The Office for Civil Rights of the Department of Health and Human Services (HHS) recently issued a proposed regulation implementing certain provisions of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) that clarifies the status of genetic information as protected health information under the HIPAA Privacy Rule. (To access a copy of the proposed regulation, click here.) This proposal was issued at the same time as, but is separate from and should not be confused with, the interim final rule jointly issued by HHS, the Treasury Department (Treasury), and the Department of Labor (DOL) (the "joint interim final rule") implementing the substantive provisions of Title I of GINA. (Click here to access a copy of our client advisory explaining the joint interim final rule.)

Background

Among other things, HIPAA established national standards for the protection of "protected health information" (PHI) that apply to "covered entities" (consisting of health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses). The HIPAA privacy rule protects individuals' medical records and other individually identifiable health information held by covered entities by, among other provisions, requiring appropriate safeguards to protect the privacy of such information, and setting limits and conditions on the uses and disclosures that may be made of the information. The privacy rule also gives patients rights over their PHI, including rights to examine and obtain a copy of their health records, and to request corrections.

GINA prohibits discrimination based on an individual's genetic information with respect to both health insurance coverage (Title I) and employment (Title II). GINA Title I generally prohibits discrimination in group health insurance premiums based on genetic information and bars the use of genetic information as a basis for determining eligibility, or setting premiums in the individual and Medicare supplemental markets. It also limits the ability of group health plans, and health insurance and Medicare supplement issuers, to collect genetic information or to request or require that individuals undergo genetic testing.

GINA instructs HHS to revise the HIPAA privacy rule to clarify that genetic information is health information, and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes. The proposed regulation is in response to this Congressional directive.

The Proposed Regulation

HHS proposes to modify the HIPAA privacy rule in three particulars. The proposed regulation would:

  • Explicitly provide that genetic information is "health information"
  • Prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes
  • Mandate conforming changes to the Notice of Privacy Practices.

The proposed regulation also makes changes to certain definitions and other provisions of the privacy rule, including technical corrections to the definition of what constitutes a "health plan."

Genetic information as "health information"

GINA § 105 requires HHS to modify the privacy rule to prohibit group health plans and health insurance issuers (i.e., carriers) from using or disclosing genetic information for underwriting purposes. Group health plans and health insurance issuers are, of course, HIPAA-covered entities that are subject to the privacy rule. There are, however, other covered entities, such as certain long-term care policies, multiple employer welfare arrangements, state high-risk pools, certain public benefit programs (e.g., Medicare Part A and B, TRICARE, and the Indian Health Service program), and other combinations of individual or group plans that provide or pay for the cost of medical care. While GINA addresses only group health plans, health insurance issuers, and Medicare supplement issuers, the proposed regulation applies the GINA prohibition on using and disclosing protected health information that is genetic information for underwriting purposes to all health plans that are subject to the HIPAA privacy rule. This expansive reading of the statute is based on HHS's belief that its "interpretation is consistent with both GINA and the Secretary's broad authority under HIPAA."

Bar on using or disclosing genetic information for underwriting purposes

The proposed regulation provides that the definition of "health information" encompasses "genetic information." In doing so, it adds some new definitions and makes certain technical corrections to the definition of "health plan." The proposed regulation modifies the definition of "health information" to explicitly include genetic information to the extent that such information is individually identifiable and maintained by a HIPAA-covered entity or business associate of a covered entity (and not otherwise the subject of an applicable exception).

Genetic information for purposes of the underwriting bar means, with respect to any individual, information about (i) such individual's genetic tests, (ii) the genetic tests of family members of such individual, and (iii) the manifestation of a disease or disorder in family members of such individual (i.e., family medical history). It also includes the collection of genetic information for clinical research purposes, but excludes information about the sex or age of any individual.

The proposed regulation defines a series of other terms, such as "genetic test," "genetic services," "family member," and "manifested," which track definitions set out in the joint interim final rule. Thus, for example, if a health care professional with appropriate expertise makes a diagnosis based on the symptoms of a patient, and uses genetic tests to confirm the diagnosis, the disease will be considered manifested (and information about it can therefore be "used"), despite that the use would otherwise be barred under GINA.

The proposed change to the definition of "underwriting purposes" merits particular attention. GINA § 105 defines the term "underwriting purposes" to mean:

With respect to a group health plan [or] health insurance coverage ... : (A) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy; (B) the computation of premium or contribution amounts under the plan, coverage, or policy; (C) the application of any pre-existing condition exclusion under the plan, coverage, or policy; and (D) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

The proposed regulation adopts this definition, but it adds clarifications that have the effect of limiting the use of health risk assessment wellness programs. In the preamble to the proposed regulation, HHS explains that the purpose of the clarifications is to make certain that the regulation is consistent with the provisions of the joint interim final rule. As we explained in our advisory on that rule, HHS, Treasury, and DOL have sharply limited the usefulness of health risk assessments, wellness programs, and disease management regimes by treating their use of genetic information (e.g., family histories) as "underwriting" (and thus generally barred by GINA).

The proposed rule also makes conforming changes to the HIPAA definitions of "health care operations" and "payment." The privacy rule generally prohibits the use or disclosure of PHI without a patient's authorization, but covered entities (and their business associates) are permitted to use or disclose PHI for "treatment, payment, and health care operations." Pre-GINA, "health care operations" included the term "underwriting" but it did not include a definition of "underwriting purposes." To avoid confusion, the proposed regulation removes the term "underwriting" from the definition of "health care operations" but it adds the term "enrollment." In the preamble to the proposed regulations, HHS clarifies that the removal of the term "underwriting" "would not impact the use or disclosure of PHI that is not genetic information for enrollment purposes." (HHS asked for comments concerning whether the removal of the term "underwriting" could have unintended consequences.)

Similar issues arise in connection with the definition of the term "payment." The current definition includes determinations of eligibility or coverage by a health plan which may overlap with "underwriting purposes." Under GINA, a health plan is not permitted to disclose PHI that is genetic information for "payment" purposes. The proposed regulation includes an express ban on health plans using and disclosing genetic information for underwriting purposes by excluding such activities from the definition of "payment."

The proposed regulation prohibits health plans from using or disclosing PHI that is genetic information for underwriting despite other HIPAA-permitted uses and disclosures. Thus, for example, a health plan could not use or disclosure genetic information for underwriting purposes, even if an individual has signed an authorization for such purpose. This prohibition applies to all genetic information regardless of when the genetic information originated.

Mandate conforming changes to the Notice of Privacy Practices

HIPAA established rules requiring each covered entity to prepare and disseminate a Notice of Privacy Practices (NPP), which describes (i) the permitted uses and disclosures of PHI, (ii) the covered entity's legal duties to protect PHI, and (iii) the individual's rights with respect to PHI. GINA's required changes must be reflected in the NPP to make clear that covered entities are prohibited from using or disclosing PHI that is genetic information about an individual for underwriting purposes. Under current law, this notice would need to be provided to individuals within 60 days of the change. Recognizing that revising and redistributing a NPP may be costly for health plans, and also recognizing that other requirements of law (such as the breach-notice rules under the HITECT Act) may require changes to NPPs, HHS has asked for comments on ways to inform individuals of this change to privacy practices without unduly burdening health plans.

Effective Date

GINA § 105 takes effect May 20, 2010. HHS will require health plans to comply with regulatory modifications 180 days following the effective date of the final rule. HHS has invited comments on the proposed regulation, which must be submitted no later than December 7, 2009.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.