, companies are asking: what is GIPA, are we subject to it, and what should we do to mitigate litigation risk? Employers, insurance companies, and others that collect health- and genetic-related information should read on to learn more.
Overview of the Illinois Genetic Information Privacy Act
The Illinois legislature passed GIPA to enact privacy protections prohibiting the unauthorized disclosure and use of an individual’s genetic information. See 410 ILCS 513/5. In furtherance of this objective, GIPA provides that “genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information.” 410 ILCS 513/15(a). Under GIPA, “genetic information” is defined to include an individual’s genetic tests, the genetic tests of family members of an individual, the manifestation of a disease or disorder in family members of such individual, and “[a]ny request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.” See 410 ILCS 513/10 (adopting the definitions of “genetic information,” “genetic test,” and “protected health information,” set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) regulations, 45 C.F.R. § 160.103). “Genetic test” is defined through HIPAA regulations as “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes” but excludes “an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.” 45 C.F.R. § 160.103.
With respect to genetic tests, under GIPA Section 30, “[n]o person may disclose … the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to … [a]ny person designated in a specific written legally effective authorization for release of the test results executed by the subject of the test …” 410 ILCS 513/30(a)(2).
GIPA limits the use of “genetic information” by employers and insurers. Section 25 of GIPA prohibits employers from:
- Soliciting, requesting, requiring, or purchasing genetic testing or genetic information of a person or a family member of the person, or administering a genetic test to a person or a family member of the person, as a condition of employment, preemployment application, labor organization membership, or licensure;
- Affecting the terms, conditions, or privileges of employment, preemployment application, labor organization membership, or licensure—including by termination—because of genetic testing or genetic information with respect to the employee or family member, or information about a request for or the receipt of genetic testing by such employee or family member of such employee;
- Limiting, segregating, or classifying employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee because of genetic testing or genetic information with respect to the employee or a family member, or information about a request for or the receipt of genetic testing or genetic information by such employee or family member of such employee; and
- Retaliating through discharge or in any other manner against any person alleging a violation of GIPA or participating in any manner in a proceeding under GIPA.
See 15 ILCS 513/25(c)(1)-(4). Similarly, Section 20 restricts the use of genetic information in the insurance context, prohibiting insurers from: (1) seeking information derived from genetic testing for use in connection with a policy of accident and health insurance, or (2) using or disclosing protected health information that is genetic information for underwriting purposes. See 15 ILCS 513/20(a)-(b).
GIPA Section 35 prohibits further dissemination of genetic information beyond authorized recipients, stating that “[n]o person to whom the results of a test have been disclosed may disclose the test results to another person except as authorized under this Act.” 410 ILCS 513/35.
GIPA Contains a Private Right of Action and Liquidated Statutory Damages
As is the case with another frequently litigated Illinois privacy statute, the Illinois Biometric Information Privacy Act (“BIPA”) (covered extensively on Privacy World), persons “aggrieved by a violation” of GIPA are authorized to bring an action to recover statutory or actual damages, whichever is greater, and for injunctive relief. 410 ILCS 513/40(a). GIPA allows a prevailing party to recover $2,500 in statutory damages per negligent violation, $15,000 in statutory damages per intentional or reckless violation, and reasonable attorney’s fees and costs, including expert witness fees and other litigation expenses.
Early GIPA Litigation Trends
Recently commenced GIPA litigation has focused, understandably, on entities purportedly involved in the sale or transfer of genetic information in violation of Section 30. For example, several putative class actions have been brought against employers that allegedly require medical examinations or disclosure of medical family history as part of the hiring process. Litigations have also been filed against insurance companies, where plaintiffs allege that life insurance applications requiring the disclosure of family medical history and the use of that information for underwriting decisions violates Section 20 of GIPA. See, e.g., Thompson, No. 3:23-cv-03904 (N.D. Ill. Dec. 11, 2023).
As the Seventh Circuit recently observed, GIPA is “[l]ess known and litigated” than similar statutes, and therefore many of the potential defenses to these claims are yet to be tested. See Bridges, 66 F.4th 687, 689 (7th Cir. 2023). However, several of these potential defenses are consistently implicated in these early cases and the developing GIPA case law will shape the contours of future litigation.
The Majority of GIPA Litigations Are Pending in Federal, Not State Courts
As a threshold issue, many of the putative class action lawsuits filed in Illinois state courts have been removed to federal court under the Class Action Fairness Act (“CAFA”). See 28 U.S.C. § 1332(d). For instance, in Bridges, following removal to the Southern District of Illinois under CAFA, the defendant successfully moved to dismiss, under Fed. R. Civ. P. 12(b)(6), a claim that it violated Section 30 of GIPA by allegedly compelling the disclosure of the plaintiffs’ genetic testing data in connection with the defendant’s acquisition of a genealogy and genetic testing company. 66 F.4th at 688. In its motion, the defendant denied that its alleged conduct amounted to compelling the disclosure of GIPA-protected data and that a recipient of data cannot be held liable under Section 30. The Seventh Circuit, without deciding whether the statute supports holding a recipient of data liable, affirmed the dismissal, holding that, “without more,” the defendant’s “run-of-the-mill corporate acquisition” was insufficient to state a claim that it unlawfully compelled the disclosure of the genealogy company’s customers’ genetic information.
Recall however that the presence of Article III standing is a requirement for all cases proceeding in federal court. Given the focus—and differing rulings—on standing for BIPA cases, it is likely that the question of what constitutes an injury-in-fact for purposes of Article III will be an area of focus. This is particularly so given GIPA’s incorporation of a private right of action for any person “aggrieved by a violation,” which mirrors that of BIPA.
Insurance Companies Are Common GIPA Defendants, But Does GIPA Apply to Life Insurers?
Another issue is that Section 20(b), by its terms, does not expressly apply to life insurance companies, raising a question regarding whether GIPA applies to life insurers or merely other insurance companies. See 410 ILCS 513/20(b). For example, in Thompson, the defendant life insurance companies moved to dismiss plaintiff’s GIPA claims, arguing that Section 20 does not apply to information received or created by life insurers. Mem. in Support of Mot. to Dismiss, Thompson, No. 3:23-cv-03904 (S.D. Ill. Jan. 31, 2024).
Recall that Section 20(b) prohibits an insurer from using or disclosing “protected health information that is genetic information” for underwriting. Part of the life insurers’ arguments raised on this issue relate to the definition of “protected health information,” as adopted from HIPAA regulations, which define “protected health information” as “individually identifiable health information,” further defined as “information that is a subset of health information, including demographic information collected from an individual,” that is “created or received by a health care provider, health plan, employer, or health care clearinghouse.” 45 C.F.R. § 160.103 (emphasis supplied). The life insurer defendants in Thompson argue that GIPA Section 20(b)(4) establishes that all preceding subsections of Section 20(b) apply only to health insurance companies and health plans—not life insurance companies. See Mem. in Support of Mot. to Dismiss, Thompson, No. 3:23-cv-03904 at 5–16 (S.D. Ill. Mar. 27, 2024); see also Mem. in Support of Mot. to Dismiss, Johnson, No. 1:24-cv-01057 at 11–22 (N.D. Ill. Apr. 11, 2024). This motion is still pending.
What Is “Genetic Information” Under GIPA?
A threshold issue that will be litigated in many of the pending cases is what exactly constitutes “genetic information” under the statute. As with the question of whether GIPA’s requirements extend to life insurers, this issue will likely be informed by HIPAA’s regulations as a matter of plain statutory interpretation. This is because GIPA specifies that “‘genetic information’ has the meaning ascribed to it under HIPAA, as specified in 45 CFR 160.103.” HIPPA’s regulations, in turn, define “genetic information” to extend to information about “the manifestation of a disease or disorder in family members of such individual.” 45 CFR § 160.103(1)(iii).
This issue has arisen in several GIPA suits arising in the employment context. Plaintiffs have alleged in these cases their employers violated GIPA by soliciting and obtaining lead plaintiff’s and the class members’ genetic information as a precondition of employment. See, e.g., Ross v. Compass Group USA, Inc., No. 1:24-cv-00052 (N.D. Ill.).
Applicable Statute of Limitations
Another looming issue with pending GIPA claims concerns the applicable statute of limitations. As with BIPA, the act does not have a limitations period. BIPA claims, however, have been held to fall within “the five-year catchall limitations period codified in section 13-205 of the [Illinois Code of Civil Procedure].” Tims v. Black Horse Carriers, Inc., 2023 IL 12780, ¶ 30. It is anticipated that members of the plaintiffs’ bar will seek to have a five-year statute of limitations apply to GIPA claims relying on this BIPA precedent. However, this issue has yet to be squarely addressed by any Illinois state or federal court.
Conclusion
In light of the fact that GIPA’s liquidated statutory damages are even higher than those set forth in BIPA, combined with the fact that courts have yet to interpret much of the statute’s language, the number of filed GIPA cases is anticipated to grow as we approach Q3 2024 and beyond. To mitigate risk, employers, insurers, and others that collect and process genetic or similar information should inventory and evaluate these practices, and consider implementation of consent and other potential requirements under GIPA.