Today’s post focuses on the treatment of genetic information under the new regulations for the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Ogletree Deakins has previously released a blog post describing the omnibus regulations and an article detailing the revised breach notification rules.
The new regulations finalize changes made to reflect the Genetic Information Nondiscrimination Act of 2008 (GINA). The changes are in addition to the revisions made for Health Information Technology for Economic and Clinical Health Act (HITECH Act).
The new regulations largely adopt 2009 proposed HIPAA regulations on plan use of genetic information with a few key changes. GINA bars a health plan from using genetic information for underwriting purposes. The new regulations define “genetic information,” “health plans,” and “underwriting purposes” broadly. As a result, the amount of information protected as genetic information can be quite significant. The new regulations clarify certain issues regarding each definition:
- Genetic Information – The regulations define health information as including genetic information, meaning an individual’s individually identifiable genetic information generally will be protected health information (PHI) for covered entities and their business associates. Genetic information includes the genetic tests, genetic counseling, and genetic education of an individual and his or her family members, and the medical history of those family members. A family member includes any dependent or relation to the fourth degree (e.g., great-great-grandparents or grandchildren, children of first cousins) or closer, without reference to the existence of biological ties. The preamble states that all genetic information is protected, whether the information originated before or after the compliance date for the final regulations.
- Health Plan – All plans and insurers, including long term care insurers, must protect genetic information as PHI under the Privacy Rule. The final regulations expand GINA’s scope to provide that all plans and insurers covered by the HIPAA Privacy Rule are subject to the new regulation’s ban on the use of genetic information for underwriting purposes. This definition carves out long term care insurers because the government needs to assess the impact of restrictions on that industry. Future guidance may revisit this exception.
- Underwriting Purposes – Under the new regulations, underwriters are health plans, including employer-sponsored health plans, not just insurers, and underwriting is more than an insurer’s determination of whether to extend an insurance contract to an individual or group, although it certainly includes such activities. Any plan or insurer may not factor genetic information when determining eligibility and measuring premiums, contributions, cost-sharing, or benefits. The new regulations exclude from underwriting an evaluation of an individual’s right to a benefit when the determination is based on medical appropriateness. A plan or insurer may use genetic information (e.g., genetic tests, relevant family medical history) if that information is necessary for its evaluation, but must limit such use to the minimum genetic information necessary to make the determination.
Since health plans cannot use genetic information for underwriting purposes, plan administrators must scrub genetic information from “summary health information” shared with plan sponsors and insurers during the underwriting process. As the preamble to the final regulations makes clear, the prohibition against the use or disclosure of genetic information for underwriting purposes is a material change that must be reflected in a plan’s privacy notice if the plan performs underwriting. This and other regulatory changes may also require revisions to health plan documents, policies, procedures, and forms required to comply with HIPAA and its Privacy and Security Rule obligations.
In many cases, an employer should avoid collecting genetic information wherever possible. Many employers and plans have already eliminated requests for health information about family members and other genetic information from their health risk assessments and other forms. Given the amount of genetic information present in health records, however, and the role genetic information plays in medical assessments, plans cannot eliminate all use of genetic information from their operations. Plans should implement a comprehensive strategy to identify and manage genetic information where such information is part of a plan’s documentary record and to limit its use as required by the new regulations.
Stephen A. Riga is an associate in the Indianapolis office of Ogletree Deakins.