29 CFR 1635.9 - Confidentiality.
(a) Treatment of genetic information. (1) A covered entity that possesses genetic information in writing about an employee or member must maintain such information on forms and in medical files (including where the information exists in electronic forms and files) that are separate from personnel files and treat such information as a confidential medical record.
(2) A covered entity may maintain genetic information about an employee or member in the same file in which it maintains confidential medical information subject to section 102(d)(3)(B) of the Americans with Disabilities Act, 42 U.S.C. 12112(d)(3)(B).
(3) Genetic information that a covered entity receives orally need not be reduced to writing, but may not be disclosed, except as permitted by this part.
(4) Genetic information that a covered entity acquires through sources that are commercially and publicly available, as provided by, and subject to the limitations in, 1635.8(b)(4) of this part, is not considered confidential genetic information, but may not be used to discriminate against an individual as described in §§ 1635.4, 1635.5, or 1635.6 of this part.
(5) Genetic information placed in personnel files prior to November 21, 2009 need not be removed and a covered entity will not be liable under this part for the mere existence of the information in the file. However, the prohibitions on use and disclosure of genetic information apply to all genetic information that meets the statutory definition, including genetic information requested, required, or purchased prior to November 21, 2009.
(b) Exceptions to limitations on disclosure. A covered entity that possesses any genetic information, regardless of how the entity obtained the information (except for genetic information acquired through commercially and publicly available sources), may not disclose it except:
(1) To the employee or member (or family member if the family member is receiving the genetic services) about whom the information pertains upon receipt of the employee's or member's written request;
(2) To an occupational or other health researcher if the research is conducted in compliance with the regulations and protections provided for under 45 CFR part 46;
(3) In response to an order of a court, except that the covered entity may disclose only the genetic information expressly authorized by such order; and if the court order was secured without the knowledge of the employee or member to whom the information refers, the covered entity shall inform the employee or member of the court order and any genetic information that was disclosed pursuant to such order;
(4) To government officials investigating compliance with this title if the information is relevant to the investigation;
(5) To the extent that such disclosure is made in support of an employee's compliance with the certification provisions of section 103 of the Family and Medical Leave Act of 1993 (29 U.S.C. 2613) or such requirements under State family and medical leave laws; or
(6) To a Federal, State, or local public health agency only with regard to information about the manifestation of a disease or disorder that concerns a contagious disease that presents an imminent hazard of death or life-threatening illness, provided that the individual whose family member is the subject of the disclosure is notified of such disclosure.
(c) Relationship to HIPAA Privacy Regulations. Pursuant to § 1635.11(d) of this part, nothing in this section shall be construed as applying to the use or disclosure of genetic information that is protected health information subject to the regulations issued pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996.