Section 105 of the Genetic Information Nondiscrimination Act of 2008 (“GINA”) provides that a group health plan or health insurer may not use or disclose genetic information for purposes of underwriting. These provisions became effective on May 20, 2009. (For background on this issue, please see our prior Legal Alert entitled, Landmark Genetic Nondiscrimination Legislation, May 21, 2008.) On October 7, 2009, the Department of Health and Human Services (“HHS”) issued proposed regulations on how Section 105 will impact the HIPAA privacy regulations and HIPAA covered entities. Additional regulations issued on October 7, 2009 interpreting other health plan aspects of GINA are discussed in a separate Legal Alert.
In general, the proposed regulations are in response to the provisions in GINA requiring HHS to revise the HIPAA privacy regulations to clarify that genetic information is protected health information (“PHI”) and to prohibit group health plans, health insurance issuers and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes. Health plans must comply with these modifications no later than 180 days after final regulations are published.
The proposed regulations to the HIPAA privacy regulations –
- Make explicit that genetic information is health information;
- Prohibit health plans from using or disclosing PHI that is genetic information for underwriting purposes;
- Revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting;
- Make certain conforming changes to definitions and other related provisions; and
- Make technical corrections to the definition of “health plan.”
The proposed regulations would extend GINA’s prohibition on using and disclosing genetic information for underwriting purposes to all health plans that are subject to the HIPAA privacy regulations, not solely to those plans GINA explicitly requires be subject to the prohibition. For example, the prohibition would be extended to long-term care policies, certain public benefit programs, such as Medicare and Medicaid, military health care programs, and limited scope dental and vision benefits so that all provisions would apply uniformly to all health plans covered by the HIPAA privacy regulations.
Prohibition with Respect to Underwriting Purposes
The proposed regulations clarify that genetic information cannot be used or disclosed for underwriting purposes, notwithstanding any other provisions in the HIPAA privacy regulations to the contrary (for example, even if an individual has signed an authorization for such use or disclosure). Examples of violations of this requirement provided by HHS are –
- With respect to an employer group plan, a health insurance issuer uses an individual’s family history or results of genetic tests maintained in the plan’s claims experience information to adjust the plan’s premium rate for the upcoming year; and
- A group health plan uses family medical history provided by an individual in a health risk assessment to grant a premium reduction to the individual.
Notice of Privacy Practices
HHS has determined that individuals should be specifically notified that health plans may not use or disclose their genetic information for underwriting purposes. Therefore, if a health plan does use or disclose PHI for underwriting, it must revise its notice to include a statement making this prohibition clear. (Note that because of the expansive definition of PHI in the HIPAA privacy regulations, substantially all health plans will use PHI for underwriting, thereby becoming subject to this revised notice rule.) The general rule is that a notice must be distributed within 60 days of a material change. Due to the additional cost of this disclosure, and the fact that additional changes to the notice may be required under the provisions of HITECH in the near future, HHS is considering various options. These options include replacing the 60-day rule with a requirement that notices be distributed in the next annual mailing after a material revision (such as during annual enrollment); extending the 60-day rule solely for notifying individuals of the underwriting rule; retaining the 60-day requirement but allowing the Secretary to waive the timeframe in certain situations; or making no change to the requirement. Because the GINA privacy provisions were effective May 20, 2009, many health plans have already updated their notices on this issue.
Impact on Other Documents
Based on the proposed regulations, other documents should also be updated to reflect the new GINA provisions, including the health plan’s policies and procedures. Depending on the services that are provided by a business associate and the language of existing business associate agreements, applicable business associate agreements may also need to be updated. Last, health plan sponsors should also consider whether adding protective language in their health plan documents is also appropriate.