HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information, 51698-51710 [E9-22492]

51698 Federal Register / Vol. 74, No. 193 / Wednesday, October 7, 2009 / Proposed Rules

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB54

HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office for Civil Rights, HHS.

ACTION: Proposed rule.

SUMMARY: The Department of Health and Human Services (HHS) proposes to modify certain provisions of the “Standards for Privacy of Individually Identifiable Health Information” (Privacy Rule), issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of these proposed modifications is to implement section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) regarding the privacy and confidentiality of genetic information, as well as to make certain other changes to the HIPAA Privacy Rule.

DATES: Comments on the proposed rule will be considered if we receive them at the appropriate address, as provided below, no later than December 7, 2009.

ADDRESSES: Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.

• Federal eRulemaking Portal: You may submit electronic comments at https://www.regulations.gov. Follow the instructions for submitting electronic comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.

• Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: GINA NPRM (RIN 0991–AB54), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Mailed comments may be subject to delivery delays due to security procedures.
Please allow sufficient time for mailed comments to be timely received in the event of delivery delays.

• Hand Delivery or Courier: If you prefer, you may deliver (by hand or courier) your written comments (one original and two copies) to the following address only: Office for Civil Rights, Attention: GINA NPRM (RIN 0991–AB54), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202–205–2292.

SUPPLEMENTARY INFORMATION:

I. Background

The “Standards for Privacy of Individually Identifiable Health Information,” or “Privacy Rule” was issued on December 28, 2000 (and later amended in August 2002), pursuant to the Administrative Simplification Provisions of Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191. Subtitle F of Title II of HIPAA added a new Part C to Title XI of the Social Security Act (sections 1171–1179 of the Act, 42 U.S.C. 1320d–1320d–8). The Privacy Rule is one of a suite of rules required by the Administrative Simplification provisions of HIPAA, and put in place the first national standards for the privacy protection of certain individually identifiable health information (called “protected health information” or “PHI”).
The other HIPAA Administrative Simplification Rules provide national standards for electronic health care transactions and code sets, unique health identifiers for employers and health care providers, and the security of electronic PHI. The HIPAA Privacy and other Administrative Simplification Rules currently apply to three types of covered entities: health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses. The HIPAA Privacy Rule protects individuals’ medical records and other individually identifiable health information held by HIPAA covered entities by, among other provisions, requiring appropriate safeguards to protect the privacy of such information, and setting limits and conditions on the uses and disclosures that may be made of the information. The Privacy Rule also gives patients rights over their PHI, including rights to examine and obtain a copy of their health records, and to request corrections.

On May 21, 2008, President Bush signed into law the Genetic Information Nondiscrimination Act of 2008 (“GINA”), Public Law 110–233, 122 Stat. 881. Congress enacted GINA to “establish [ ] a national and uniform basic standard [that] is necessary to fully protect the public from discrimination and allay their concerns about the potential for discrimination, thereby allowing individuals to take advantage of genetic testing, technologies, research, and new therapies.” GINA section 2(5). To that end, GINA generally prohibits discrimination based on an individual’s genetic information with respect to both health coverage and employment.
In particular, with respect to health coverage, Title I of GINA generally prohibits discrimination in group premiums based on genetic information, proscribes the use of genetic information as a basis for determining eligibility or setting premiums in the individual and Medicare supplemental policy (Medigap) insurance markets, and limits the ability of group health plans, health insurance issuers, and Medigap issuers to collect genetic information or to request or require that individuals undergo genetic testing. Title II of GINA generally prohibits use of genetic information in the employment context, restricts acquisition of genetic information by employers and other entities covered by Title II, and strictly limits such entities from disclosing genetic information. The Departments of Labor (Employee Benefits Security Administration), Treasury (Internal Revenue Service), and HHS (Centers for Medicare & Medicaid Services) are responsible for administering and enforcing the GINA Title I nondiscrimination provisions, and the Equal Employment Opportunity Commission (EEOC) is responsible for administering and enforcing the GINA Title II nondiscrimination provisions.¹

¹ The Departments of Labor (Employee Benefits Security Administration), Treasury (Internal Revenue Service), and HHS (Centers for Medicare & Medicaid Services (CMS)) have issued regulations in a separate rulemaking to implement sections 101–103 of GINA, which amended: section 702(b) of the Employee Retirement Income Security Act of 1974 (29 U.S.C. 1182(b)); section 2702(b) of the Public Health Service Act (42 U.S.C. 300gg–1(b)); and subsection (b) of section 9802 of the Internal Revenue Code of 1986. Section 104 of GINA applies to Medigap issuers, which are subject to the provisions of section 1882 of the Social Security Act that are implemented by CMS, and which incorporate by reference certain provisions in a model regulation of the National Association of Insurance Commissioners (NAIC). The NAIC amended its model regulation on September 24, 2008, to conform to section 104 of GINA, and the amended regulation was published by CMS in the Federal Register on April 24, 2009 at 74 FR 18808. With respect to Title II of GINA, the EEOC issued a notice of proposed rulemaking on March 2, 2009, at 74 FR 9056.

In addition to these nondiscrimination provisions, Title I of GINA contains certain new privacy protections for genetic information. In particular, section 105 of GINA, entitled “Privacy and Confidentiality,” amends Part C of Title XI of the Social Security Act by adding section 1180 to address the application of the HIPAA Privacy Rule to genetic information. Section 1180 requires the Secretary of HHS to revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes.

In this proposed rule, HHS is proposing to implement the modifications required by GINA section 105, as well as to make certain other modifications to the HIPAA Privacy Rule, and seeks public comment on its proposal. In developing its proposal, HHS consulted with the Departments of Labor and Treasury, as required by section 105(b)(1) of GINA, to ensure, to the extent practicable, consistency across the regulations. In addition, HHS coordinated with the EEOC in the development of these regulations.

II. Description of Proposed Modifications

Overview and Scope

In accordance with section 105 of GINA ² and the Department’s general authority under sections 262 and 264 of HIPAA, the Department proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide that genetic information is health information for purposes of the Rule; (2) prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes; (3) revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting; (4) make a number of conforming modifications to definitions and other provisions of the Rule; and (5) make technical corrections to update the definition of “health plan.”

² Any reference in this section of the preamble to GINA is a reference to Title I of GINA, except as otherwise indicated.

Section 105 of GINA requires HHS to modify the Privacy Rule to prohibit “a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare [sic] supplemental policy” from using or disclosing genetic information for underwriting purposes. GINA section 105 provides that the terms “group health plan” and “health insurance coverage” have the meanings given such terms under section 2791 of the Public Health Service Act (42 U.S.C. 300gg–91), and that the term “medicare [sic] supplemental policy” has the meaning given such term in section 1882(g) of the Social Security Act.
In addition, the term “health insurance issuer,” as defined at 42 U.S.C. 300gg–91, includes a health maintenance organization (HMO). These four types of health plans (i.e., group health plans, health insurance issuers, and health maintenance organizations, as defined in the Public Health Service Act, as well as issuers of Medicare supplemental policies), correspond to the types of health plans listed at subparagraphs (i) through (iii) and (vi) of paragraph (1) of the definition of “health plan” at § 160.103 in the HIPAA Privacy Rule.

In addition to these four categories of health plans, the HIPAA Privacy Rule also applies to many other types of health plans, including: (1) Long-term care policies (excluding nursing home fixed-indemnity policies); (2) employee welfare benefit plans or other arrangements that are established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers (to the extent that they are not group health plans or health insurance issuers); (3) high risk pools that are mechanisms established under State law to provide health insurance coverage or comparable coverage to eligible individuals; (4) certain public benefit programs, such as Medicare Part A and B, Medicaid, the military and veterans health care programs, the Indian Health Service program, and others; as well as (5) any other individual or group plan, or combination of individual or group plans that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg–91(a)(2)). This last category includes, for example, certain “excepted benefits” plans described at 42 U.S.C. 300gg–91(c)(2), such as limited scope dental or vision benefits plans. See the definition of “health plan” at § 160.103.

The Department proposes to apply the prohibition in GINA on using and disclosing protected health information that is genetic information for underwriting to all health plans that are subject to the Privacy Rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. We believe that this interpretation is consistent with both GINA and the Secretary’s broad authority under HIPAA. Section 264 of HIPAA (42 U.S.C. 1320d–2 note) provides the Secretary with authority to promulgate privacy standards that govern:

(1) The rights that an individual who is a subject of individually identifiable health information should have.
(2) The procedures that should be established for the exercise of such rights.
(3) The uses and disclosures of such information that should be authorized or required.

Accordingly, the Secretary has wide latitude to promulgate privacy standards that limit the use or disclosure of individually identifiable health information, including genetic information. Furthermore, section 262 of HIPAA, codified at 42 U.S.C. 1320d–1, states that:

Any standard adopted under this part shall apply, in whole or in part, to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).

While other portions of HIPAA were limited to group health plans, see, e.g., sections 101 and 102 of HIPAA, the Administrative Simplification subtitle governs a substantially broader definition of “health plan,” 42 U.S.C. 1320d, and instructs that “any standard” will apply to all such health plans.
Based on this broad definition of “health plan,” the wide latitude Congress provided to the Secretary to promulgate privacy standards, and the charge that “any standard” should apply to all health plans, we interpret that the HIPAA administrative simplification provisions provide the Secretary with broad authority to craft privacy standards that uniformly apply to all health plans, regardless of whether such health plans are governed by other portions of the HIPAA statute.

In GINA, Congress recognized a privacy interest on the part of individuals, distinct from the nondiscrimination provisions, with respect to the use or disclosure of individuals’ genetic information in health coverage decisions. At a minimum, GINA requires the Secretary to apply this privacy interest to uses and disclosures of group health plans, health insurance issuers that issue health insurance coverage, and issuers of Medicare supplemental policies. Apart from this required change to the HIPAA Privacy Rule, however, nothing in GINA explicitly or implicitly curtails the broad authority of the Secretary to promulgate privacy standards for any and all health plans that are governed by the HIPAA Administrative Simplification provisions.

Under the Privacy Rule, consistent with the HIPAA statutory text discussed above, an individual’s privacy interests and rights with respect to the use and disclosure of PHI are protected uniformly without regard to the type of health plan that holds the information. Thus, under the Privacy Rule, individuals can expect and benefit from privacy protections that do not diminish based on the type of health plan from which they obtain health coverage.
Therefore, in keeping with a uniform privacy construct, and pursuant to its authority under HIPAA sections 262 and 264, the Department proposes to apply the prohibition on using or disclosing PHI that is genetic information for underwriting purposes to all health plans that are covered entities as defined by HIPAA section 262, and, correspondingly, by the Privacy Rule. The Department believes that individuals’ interests in uniform protection under the Privacy Rule against the use or disclosure of their genetic information for underwriting purposes outweigh any adverse impact on health plans that are not covered by GINA. This is particularly true since we do not expect that all of the health plans subject to the Privacy Rule use or disclose PHI that is genetic information for underwriting today (or even conduct underwriting generally, in the case of some of the public benefit plans). Consistent with § 160.104(c), the Department intends to require health plans to comply with these modifications to the privacy standards no later than 180 days from the effective date of such modifications. Note that the Department does not propose to extend the compliance date for small health plans as the Department believes 180 days is sufficient time for small health plans to come into compliance with the proposed requirements. With this overview and description of the scope of the proposed rule as foundation, the following discussion describes the proposed modifications to the Privacy Rule section by section. 
Those interested in commenting on the proposed provisions can assist the Department by preceding discussion of any particular provision in the comment with a citation to the section of the proposed rule being discussed, or, if submitting a comment relevant to the above discussion, with the term “Scope.”

Section 160.103—Definitions

The Department is proposing to modify § 160.103 to: (1) Explicitly provide, as required by GINA, that the definition of “health information” encompasses “genetic information”; (2) add a number of terms used in GINA Title I for purposes of implementing GINA’s provisions; and (3) make certain technical corrections to update the definition of “health plan.” We note that with respect to the GINA terms, this proposed rule proposes to adopt definitions that are generally consistent with the definitions of such terms promulgated in the implementing regulations for sections 101–103 of GINA.

1. Health information. The Department has always maintained that genetic information is health information protected by the Privacy Rule to the extent such information is individually identifiable and held by a covered entity (subject to the general exclusions from the definition of “protected health information”). Frequently Asked Question number 354, available at https://www.hhs.gov/ocr/privacy/hipaa/faq/about/354.html, states:

Question: Does the HIPAA Privacy Rule protect genetic information?

Answer: Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 CFR 160.103.

Nevertheless, section 105 of GINA requires the Secretary to revise the Privacy Rule to make clear that genetic information is health information under the Rule.
Accordingly, the Department proposes to modify the definition of “health information” at § 160.103 to explicitly provide that such term includes genetic information. We note, however, that as before, genetic information, while health information, is only covered by the Privacy Rule to the extent that it meets the definition of “protected health information.” That is, the genetic information must be individually identifiable and maintained by a HIPAA covered entity (or business associate of a covered entity) (and not otherwise fall within one of the exceptions to the definition). See the definition of “protected health information” at § 160.103.

2. Genetic information. The term “genetic information” is a defined term in GINA that establishes what information is protected by the statute. GINA section 105 provides that the term “genetic information” in section 105 shall have the same meaning given the term in section 2791 of the Public Health Service Act (PHSA) (42 U.S.C. 300gg–91), as amended by GINA section 102. Section 102(a)(4) of GINA defines “genetic information” to mean, with respect to any individual, information about: (1) Such individual’s genetic tests; (2) the genetic tests of family members of such individual; and (3) the manifestation of a disease or disorder in family members of such individual (i.e., family medical history). GINA also provides that the term “genetic information” includes, with respect to any individual, any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or family member of such individual; however, GINA excludes information about the sex or age of any individual.
The basic definition of “genetic information” in section 102(a)(4) of GINA (and that is to apply for purposes of section 105) is also expanded by section 102(a)(3), which provides that any reference to genetic information concerning an individual or family member in the PHSA shall include: with respect to an individual or family member of an individual who is a pregnant woman, the genetic information of any fetus carried by such pregnant woman; and with respect to an individual or family member utilizing an assisted reproductive technology, the genetic information of any embryo legally held by the individual or family member. The Department proposes to include this statutory definition of “genetic information” in § 160.103 without substantive change.

3. Genetic test. As indicated above, GINA provides that the term “genetic information” includes information about an individual’s genetic tests or the genetic tests of family members of such individual. As with the term “genetic information,” GINA section 105 provides that the term “genetic test” shall have the same meaning as the term has in section 2791 of the PHSA (42 U.S.C. 300gg–91), as amended by section 102 of GINA. Section 102(a)(4) of GINA amends section 2791 of the PHSA to define “genetic test” to mean “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes.” GINA further clarifies that the term “genetic test” does not include an analysis of proteins or metabolites that does not detect genotypes, mutations, or chromosomal changes, or that is directly related to a manifested disease, disorder, or pathological condition that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.
Consistent with the statutory definition of “genetic test,” the Department proposes to define “genetic test” at § 160.103 as an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations or chromosomal changes, and to provide in the definition that “genetic test” does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition. The statute does not define “manifestation” or “manifested.” Consequently, as discussed below, the Department proposes to include a definition of “manifestation or manifested.”

Under this proposed definition of “genetic test,” a test to determine whether an individual has a gene variant associated with breast cancer (such as the BRCA1 or BRCA2 variant) is a genetic test. Similarly, a test to determine whether an individual has a genetic variant associated with hereditary nonpolyposis colorectal cancer is a genetic test. However, medical tests that analyze genetic material that is not of human origin, such as tests that detect the presence of viruses or bacteria in an individual, or tests that do not detect genotypes, mutations, or chromosomal changes, are not genetic tests. For example, an HIV test, complete blood count, cholesterol test, liver function test, or test for the presence of alcohol or drugs is not a genetic test.

4. Genetic services. GINA provides that the term “genetic information” includes, with respect to any individual, any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or any family member of such individual. As with the definitions above, section 105 of GINA provides that the term “genetic services” shall have the meaning given such term in section 2791 of the PHSA (42 U.S.C. 300gg–91), as amended by section 102 of GINA.
Section 102(a)(4) of GINA defines “genetic services” to mean: (1) A genetic test; (2) genetic counseling (including obtaining, interpreting, or assessing genetic information); or (3) genetic education. Thus, the fact that an individual or a family member of the individual requested or received a genetic test, counseling, or education is information protected under GINA. Genetic counseling is a means for individuals to obtain information and support about potential risks for genetic diseases and disorders. Genetic education is also a means for individuals to obtain information about potential risks for genetic diseases and disorders. The Department proposes to add the statutory definition of “genetic services” to § 160.103 without substantive change.

5. Family Member. The term “family member” is used in the definition of “genetic information” in GINA to indicate that an individual’s genetic information also includes information about the genetic tests of the individual’s family members, as well as family medical history. GINA section 105 states that the term “family member” shall have the meaning given such term in section 2791 of the PHSA (42 U.S.C. 300gg–91), as amended by GINA section 102(a)(4), which defines “family member” to mean, with respect to any individual: (1) A dependent (as such term is used for purposes of section 2701(f)(2) of the PHSA, 42 U.S.C. 300gg(f)(2)) of such individual; or (2) any other individual who is a first-degree, second-degree, third-degree, or fourth-degree relative of such individual or of a dependent of the individual. Section 2701(f)(2) of the PHSA uses the term “dependent” to mean an individual who is eligible for coverage under the terms of a group health plan because of a relationship to the participant.
The Department proposes to incorporate the statutory definition of “family member” into § 160.103 but also to clarify in the regulatory text that relatives by affinity (such as by marriage or adoption) are to be treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor) and that, in determining the degree of relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents). This is consistent with the legislative history of GINA, which suggests that the term “family member” is to be broadly construed to provide the maximum protection against discrimination. See House Report 110–28, Part 2 at 27. In addition, the Department proposes to include in the regulatory definition, non-exhaustive lists of persons who are first-, second-, third-, or fourth-degree relatives. Finally, the Department proposes in the definition of “family member” to refer to the definition of “dependent” in the implementing regulations at 45 CFR 144.103 rather than to the PHSA directly. The Department invites public comment on this definition.

We also note that the term “family member” is not currently defined in the Privacy Rule but is used in the Privacy Rule at § 164.510(b), which provides the standard for uses and disclosures of an individual’s PHI to family members and other persons involved in the individual’s care and for notification purposes.
It is not expected that adding to the Privacy Rule the above broad definition of the term “family member” would impact the scope of these existing provisions, particularly given the use in the provisions of the additional terms “other relative,” “close personal friend,” “other person identified by the individual,” “personal representative,” and “other person responsible for the care of the individual,” which would appear to capture any other person, as appropriate, who would not qualify as a “family member” by the new definition.

In addition to the use of the term “family member” in the Privacy Rule, the term “family” is used in three other instances in the Rule: (1) In reference to the Family Educational Rights and Privacy Act in the definition of “protected health information” at § 160.103; (2) in the definition and disclosure permission for psychotherapy notes (at §§ 164.501 and 164.508(a)(2)(B), respectively) where such notes may be created based upon, and used to train within, a family counseling session; and (3) in the disclosure permission at § 164.512(k)(4) for medical suitability determinations by the Department of State for circumstances where family accompany a Foreign Service member abroad. It is also not expected that including a definition of “family member” in the Privacy Rule would impact these provisions, as the scope of the term “family” in each occurrence is determined independently of the Privacy Rule.

6. Manifestation or manifested. Although not separately defined by GINA, the terms “manifestation” or “manifested” are used in GINA in three important contexts. First, GINA uses the term “manifestation” to incorporate “family medical history” into the definition of “genetic information” by stating that “genetic information” includes, with respect to an individual, the manifestation of a disease or disorder in family members of such individual.
Second, GINA uses the term “manifested” to exclude from the definition of “genetic test” those tests that analyze a physical malady rather than genetic makeup by excluding from the definition analyses of proteins or metabolites that are directly related to a manifested disease, disorder, or pathological condition. Third, GINA uses the term “manifestation” to clarify that nothing in Title I of GINA should be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan. However, GINA provides that, in such case, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, GINA clarifies that a health plan is not prohibited from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual’s policy. However, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other individuals and to further increase premiums or contribution amounts.

As noted above, GINA does not define the terms ‘‘manifestation’’ and ‘‘manifested.’’ However, based on the exceptions to the statutory definition of ‘‘genetic test,’’ it is clear from the context of the statute that a manifested disease or disorder is one ‘‘that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.’’ Thus, given the importance of the term in the contexts described above, the Department proposes to include in § 160.103 a definition of ‘‘manifestation or manifested’’ to mean, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved, and to further provide that a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information. Variants of genes associated with diseases have varying degrees of predictive power for later development of the disease. In some cases, an individual may have a genetic variant for a disease and yet never develop the disease. In other cases, the presence of a genetic variant means that the individual will eventually develop the disease. Huntington’s disease is an example of the latter case. However, an individual may obtain a positive test that shows the genetic variant for Huntington’s disease decades before any clinical symptoms appear. Under the above definition, the presence of a genetic variant alone does not constitute the diagnosis of a disease even in cases where it is certain that the individual possessing the genetic variant will eventually develop the disease, such as the case with Huntington’s disease. 
For example, an individual may have a family member that has been diagnosed with Huntington’s disease and also have a genetic test result that indicates the presence of the Huntington’s disease gene variant in the individual. However, when the individual is examined by a neurologist (a physician with appropriate training and expertise for diagnosing Huntington’s disease) because the individual has begun to suffer from occasional moodiness and disorientation (symptoms which are associated with Huntington’s disease), and the results of the examination do not support a diagnosis of Huntington’s disease, then Huntington’s disease is not manifested with respect to the individual. In contrast, if the individual exhibits additional neurological and behavioral symptoms, and the results of the examination support a diagnosis of Huntington’s disease by the neurologist, then Huntington’s disease is manifested with respect to the individual. As another example, an individual has had several family members with colon cancer, one of whom underwent genetic testing which detected a mutation in the MSH2 gene associated with hereditary nonpolyposis colorectal cancer (HNPCC). On the recommendation of his physician (a health care professional with appropriate training and expertise in the field of medicine involved), the individual undergoes a targeted genetic test to look for the specific mutation found in the family member of the individual to determine if the individual himself is at increased risk for cancer. The genetic test shows that the individual also carries the mutation but the individual’s colonoscopy indicates no signs of disease and the individual has no symptoms. Because the individual has no signs or symptoms of colorectal cancer that could be used by the individual’s physician to diagnose the cancer, HNPCC is not a manifested disease with respect to the individual. 
In contrast, if the individual undergoes a colonoscopy or other medical tests that indicate the presence of HNPCC, and the individual’s physician makes a diagnosis of HNPCC, HNPCC is a manifested disease with respect to the individual. If a health care professional with appropriate expertise makes a diagnosis based on the symptoms of the patient, and uses genetic tests to confirm the diagnosis, the disease will be considered manifested, despite the use of genetic information. For example, if a neurologist sees a patient with uncontrolled movements, a loss of intellectual faculties, and emotional disturbances, and the neurologist suspects the presence of Huntington’s disease, the neurologist may confirm the diagnosis with a genetic test. While genetic information is used as part of the diagnosis, the genetic information is not the sole or principal basis for the diagnosis, and, therefore, the Huntington’s disease would be considered a manifested disease of the patient. 7. Health plan. The Department proposes to make technical corrections to update the definition of ‘‘health plan’’ by revising and renumbering the definition to: Include specific reference to the Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Social Security Act, 42 U.S.C. 1395w–101 through 1395w–152; remove the specific reference to the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)), as this program is now part of the TRICARE health care program under title 10 of the United States Code, and revise the reference to the title 10 health care program accordingly to read more generally ‘‘health care program for the uniformed services’’ rather than ‘‘health care program for active military personnel’’; and reflect that Part C of title XVIII of the Social Security Act, 42 U.S.C. 1395w–21 through 1395w–28, is now called the Medicare Advantage program. 
Section 164.501—Definitions

The Department proposes to modify § 164.501 to add a definition of ‘‘underwriting purposes’’ and to make conforming changes to the definitions of ‘‘payment’’ and ‘‘health care operations.’’ 1. Underwriting Purposes. GINA section 105 provides that the term ‘‘underwriting purposes’’ means, with respect to a group health plan, health insurance coverage, or Medicare supplemental policy: (A) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy; (B) the computation of premium or contribution amounts under the plan, coverage, or policy; (C) the application of any pre-existing condition exclusion under the plan, coverage, or policy; and (D) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. The Department proposes to adopt the statutory definition, but also to include certain clarifications for consistency with the regulations promulgated pursuant to GINA sections 101 through 103. Specifically, we include a parenthetical to explain that the rules for, or determination of eligibility for, or determination of, benefits under the plan include changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program. Similarly, we include a parenthetical to make clear that the computation of premium or contribution amounts under the plan, coverage, or policy includes discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program. 
Finally, we add a provision to the definition to clarify that ‘‘underwriting purposes’’ does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy. This provision is intended to be consistent with the provisions in the regulations promulgated pursuant to GINA sections 101 through 103 that provide that determinations of medical appropriateness, where the individual seeks a benefit under the plan, are not considered ‘‘underwriting purposes.’’ We also note that the specific types of activities included in the GINA definition of ‘‘underwriting purposes’’ proposed above fall within the definitions of ‘‘health care operations’’ and ‘‘payment’’ under the Privacy Rule, and that the current definition of ‘‘health care operations’’ also includes the term ‘‘underwriting.’’ Thus, to avoid confusion, the Department proposes conforming changes to the definitions of ‘‘health care operations’’ and ‘‘payment,’’ as discussed below. 2. Health care operations. 
Paragraph (3) of the definition of ‘‘health care operations’’ in the Privacy Rule at § 164.501 includes ‘‘[u]nderwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits * * *.’’ In order to avoid confusion with the use of both ‘‘underwriting’’ and ‘‘underwriting purposes’’ in the Privacy Rule, and in recognition of the fact that the proposed definition of ‘‘underwriting purposes’’ includes activities that fall within both the definitions of ‘‘payment’’ and ‘‘health care operations’’ in the Rule, the Department proposes to remove the term ‘‘underwriting’’ from the definition of ‘‘health care operations.’’ At the same time, we propose to add the term ‘‘enrollment’’ to the express list of health care operations activities to make clear that the removal of the term ‘‘underwriting’’ would not impact the use or disclosure of PHI that is not genetic information for enrollment purposes. We note that these proposed revisions are not intended to constitute a substantive change to the definition of ‘‘health care operations.’’ All uses and disclosures of PHI currently permitted for any activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits under the definition of ‘‘health care operations,’’ including what would be considered ‘‘underwriting’’ as the term is used in the existing Rule, still would be permitted under the revised definition, subject to the prohibition on using or disclosing PHI that is genetic information at proposed § 164.502(a)(3). However, the Department requests public comment on whether the removal of the term ‘‘underwriting’’ from the definition of ‘‘health care operations’’ could have unintended consequences. 3. Payment. 
The definition of ‘‘payment’’ in the Privacy Rule at § 164.501 includes activities, such as ‘‘determinations of eligibility or coverage’’ by a health plan, some of which may also fall within the proposed definition of ‘‘underwriting purposes’’ in the same section. Thus, to avoid any implication that a health plan is permitted to disclose PHI that is genetic information for ‘‘payment’’ purposes that are otherwise prohibited by § 164.502(a)(3) (i.e., that are also underwriting purposes), the Department proposes to include a cross-reference in the definition of ‘‘payment’’ at § 164.501 to the proposed prohibition at § 164.502(a)(3) on health plans using and disclosing genetic information for underwriting purposes to exclude such activities from the ‘‘payment’’ definition. In addition, the inclusion of a cross-reference in the definition of ‘‘payment’’ to the new underwriting prohibition at § 164.502(a)(3) is necessary to properly align the definition of ‘‘payment’’ in the Privacy Rule with the nondiscrimination provisions of GINA Title I, and their implementing regulations. GINA provides a rule of construction, in section 102(a)(2), which adds paragraph 2702(c)(3) of the Public Health Service Act, to make clear that health plans are not prohibited from obtaining and using the results of a genetic test in making determinations regarding payment, as such term is defined by the HIPAA Privacy Rule. Thus, the proposed exception would make clear that GINA’s rule of construction regarding payment does not allow a health plan to request the results of genetic tests for activities that would otherwise constitute ‘‘underwriting purposes,’’ such as for determinations of eligibility for benefits. 
Section 164.502(a)—Uses and Disclosures of Protected Health Information: General Rules

The proposed rule includes the new prohibition on health plans using or disclosing PHI that is genetic information for underwriting purposes at § 164.502(a)(3), and makes clear that such provision would operate notwithstanding the other provisions in the Rule permitting uses and disclosures. We interpret section 105 of GINA as requiring us to prohibit a health plan’s use or disclosure of genetic information for underwriting purposes, even if an individual has signed an authorization for such purposes pursuant to § 164.508. We thus also propose a conforming change to § 164.502(a)(1)(iv) to make clear that an authorization could not be used to permit a use or disclosure of genetic information for underwriting purposes. Additionally, we note that this prohibition applies to all genetic information from the compliance date of these modifications forward, regardless of when or where the genetic information originated. Consistent with the statute, however, this prohibition should not be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan, even though a health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, a health plan is not prohibited from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual’s policy, even though the health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other individuals to further increase premiums or contribution amounts for those other individuals.
As an example to demonstrate the proposed prohibition, if a health insurance issuer, with respect to an employer-sponsored group health plan, uses an individual’s family medical history or the results of genetic tests maintained in the group health plan’s claims experience information to adjust the plan’s premium rate for the upcoming year, the issuer would be using PHI that is genetic information for underwriting purposes in violation of proposed § 164.502(a)(3). Similarly, if a group health plan uses family medical history provided by an individual incidental to the collection of other information on a health risk assessment to grant a premium reduction to the individual, the group health plan would be using genetic information for underwriting purposes in violation of § 164.502(a)(3). Also, note that the prohibition is limited to health plans. A health care provider may use or disclose genetic information as it sees fit for treatment of an individual. If a covered entity, such as an HMO, acts as both a health plan and health care provider, the covered entity may use genetic information for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule, but may not use such genetic information for underwriting purposes. Such covered entities, in particular, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information. 
Section 164.504(f)(1)(ii)—Requirements for Group Health Plans

Section 164.504(f)(1)(ii) permits a group health plan, or health insurance issuer or HMO with respect to the group health plan, to disclose summary health information to the plan sponsor if the plan sponsor requests the information for the purpose of obtaining premium bids from health plans for providing health insurance coverage under the group health plan, or for modifying, amending, or terminating the group health plan. As this provision permits activities that constitute ‘‘underwriting purposes,’’ as defined by GINA and this proposed rule, we add a cross-reference to the proposed § 164.502(a)(3) prohibition on the use or disclosure of genetic information for underwriting purposes, to make clear that § 164.504(f)(1)(ii) would not allow a disclosure of PHI that is otherwise prohibited by § 164.502(a)(3).

Section 164.506—Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations

Section 164.506(a) of the Privacy Rule sets out the uses and disclosures a HIPAA covered entity is permitted to make to carry out treatment, payment, or health care operations. In light of the fact that the proposed definition of ‘‘underwriting purposes’’ encompasses activities that fall both within the definitions of ‘‘payment’’ and ‘‘health care operations’’ under the Privacy Rule, the Department proposes to add a cross-reference in § 164.506(a) to the new prohibition at proposed § 164.502(a)(3) on health plans using and disclosing PHI that is genetic information for underwriting purposes. This cross-reference is intended to make clear that § 164.506 of the Privacy Rule would not permit health plans to use or disclose an individual’s PHI that is genetic information for underwriting, even though such a use or disclosure is considered payment or health care operations. 
Section 164.514(g)—Uses and Disclosures for Activities Relating to the Creation, Renewal, or Replacement of a Contract of Health Insurance or Health Benefit

Section 164.514(g) of the Privacy Rule prohibits a health plan that receives PHI for underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract for health insurance or health benefits, from using or disclosing such PHI for any other purpose (except as required by law) if the health insurance or health benefits are not placed with the health plan. The Department proposes conforming amendments to this provision to: (1) Remove the term ‘‘underwriting’’ to avoid confusion given the new definition of ‘‘underwriting purposes’’ in the proposed rule, which encompasses the activities described above; and (2) make clear that a health plan that receives PHI that is genetic information for the above purposes is not permitted to use or disclose such information, in accordance with proposed § 164.502(a)(3). Note that the removal of the term ‘‘underwriting’’ from this provision is not intended as a substantive change to the scope of the provision.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Section 164.520 of the Privacy Rule sets out the requirements for most covered entities to have and distribute a Notice of Privacy Practices (NPP), which describes the uses and disclosures of PHI a covered entity is permitted to make, the covered entity’s legal duties to protect PHI, and the individual’s rights with respect to PHI. With respect to the description of permitted uses and disclosures, § 164.520(b)(1)(iii) requires a covered entity to include separate statements if the covered entity intends to use or disclose PHI for certain treatment, payment, or health care operations activities, such as fundraising. 
The purpose of these statements is to put individuals on notice of certain uses and disclosures a covered entity may make as part of treatment, payment, or health care operations that may not otherwise be apparent in the NPP since the Privacy Rule does not require the listing of every permitted use or disclosure that may fall within treatment, payment, or health care operations. In a similar manner, the Department believes that individuals have a right to be specifically informed of the fact that health plans that intend to use or disclose their PHI for underwriting nonetheless may not use or disclose their genetic information for such purposes. Thus, the Department proposes to require health plans that use or disclose PHI for underwriting to include a statement in their NPP making clear that they are prohibited from using or disclosing PHI that is genetic information about an individual for such purposes. Without such a specific statement, individuals would not be aware of this restriction and the general statements regarding permitted uses and disclosures for treatment, payment, and health care operations in the NPP of a health plan that performs underwriting would not be accurate (i.e., the NPP would state that the health plan may use or disclose PHI for purposes of payment and health care operations, which would not be true with respect to genetic information when the use or disclosure is for underwriting purposes). The proposed prohibition at § 164.502(a)(3) and the proposed requirement to explicitly include a statement regarding the prohibition represent a material change to the NPP of health plans that perform underwriting, and the Privacy Rule requires at § 164.520(c)(1)(i)(C) that plans provide notice to individuals covered by the plan within 60 days of any material revision to the NPP. 
The Department recognizes that revising and redistributing a NPP may be costly for health plans that perform underwriting and thus requests comment on ways to inform individuals of this change to privacy practices without unduly burdening health plans, particularly given there may be other material changes to the NPP due to the modifications to the Privacy Rule required by the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. In particular, the Department is considering a number of options in this area: (1) Replace the 60-day requirement with a requirement for health plans to revise their NPPs and redistribute them (or at least notify members of the material change to the NPP and how to obtain the revised NPP) in their next annual mailing to members after a material revision to the NPP, such as at the beginning of the plan year or during the open enrollment period; (2) provide a specified delay or extension of the 60-day timeframe for health plans that perform underwriting to implement and inform individuals of the underwriting prohibition; (3) retain the provision generally to require health plans to provide notice within 60 days of a material revision but provide that the Secretary will waive the 60-day timeframe in cases where the timing or substance of modifications to the Privacy Rule call for such a waiver; or (4) make no change and thus, require that health plans that perform underwriting provide notice to individuals within 60 days of the material change to the NPP that would be required by this proposed rule. The Department requests comment on these options, as well as any other options for informing individuals in a timely manner of this proposed or other material changes to the NPP. 
The Department also notes that the obligation to revise the NPP for the reasons described above would fall only on health plans that intend to use or disclose PHI for activities that constitute ‘‘underwriting purposes’’ as defined in this proposed rule at § 164.501. Thus, health care providers, as well as health plans that do not perform underwriting, would not be required to revise their NPPs.

III. Impact Statement and Other Required Analyses

Executive Order 12866

Executive Order 12866 (58 FR 51735, October 4, 1993) directs agencies to determine whether a regulatory action is ‘‘significant’’ and, therefore, subject to review by the Office of Management and Budget and the requirements of the Executive Order. Executive Order 12866, in section 3(f), defines ‘‘significant regulatory action’’ as one that is likely to result in a rule that may: (1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities; (2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) Raise novel legal or policy issues arising out of legal mandates, the President’s priorities, or the principles set forth in the Executive Order. Executive Order 12866 requires a full economic impact analysis only for ‘‘economically significant’’ rules under section 3(f)(1). The Department has determined that this proposed rule is a ‘‘significant regulatory action’’ within the meaning of section 3(f)(4) of Executive Order 12866, because this action raises novel policy issues arising out of legal mandates. 
However, for the reasons discussed below, the Department has determined that the impact of this proposed regulation is not such that it would reach the economically significant threshold under section 3(f)(1) of the Executive Order. Therefore, a detailed cost-benefit assessment of the proposed rule is not required. The proposed rule would prohibit health plans that are HIPAA covered entities from using or disclosing an individual’s PHI that is genetic information for underwriting purposes. Health plans that do not currently use or disclose PHI for underwriting purposes would not be affected at all by the proposed rule. Further, even with respect to health plans that perform underwriting, plans and issuers in the group market have commented to the Department that they do not currently use genetic information for underwriting purposes because pre-GINA laws and regulations prohibit them from discriminating against individuals based on any health status-related factors, including genetic information.[3] With respect to issuers in the individual market, the Department acknowledges that there may be more significant policy changes associated with the proposed prohibition on using or disclosing PHI that is genetic information for underwriting purposes. However, the Department does not have sufficient information at this time to determine the extent of such changes, that is, to what extent issuers in the individual market use genetic information for underwriting purposes, and thus, requests comment in this area. 
In the case of either the individual or group market, however, the Department assumes, because a prohibited use or disclosure of genetic information for underwriting purposes is also a discriminatory use of such information under the nondiscrimination provisions of GINA Title I and its implementing regulations, that there would not be costs associated with conforming a plan’s practices to comply with the prohibition proposed at § 164.502(a)(3) that are above and beyond the costs associated with complying with the regulations implementing sections 101–103 of GINA. With respect to the health plans not covered by GINA but subject to the proposed prohibition in the Privacy Rule, the Department also assumes that the costs to comply will be minimal because such plans either: (1) Do not perform underwriting, as is the case generally with public benefit plans; or (2) perform underwriting but do not in most cases use genetic information (including family medical history) for such purposes. The Department requests comment on its assumptions. However, because these modifications would require a change to the privacy practices of health plans that perform underwriting, health plans that use or disclose PHI for underwriting purposes would be required to undertake a number of actions to comply with existing Privacy Rule requirements. First, these health plans would be required to change their policies and procedures as necessary to comply with the proposed changes to the Privacy Rule. See 45 CFR 164.530(i)(2). Second, health plans that use or disclose PHI for underwriting purposes would be required to train workforce members whose functions are affected by the change to the health plan’s policies and procedures, within a reasonable period of time after the material change becomes effective, and to document the training. See 45 CFR 164.530(b)(2)(i)(C) and (ii). Finally, the affected health plans would be required to revise their NPPs to reflect the change in the law and to provide notice of the revision to individuals covered by the plan within 60 days of the change. See 45 CFR 164.520(c)(1)(i)(C).

[3] See e.g., Comments from BlueCross BlueShield Association, pg. 3 (https://www.dol.gov/ebsa/pdf/cmt-12190808.pdf) and Society for Human Resource Management, pg. 2 (https://www.dol.gov/ebsa/pdf/cmt-12190813.pdf) in response to Request for Information issued by HHS, the Department of Labor, and Treasury/IRS on October 10, 2008, at 73 FR 70208.

The Department estimates that approximately 630 insurers are affected by GINA, consisting of approximately 460 insurers offering coverage in connection with insured group health plans and approximately 490 health insurance issuers offering policies in the individual health insurance market.[4] These insurers would be required to revise their privacy policies and procedures and train affected workforce members with respect to the proposed prohibition on using or disclosing PHI that is genetic information for underwriting purposes. However, given that a prohibited use or disclosure of genetic information for underwriting purposes would also be a discriminatory use of such information under the nondiscrimination provisions of GINA Title I and its implementing regulations, the Department expects the costs associated with conforming a plan’s HIPAA policies and procedures and to conduct training to be a small addition to the costs otherwise associated with updating policies and procedures and developing and conducting the training needed to comply with the regulations implementing sections 101–103 of GINA. 
Accordingly, the Department estimates that these plans would need to spend an additional one hour of a legal professional’s time at an hourly labor rate of $116 [5] to revise the plan’s privacy policies and procedures and to ensure the HIPAA Privacy Rule’s prohibition is appropriately incorporated into training materials. This results in an estimated cost of $73,000. With respect to the health plans not covered by GINA but subject to the proposed prohibition in the Privacy Rule, the Department does not have sufficient information at this time to determine how many of such plans perform underwriting and are not otherwise part of an issuer that already would be obligated to update policies and procedures and train staff on these new provisions. Thus, the Department requests comment in this area.

[4] Estimates are from 2007 NAIC financial statements data and the California Department of Managed Healthcare. Because most self-insured plans hire third-party administrators—insurance companies in most cases—to administer and provide guidance regarding underwriting the plans, we assume that the impact on self-insured plans is addressed in this discussion about the impact of the rule on insurers. We request comment on this assumption.
[5] Based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

We calculate the total cost of revising and distributing notices of privacy practices as $83.4 million. This is based on three components: (1) The cost of printing and mailing the notice; (2) the cost of time associated with distributing the notice; and (3) the cost of time associated with revising the notice. 1. Based on the U.S. 
Census Bureau’s Current Population Survey for 2007, there were 92.3 million participants in employer-based health policies, and 18.9 million policyholders of nonemployment related health insurance policies, leading to a total of 111.2 million policies.[6] We use data for participants and policyholders, rather than persons covered, since plans are only expected to provide notice to the named insured. See 45 CFR 164.520(c)(1)(iii). We limit our analysis to private insurance, rather than all insurance, because it is our understanding that Medicare, Medicaid, and military health care programs do not use or disclose PHI for underwriting purposes, and, therefore, will not need to change their notices. Our total number of participants and policyholders is limited to comprehensive health insurance plans; we do not have data on the number of other types of plans, such as long-term care insurance, and invite comment on this issue.

Based on our data on the total number of private health insurance participants and policyholders, we expect that health plans will need to print and distribute approximately 111.2 million notices. As with the December 2000 preamble to the Privacy Rule, we are estimating that the printing cost for each notice is $0.05.[7] Accordingly, the cost for printing will be approximately $5.6 million. The cost for postage will be approximately $0.44 per notice (although the actual cost may be less, due to bulk mail discounts), resulting in a postage cost of approximately $48.9 million. The total for printing and postage is $54.5 million.

[6] Current Population Survey, March Supplement, March 2008, using HI and PRIV variables.

[7] 65 FR 82,770 (Dec. 28, 2000).

2. We estimate the time to distribute notices to be 100 per hour. For 111.2 million notices, this results in approximately 1,120,000 burden-hours related to distributing the notice. At an hourly labor rate of $26 for a clerical
staff’s time,[8] this leads to an additional cost of $28.9 million.

3. We estimate that it will take 0.5 hours of a legal professional’s time to revise the notice to reflect that the health plan may not use or disclose genetic information for underwriting purposes. As referenced above, we estimate that there are 630 plans affected by GINA. This results in 315 burden-hours related to revising the notice. The wage for a legal professional’s time is $116 per hour. This leads to an additional cost of $37,000. We do not have data on the number of additional plans that would be required to change the notice because they are subject to the Privacy Rule’s prohibition but not otherwise subject to GINA. As noted above, the Department requests comment in this area.

Thus, the Department estimates the total cost to be incurred to implement these provisions, based on currently available information, would be $83.5 million. These costs represent costs to be incurred as one-time, first year implementation costs.

Regulatory Flexibility Analysis

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) (RFA) imposes certain requirements with respect to federal rules that are subject to the notice and comment rulemaking requirements of section 553(b) of the Administrative Procedure Act (5 U.S.C. 551 et seq.) and that are likely to have a significant economic impact on a substantial number of small entities. As indicated above, plans and issuers in the group market have indicated that the immediate impact of GINA and the rules on both large and small group health plans and health insurance issuers should be minimal. Plans and issuers commented that they do not currently use genetic information for underwriting purposes because pre-GINA laws and regulations prohibit them from discriminating against individuals based on any health status-related factors, including genetic information.
Further, while there may be more significant policy changes associated with compliance by issuers in the individual market, in the case of either the individual or group market, the Department assumes that there would not be costs associated with conforming a plan’s practices to comply with the proposed prohibition in this proposed rule on using or disclosing genetic information for underwriting purposes that are above and beyond the costs associated with complying with the regulations implementing sections 101–103 of GINA. In addition, as explained above for health plans not subject to the regulations implementing sections 101–103 of GINA but subject to this proposed rule, the Department assumes the costs to comply will be minimal because such plans either do not perform underwriting or do not use genetic information for underwriting.

[8] Based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

Despite the above, health insurers in both the group and individual health insurance markets would have to incur some cost to comply with this proposed rule. In particular, such plans would have to update their policies and procedures to comply with the proposed changes to the Privacy Rule; train workforce members whose functions are affected by the change to the policies and procedures; and revise and redistribute their NPPs to reflect the change in the law.
For this purpose, using the Small Business Administration’s definition of a small insurer as a business with less than $7 million in revenues, premiums earned as a measure of revenue,[9] and data obtained from the National Association of Insurance Commissioners,[10] the Department estimates that approximately 75 out of 630 insurers had revenues of less than $7 million, and, of these, about 25 had revenues of less than $1 million.[11] However, as discussed above, for all plans, the Department expects the costs associated with conforming a plan’s HIPAA policies and procedures and to conduct training to be a small addition to the costs otherwise associated with updating policies and procedures and developing and conducting the training needed to comply with the regulations implementing sections 101–103 of GINA. Accordingly, the Department estimates that each insurer on average would spend only an additional one hour of a legal professional’s time at an hourly labor rate of $116 [12] to revise the plan’s privacy policies and procedures and to ensure the HIPAA Privacy Rule’s prohibition is appropriately incorporated into training materials. Further, with respect to revising the NPP, we estimate that it will take 0.5 hours of a legal professional’s time, at the same $116 an hour, to make the necessary changes, which results in an additional cost of $58 per plan. With respect to redistributing the revised NPP to the named insured, as described above, we estimate the cost of distributing each notice to be approximately $0.49 for printing and postage and about $0.26 for labor associated with the distribution (100 notices per hour at an hourly labor rate of $26 for a clerical staff’s time [13]). However, because we expect smaller plans to have fewer participants and policyholders to whom the plans would need to send the NPP, we do not expect the costs of providing the revised NPP to fall disproportionately on small insurers.
Thus, for the reasons stated above, it is not expected that the cost of compliance would be significant for small health plans. Nor is it expected that the cost of compliance would fall disproportionately on small health plans. Therefore, the Secretary certifies that this proposed rule would not have a significant economic impact on a substantial number of small entities. The Department invites public comments on its certification.

[9] U.S. Small Business Administration, “Table of Small Business Standards Matched to North American Industry Classification System Codes,” available at https://www.sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.

[10] NAIC 2007 financial statements data.

[11] These counts could be an overestimate. Only health insurance premiums from both the group and individual market were counted. If insurers also offered other types of insurance, their revenues could be higher.

[12] The Department’s estimates are based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

[13] Based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

Paperwork Reduction Act

This proposed rule contains information collections that are subject to review by OMB under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501–3520). Per section 3507(d) of the PRA, we have submitted these information collections to OMB for review. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency’s estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. We explicitly seek, and will consider, public comment on our assumptions as they relate to the PRA requirements summarized in this section. To comment on this collection of information or to obtain copies of the supporting statement and any related forms for the proposed paperwork collections referenced above, e-mail your comment or request, including your address and phone number to sherette.funncoleman@hhs.gov, or call the Reports Clearance Office on (202) 690–6162. In making your request and submitting comments, please reference this rule and OMB Control Number 0990–0294. Written comments and recommendations for the proposed information collections must be directed to the OS Paperwork Clearance Officer at the above e-mail address within 60 days.

Abstract

Section 105 of GINA amends Part C of Title XI of the Social Security Act by adding section 1180 to address the application of the HIPAA Privacy Rule to genetic information. Section 1180 requires the Secretary of HHS to revise the HIPAA Privacy Rule to clarify that genetic information is health information and to prohibit health plans from using or disclosing genetic information for underwriting purposes. In this notice of proposed rulemaking, we propose to implement the modifications required by GINA section 105, and seek public comment on its proposal.

The proposed prohibition at § 164.502(a)(3) and the proposed requirement at § 164.520(b)(1)(iii) to explicitly include a statement regarding the prohibition represent a material change to the Notice of Privacy Practices (NPP) of health plans that perform underwriting. As such, pursuant to § 164.520(c)(1)(i)(C), affected health plans would be required to revise their NPP to reflect the change in the law and to provide notice of the revision to individuals covered by the plan within 60 days of the change. The estimated annualized burden table below was developed using the same estimates and workload assumptions in the impact statement in the section regarding Executive Order 12866, above.

Estimated Annualized Burden Table

ESTIMATED ANNUALIZED BURDEN HOURS

| Section | Type of respondent | Number of respondents | Number of responses per respondent | Average burden hours per response | Total burden hours |
|---|---|---|---|---|---|
| 164.520 | Revision of Notice of Privacy Practices for Protected Health Information (health plans). | 630 | 1 | 30/60 | 315 |
| 164.520 | Dissemination of Notice of Privacy Practices for Protected Health Information (health plans). | 111,200,000 | 1 | 1 per 100 | 1,112,000 |
| Total | | | | | 1,112,315 |

Unfunded Mandates

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditures by State, local, or tribal governments, in the aggregate, or by the private sector, of $133 million in a single year after adjusting for inflation from 1995.
For the reasons discussed above, this proposed rule would not impose a burden large enough to require a section 202 statement under the Unfunded Mandates Reform Act of 1995.

Environmental Impact

The Department has determined under 21 CFR 25.30(k) that this action is of a type that would not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

Executive Order 13132: Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The Federalism implications of the Privacy Rule were assessed as required by Executive Order 13132 and published in the Privacy Rule of December 28, 2000 (65 FR 82462, 82797). The Department believes that these proposed modifications to the Privacy Rule would not significantly affect the rights, roles, and responsibilities of States.

List of Subjects

45 CFR Part 160

Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and recordkeeping requirements, Security.

45 CFR Part 164

Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Medicaid, Medical research, Medicare, Privacy, Reporting and recordkeeping requirements, Security.
For the reasons set forth in the preamble, the Department proposes to amend 45 CFR subtitle A, subchapter C, parts 160 and 164, as follows:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 160 is revised to read as follows:

Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d–1320d–9, sec. 264 of Public Law 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); 5 U.S.C. 552; and secs. 13400 and 13402, Public Law 111–5, 123 Stat. 258–263.

2. Revise § 160.101 to read as follows:

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171 through 1180 of the Social Security Act (the Act), as added by sections 262 and 264 of Public Law 104–191 and section 105 of Public Law 110–233, and section 13402 of Public Law 111–5.

3. In § 160.103, add in alphabetical order definitions of “Family member,” “Genetic information,” “Genetic services,” “Genetic test,” and “Manifestation or manifested,” and revise the introductory text of the definition of “Health information” and paragraphs (1)(vi) through (xi), and (xv) of the definition of “Health plan” as follows:

§ 160.103 Definitions.

* * * * *

Family member means, with respect to an individual:

(1) A dependent (as such term is defined in 45 CFR 144.103), of the individual; or

(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).

(i) First-degree relatives include parents, spouses, siblings, and children.
(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.

(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.

(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Genetic information means:

(1) Subject to paragraphs (2) and (3) of this definition, with respect to any individual, information about:

(i) Such individual’s genetic tests;

(ii) The genetic tests of family members of the individual;

(iii) The manifestation of a disease or disorder in family members of such individual; or

(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or any family member of such individual.

(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:

(i) A fetus carried by the individual or family member who is a pregnant woman; and

(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.

(3) Genetic information excludes information about the sex or age of any individual.

Genetic services means:

(1) A genetic test;

(2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or

(3) Genetic education.

Genetic test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.
* * * * *

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: * * *

* * * * *

Health plan means * * *

(1) * * *

(vi) The Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Act, 42 U.S.C. 1395w–101 through 1395w–152.

(vii) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(viii) An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.

(ix) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(x) The health care program for uniformed services under title 10 of the United States Code.

(xi) The veterans health care program under 38 U.S.C. chapter 17.

* * * * *

(xv) The Medicare Advantage program under Part C of title XVIII of the Act, 42 U.S.C. 1395w–21 through 1395w–28.

* * * * *

Manifestation or manifested means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.

* * * * *

PART 164—SECURITY AND PRIVACY

4. The authority citation for part 164 is revised to read as follows:

Authority: 42 U.S.C. 1320d–1320d–9; sec. 264, Public Law 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); secs. 13400 and 13402, Public Law No. 111–5, 123 Stat. 258–263.

5.
In § 164.501, revise paragraph (3) of the definition of “Health care operations” and paragraph (1)(i) of the definition of “Payment,” and to add in alphabetical order a definition of “Underwriting purposes” to read as follows:

§ 164.501 Definitions.

* * * * *

Health care operations means * * *

(3) Enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

* * * * *

Payment means:

(1) * * *

(i) Except as prohibited under § 164.502(a)(3), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

* * * * *

Underwriting purposes means, with respect to a health plan:

(1) Except as provided in paragraph (2) of this definition:

(i) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(ii) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(iii) The application of any preexisting condition exclusion under the plan, coverage, or policy; and

(iv) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
(2) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

* * * * *

6. In § 164.502, revise paragraph (a)(1)(iv) and add paragraph (a)(3) to read as follows:

§ 164.502 Uses and disclosures of protected health information: General rules.

(a) * * *

(1) * * *

(iv) Except for uses and disclosures prohibited under § 164.502(a)(3), pursuant to and in compliance with a valid authorization under § 164.508;

* * * * *

(3) Prohibited uses and disclosures. Notwithstanding any other provision of this subpart, a health plan shall not use or disclose protected health information that is genetic information for underwriting purposes.

* * * * *

7. In § 164.504, revise the introductory text of paragraph (f)(1)(ii) to read as follows:

§ 164.504 Uses and disclosures: Organizational requirements.

* * * * *

(f)(1) * * *

(ii) Except as prohibited by § 164.502(a)(3), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for purposes of:

* * * * *

8. In § 164.506, revise paragraph (a) to read as follows:

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) or (3) or that are prohibited under § 164.502(a)(3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.

* * * * *

9.
In § 164.514, revise paragraph (g) to read as follows:

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

* * * * *

(g) Standard: Uses and disclosures for activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits. If a health plan receives protected health information for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at § 164.502(a)(3) with respect to genetic information included in the protected health information.

* * * * *

10. In § 164.520, add a new paragraph (b)(1)(iii)(D) to read as follows:

§ 164.520 Notice of privacy practices for protected health information.

* * * * *

(b) * * *

(1) * * *

(iii) * * *

(D) If a covered entity that is a health plan intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.

Dated: June 5, 2009.

Kathleen Sebelius, Secretary.

[FR Doc. E9–22492 Filed 10–1–09; 11:15 am]

BILLING CODE 4153–01–P

DEPARTMENT OF THE TREASURY

Internal Revenue Service

26 CFR Part 54

[REG–123829–08]

RIN 1545–BI02

Genetic Information Nondiscrimination Act

AGENCY: Internal Revenue Service (IRS), Treasury.

ACTION: Notice of proposed rulemaking by cross-reference to temporary regulations.
SUMMARY: Elsewhere in this issue of the Federal Register, the IRS is issuing temporary and final regulations governing the provisions of the Genetic Information Nondiscrimination Act (GINA) prohibiting discrimination based on genetic information for group health plans. The IRS is issuing the temporary and final regulations at the same time that the Employee Benefits Security Administration of the U.S. Department of Labor and the Centers for Medicare & Medicaid Services of the U.S. Department of Health and Human Services are issuing substantially similar interim final regulations with respect to GINA for group health plans and issuers of health insurance coverage offered in connection with a group health plan under the Employee Retirement Income Security Act of 1974 and the Public Health Service Act. The temporary regulations provide guidance to employers and group health plans relating to the group health plan genetic nondiscrimination requirements. The text of those temporary regulations also serves as the text of these proposed regulations.

DATES: Written or electronic comments and requests for a public hearing must be received by January 5, 2010.

ADDRESSES: Send submissions to: CC:PA:LPD:PR (REG–123829–08), Room 5205, Internal Revenue Service, P.O. Box 7604, Ben Franklin Station, Washington, DC 20044. Submissions may be hand-delivered to: CC:PA:LPD:PR (REG–123829–08), Courier’s Desk, Internal Revenue Service, 1111 Constitution Avenue, NW., Washington, DC 20224. Alternatively, taxpayers may submit comments electronically via the Federal eRulemaking Portal at https://www.regulations.gov (IRS REG–123829–08).

FOR FURTHER INFORMATION CONTACT: Concerning the regulations, Russ Weinheimer at 202–622–6080; concerning submissions of comments, Oluwafumilayo Taylor at (202) 622–7180 (not toll-free numbers).
SUPPLEMENTARY INFORMATION:

Paperwork Reduction Act

The collection of information referenced in this notice of proposed rulemaking has been submitted to the Office of Management and Budget for review in accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)). Comments on the collection of information should be sent to the Office of Management and Budget, Attn: Desk Officer for the Department of the Treasury, Office of Information and Regulatory Affairs, Washington, DC 20503, with copies to the Internal Revenue Service, Attn: IRS Reports Clearance Officer, SE:W:CAR:MP:T:T:SP, Washington, DC 20224. Comments on the collection of information should be received by December 7, 2009. Comments are specifically requested concerning:

• Whether the proposed collection of information is necessary for the proper performance of the functions of the Internal Revenue Service, including whether the information will have practical utility;
• The accuracy of the estimated burden associated with the proposed collection of information (see the preamble to the temporary regulations published elsewhere in this issue of the Federal Register);
• How to enhance the quality, utility, and clarity of the information to be collected;
• How to minimize the burden of complying with the proposed collection of information, including the application of automated collection techniques or other forms of information technology; and
• Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

The collection of information is in § 54.9802–3 (see the temporary regulations published elsewhere in this issue of the Federal Register).
The collection of information is required so that the IRS can be apprised when a group health plan is conducting research with respect to genetic information of plan participants or beneficiaries to ensure that all the requirements of the research exception to GINA are being complied with. The likely respondents are business or other for-profit institutions, and nonprofit institutions. Responses to this collection of information are required if a plan wishes to conduct genetic research with respect to participants or beneficiaries of the plan.

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid control number assigned by the Office of Management and Budget.

Books or records relating to a collection of information must be retained as long as their contents may become material in the administration of any internal revenue law. Generally tax returns and tax return information are confidential, as required by 26 U.S.C. 6103.

Background

The temporary regulations published elsewhere in this issue of the Federal Register add a new § 54.9802–3T to the


[Federal Register Volume 74, Number 193 (Wednesday, October 7, 2009)]
[Proposed Rules]
[Pages 51698-51710]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-22492]





-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB54


HIPAA Administrative Simplification: Standards for Privacy of 
Individually Identifiable Health Information

AGENCY: Office for Civil Rights, HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS) proposes to 
modify certain provisions of the ``Standards for Privacy of 
Individually Identifiable Health Information'' (Privacy Rule), issued 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA). The purpose of these proposed modifications is to implement 
section 105 of Title I of the Genetic Information Nondiscrimination Act 
of 2008 (GINA) regarding the privacy and confidentiality of genetic 
information, as well as to make certain other changes to the HIPAA 
Privacy Rule.

DATES: Comments on the proposed rule will be considered if we receive 
them at the appropriate address, as provided below, no later than 
December 7, 2009.

ADDRESSES: Written comments may be submitted through any of the methods 
specified below. Please do not submit duplicate comments.
    • Federal eRulemaking Portal: You may submit electronic 
comments at https://www.regulations.gov. Follow the instructions for 
submitting electronic comments. Attachments should be in Microsoft 
Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
    • Regular, Express, or Overnight Mail: You may mail written 
comments (one original and two copies) to the following address only: 
U.S. Department of Health and Human Services, Office for Civil Rights, 
Attention: GINA NPRM (RIN 0991-AB54), Hubert H. Humphrey Building, Room 
509F, 200 Independence Avenue, SW., Washington, DC 20201. Mailed 
comments may be subject to delivery delays due to security procedures. 
Please allow sufficient time for mailed comments to be timely received 
in the event of delivery delays.
    • Hand Delivery or Courier: If you prefer, you may deliver 
(by hand or courier) your written comments (one original and two 
copies) to the following address only: Office for Civil Rights, 
Attention: GINA NPRM (RIN 0991-AB54), Hubert H. Humphrey Building, Room 
509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because 
access to the interior of the Hubert H. Humphrey Building is not 
readily available to persons without federal government identification, 
commenters are encouraged to leave their comments in the mail drop 
slots located in the main lobby of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. We will post all comments 
received before the close of the comment period at https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

    The ``Standards for Privacy of Individually Identifiable Health 
Information,'' or ``Privacy Rule'' was issued on December 28, 2000 (and 
later amended in August 2002), pursuant to the Administrative 
Simplification Provisions of Title II, Subtitle F, of the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA), Public 
Law 104-191. Subtitle F of Title II of HIPAA added a new Part C to 
Title XI of the Social Security Act (sections 1171-1179 of the Act, 42 
U.S.C. 1320d-1320d-8). The Privacy Rule is one of a suite of rules 
required by the Administrative Simplification provisions of HIPAA, and 
put in place the first national standards for the privacy protection of 
certain individually identifiable health information (called 
``protected health information'' or ``PHI''). The other HIPAA 
Administrative Simplification Rules provide national standards for 
electronic health care transactions and code sets, unique health 
identifiers for employers and health care providers, and the security 
of electronic PHI. The HIPAA Privacy and other Administrative 
Simplification Rules currently apply to three types of covered 
entities: health care providers who conduct covered health care 
transactions electronically, health plans, and health care 
clearinghouses.
    The HIPAA Privacy Rule protects individuals' medical records and 
other individually identifiable health information held by HIPAA 
covered entities by, among other provisions, requiring appropriate 
safeguards to protect the privacy of such information, and setting 
limits and conditions on the uses and disclosures that may be made of 
the information. The Privacy Rule also gives patients rights over their 
PHI, including rights to examine and obtain a copy of their health 
records, and to request corrections.
    On May 21, 2008, President Bush signed into law the Genetic 
Information Nondiscrimination Act of 2008 (``GINA''), Public Law 110-
233, 122 Stat. 881. Congress enacted GINA to ``establish [ ] a national 
and uniform basic standard [that] is necessary to fully protect the 
public from discrimination and allay their concerns about the potential 
for discrimination, thereby allowing individuals to take advantage of 
genetic testing, technologies, research, and new therapies.'' GINA 
section 2(5). To that end, GINA generally prohibits discrimination 
based on an individual's genetic information with respect to both 
health coverage and employment.
    In particular, with respect to health coverage, Title I of GINA 
generally prohibits discrimination in group premiums based on genetic 
information, proscribes the use of genetic information as a basis for 
determining eligibility or setting premiums in the individual and 
Medicare supplemental policy (Medigap) insurance markets, and limits 
the ability of group health plans, health insurance issuers, and 
Medigap issuers to collect genetic information or to request or require 
that individuals undergo genetic testing. Title II of GINA generally 
prohibits use of genetic information in the employment context, 
restricts acquisition of genetic information by employers and other 
entities covered by Title II, and strictly limits such entities from 
disclosing genetic information. The Departments of Labor (Employee 
Benefits Security Administration), Treasury (Internal Revenue Service), 
and HHS (Centers for Medicare & Medicaid Services) are responsible for 
administering and enforcing the GINA Title I nondiscrimination 
provisions, and the Equal Employment Opportunity Commission (EEOC) is 
responsible for administering and enforcing the GINA Title II 
nondiscrimination provisions.\1\
---------------------------------------------------------------------------

    \1\ The Departments of Labor (Employee Benefits Security 
Administration), Treasury (Internal Revenue Service), and HHS 
(Centers for Medicare & Medicaid Services (CMS)) have issued 
regulations in a separate rulemaking to implement sections 101-103 
of GINA, which amended: section 702(b) of the Employee Retirement 
Income Security Act of 1974 (29 U.S.C. 1182(b)); section 2702(b) of 
the Public Health Service Act (42 U.S.C. 300gg-1(b)); and subsection 
(b) of section 9802 of the Internal Revenue Code of 1986. Section 
104 of GINA applies to Medigap issuers, which are subject to the 
provisions of section 1882 of the Social Security Act that are 
implemented by CMS, and which incorporate by reference certain 
provisions in a model regulation of the National Association of 
Insurance Commissioners (NAIC). The NAIC amended its model 
regulation on September 24, 2008, to conform to section 104 of GINA, 
and the amended regulation was published by CMS in the Federal 
Register on April 24, 2009 at 74 FR 18808. With respect to Title II 
of GINA, the EEOC issued a notice of proposed rulemaking on March 2, 
2009, at 74 FR 9056.

---------------------------------------------------------------------------

[[Page 51699]]

    In addition to these nondiscrimination provisions, Title I of GINA 
contains certain new privacy protections for genetic information. In 
particular, section 105 of GINA, entitled ``Privacy and 
Confidentiality,'' amends Part C of Title XI of the Social Security Act 
by adding section 1180 to address the application of the HIPAA Privacy 
Rule to genetic information. Section 1180 requires the Secretary of HHS 
to revise the Privacy Rule to clarify that genetic information is 
health information and to prohibit group health plans, health insurance 
issuers (including HMOs), and issuers of Medicare supplemental policies 
from using or disclosing genetic information for underwriting purposes.
    In this proposed rule, HHS is proposing to implement the 
modifications required by GINA section 105, as well as to make certain 
other modifications to the HIPAA Privacy Rule, and seeks public comment 
on its proposal. In developing its proposal, HHS consulted with the 
Departments of Labor and Treasury, as required by section 105(b)(1) of 
GINA, to ensure, to the extent practicable, consistency across the 
regulations. In addition, HHS coordinated with the EEOC in the 
development of these regulations.

II. Description of Proposed Modifications

Overview and Scope

    In accordance with section 105 of GINA \2\ and the Department's 
general authority under sections 262 and 264 of HIPAA, the Department 
proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide 
that genetic information is health information for purposes of the 
Rule; (2) prohibit health plans from using or disclosing protected 
health information that is genetic information for underwriting 
purposes; (3) revise the provisions relating to the Notice of Privacy 
Practices for health plans that perform underwriting; (4) make a number 
of conforming modifications to definitions and other provisions of the 
Rule; and (5) make technical corrections to update the definition of 
``health plan.''
---------------------------------------------------------------------------

    \2\ Any reference in this section of the preamble to GINA is a 
reference to Title I of GINA, except as otherwise indicated.
---------------------------------------------------------------------------

    Section 105 of GINA requires HHS to modify the Privacy Rule to 
prohibit ``a covered entity that is a group health plan, health 
insurance issuer that issues health insurance coverage, or issuer of a 
medicare [sic] supplemental policy'' from using or disclosing genetic 
information for underwriting purposes. GINA section 105 provides that 
the terms ``group health plan'' and ``health insurance coverage'' have 
the meanings given such terms under section 2791 of the Public Health 
Service Act (42 U.S.C. 300gg-91), and that the term ``medicare [sic] 
supplemental policy'' has the meaning given such term in section 
1882(g) of the Social Security Act. In addition, the term ``health 
insurance issuer,'' as defined at 42 U.S.C. 300gg-91, includes a health 
maintenance organization (HMO). These four types of health plans (i.e., 
group health plans, health insurance issuers, and health maintenance 
organizations, as defined in the Public Health Service Act, as well as 
issuers of Medicare supplemental policies), correspond to the types of 
health plans listed at subparagraphs (i) through (iii) and (vi) of 
paragraph (1) of the definition of ``health plan'' at Sec.  160.103 in 
the HIPAA Privacy Rule.
    In addition to these four categories of health plans, the HIPAA 
Privacy Rule also applies to many other types of health plans, 
including: (1) Long-term care policies (excluding nursing home fixed-
indemnity policies); (2) employee welfare benefit plans or other 
arrangements that are established or maintained for the purpose of 
offering or providing health benefits to the employees of two or more 
employers (to the extent that they are not group health plans or health 
insurance issuers); (3) high risk pools that are mechanisms established 
under State law to provide health insurance coverage or comparable 
coverage to eligible individuals; (4) certain public benefit programs, 
such as Medicare Part A and B, Medicaid, the military and veterans 
health care programs, the Indian Health Service program, and others; as 
well as (5) any other individual or group plan, or combination of 
individual or group plans that provides or pays for the cost of medical 
care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-
91(a)(2)). This last category includes, for example, certain ``excepted 
benefits'' plans described at 42 U.S.C. 300gg-91(c)(2), such as limited 
scope dental or vision benefits plans. See the definition of ``health 
plan'' at Sec.  160.103.
    The Department proposes to apply the prohibition in GINA on using 
and disclosing protected health information that is genetic information 
for underwriting to all health plans that are subject to the Privacy 
Rule, rather than solely to the plans GINA explicitly requires be 
subject to the prohibition. We believe that this interpretation is 
consistent with both GINA and the Secretary's broad authority under 
HIPAA.
    Section 264 of HIPAA (42 U.S.C. 1320d-2 note) provides the 
Secretary with authority to promulgate privacy standards that govern:
    (1) The rights that an individual who is a subject of individually 
identifiable health information should have.
    (2) The procedures that should be established for the exercise of 
such rights.
    (3) The uses and disclosures of such information that should be 
authorized or required.

Accordingly, the Secretary has wide latitude to promulgate privacy 
standards that limit the use or disclosure of individually identifiable 
health information, including genetic information. Furthermore, section 
262 of HIPAA, codified at 42 U.S.C. 1320d-1, states that:

    Any standard adopted under this part shall apply, in whole or in 
part, to the following persons:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information 
in electronic form in connection with a transaction referred to in 
section 1173(a)(1).

While other portions of HIPAA were limited to group health plans, see, 
e.g., sections 101 and 102 of HIPAA, the Administrative Simplification 
subtitle governs a substantially broader definition of ``health plan,'' 
42 U.S.C. 1320d, and instructs that ``any standard'' will apply to all 
such health plans.
    Based on this broad definition of ``health plan,'' the wide 
latitude Congress provided to the Secretary to promulgate privacy 
standards, and the charge that ``any standard'' should apply to all 
health plans, we interpret that the HIPAA administrative simplification 
provisions provide the Secretary with broad authority to craft privacy 
standards that uniformly apply to all health plans, regardless of 
whether such health plans are governed by other portions of the HIPAA 
statute.
    In GINA, Congress recognized a privacy interest on the part of 
individuals, distinct from the nondiscrimination provisions, with 
respect to the use or disclosure of individuals' genetic information in 
health coverage decisions. At a minimum, GINA requires the Secretary to 
apply this privacy interest to uses and disclosures of group health 
plans, health insurance issuers that issue health insurance coverage, 
and issuers of

[[Page 51700]]

Medicare supplemental policies. Apart from this required change to the 
HIPAA Privacy Rule, however, nothing in GINA explicitly or implicitly 
curtails the broad authority of the Secretary to promulgate privacy 
standards for any and all health plans that are governed by the HIPAA 
Administrative Simplification provisions.
    Under the Privacy Rule, consistent with the HIPAA statutory text 
discussed above, an individual's privacy interests and rights with 
respect to the use and disclosure of PHI are protected uniformly 
without regard to the type of health plan that holds the information. 
Thus, under the Privacy Rule, individuals can expect and benefit from 
privacy protections that do not diminish based on the type of health 
plan from which they obtain health coverage.
    Therefore, in keeping with a uniform privacy construct, and 
pursuant to its authority under HIPAA sections 262 and 264, the 
Department proposes to apply the prohibition on using or disclosing PHI 
that is genetic information for underwriting purposes to all health 
plans that are covered entities as defined by HIPAA section 262, and, 
correspondingly, by the Privacy Rule. The Department believes that 
individuals' interests in uniform protection under the Privacy Rule 
against the use or disclosure of their genetic information for 
underwriting purposes outweigh any adverse impact on health plans that 
are not covered by GINA. This is particularly true since we do not 
expect that all of the health plans subject to the Privacy Rule use or 
disclose PHI that is genetic information for underwriting today (or 
even conduct underwriting generally, in the case of some of the public 
benefit plans).
    Consistent with Sec.  160.104(c), the Department intends to require 
health plans to comply with these modifications to the privacy 
standards no later than 180 days from the effective date of such 
modifications. Note that the Department does not propose to extend the 
compliance date for small health plans as the Department believes 180 
days is sufficient time for small health plans to come into compliance 
with the proposed requirements.
    With this overview and description of the scope of the proposed 
rule as foundation, the following discussion describes the proposed 
modifications to the Privacy Rule section by section. Those interested 
in commenting on the proposed provisions can assist the Department by 
preceding discussion of any particular provision in the comment with a 
citation to the section of the proposed rule being discussed, or, if 
submitting a comment relevant to the above discussion, with the term 
``Scope.''

Section 160.103--Definitions

    The Department is proposing to modify Sec.  160.103 to: (1) 
Explicitly provide, as required by GINA, that the definition of 
``health information'' encompasses ``genetic information''; (2) add a 
number of terms used in GINA Title I for purposes of implementing 
GINA's provisions; and (3) make certain technical corrections to update 
the definition of ``health plan.'' We note that with respect to the 
GINA terms, this proposed rule proposes to adopt definitions that are 
generally consistent with the definitions of such terms promulgated in 
the implementing regulations for sections 101-103 of GINA.
    1. Health information. The Department has always maintained that 
genetic information is health information protected by the Privacy Rule 
to the extent such information is individually identifiable and held by 
a covered entity (subject to the general exclusions from the definition 
of ``protected health information''). Frequently Asked Question number 
354, available at https://www.hhs.gov/ocr/privacy/hipaa/faq/about/354.html, states:
    Question: Does the HIPAA Privacy Rule protect genetic 
information?
    Answer: Yes, genetic information is health information protected 
by the Privacy Rule. Like other health information, to be protected 
it must meet the definition of protected health information: it must 
be individually identifiable and maintained by a covered health care 
provider, health plan, or health care clearinghouse. See 45 CFR 
160.103.

Nevertheless, section 105 of GINA requires the Secretary to revise the 
Privacy Rule to make clear that genetic information is health 
information under the Rule. Accordingly, the Department proposes to 
modify the definition of ``health information'' at Sec.  160.103 to 
explicitly provide that such term includes genetic information. We 
note, however, that as before, genetic information, while health 
information, is only covered by the Privacy Rule to the extent that it 
meets the definition of ``protected health information.'' That is, the 
genetic information must be individually identifiable and maintained by 
a HIPAA covered entity (or business associate of a covered entity) (and 
not otherwise fall within one of the exceptions to the definition). See 
the definition of ``protected health information'' at Sec.  160.103.
    2. Genetic information. The term ``genetic information'' is a 
defined term in GINA that establishes what information is protected by 
the statute. GINA section 105 provides that the term ``genetic 
information'' in section 105 shall have the same meaning given the term 
in section 2791 of the Public Health Service Act (PHSA) (42 U.S.C. 
300gg-91), as amended by GINA section 102. Section 102(a)(4) of GINA 
defines ``genetic information'' to mean, with respect to any 
individual, information about: (1) Such individual's genetic tests; (2) 
the genetic tests of family members of such individual; and (3) the 
manifestation of a disease or disorder in family members of such 
individual (i.e., family medical history). GINA also provides that the 
term ``genetic information'' includes, with respect to any individual, 
any request for, or receipt of, genetic services, or participation in 
clinical research which includes genetic services, by such individual 
or family member of such individual; however, GINA excludes information 
about the sex or age of any individual. The basic definition of 
``genetic information'' in section 102(a)(4) of GINA (and that is to 
apply for purposes of section 105) is also expanded by section 
102(a)(3), which provides that any reference to genetic information 
concerning an individual or family member in the PHSA shall include: 
with respect to an individual or family member of an individual who is 
a pregnant woman, the genetic information of any fetus carried by such 
pregnant woman; and with respect to an individual or family member 
utilizing an assisted reproductive technology, the genetic information 
of any embryo legally held by the individual or family member. The 
Department proposes to include this statutory definition of ``genetic 
information'' in Sec.  160.103 without substantive change.
    3. Genetic test. As indicated above, GINA provides that the term 
``genetic information'' includes information about an individual's 
genetic tests or the genetic tests of family members of such 
individual. As with the term ``genetic information,'' GINA section 105 
provides that the term ``genetic test'' shall have the same meaning as 
the term has in section 2791 of the PHSA (42 U.S.C. 300gg-91), as 
amended by section 102 of GINA. Section 102(a)(4) of GINA amends 
section 2791 of the PHSA to define ``genetic test'' to mean ``an 
analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that 
detects genotypes, mutations, or chromosomal changes.'' GINA further 
clarifies that the term ``genetic test'' does not include an analysis 
of proteins or metabolites that does not detect genotypes, mutations, 
or chromosomal changes, or that is directly related to a

[[Page 51701]]

manifested disease, disorder, or pathological condition that could 
reasonably be detected by a health care professional with appropriate 
training and expertise in the field of medicine involved.
    Consistent with the statutory definition of ``genetic test,'' the 
Department proposes to define ``genetic test'' at Sec.  160.103 as an 
analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if 
the analysis detects genotypes, mutations or chromosomal changes, and 
to provide in the definition that ``genetic test'' does not include an 
analysis of proteins or metabolites that is directly related to a 
manifested disease, disorder, or pathological condition. The statute 
does not define ``manifestation'' or ``manifested.'' Consequently, as 
discussed below, the Department proposes to include a definition of 
``manifestation or manifested.''
    Under this proposed definition of ``genetic test,'' a test to 
determine whether an individual has a gene variant associated with 
breast cancer (such as the BRCA1 or BRCA2 variant) is a genetic test. 
Similarly, a test to determine whether an individual has a genetic 
variant associated with hereditary nonpolyposis colorectal cancer is a 
genetic test. However, medical tests that analyze genetic material that 
is not of human origin, such as tests that detect the presence of 
viruses or bacteria in an individual, or tests that do not detect 
genotypes, mutations, or chromosomal changes, are not genetic tests. 
For example, an HIV test, complete blood count, cholesterol test, liver 
function test, or test for the presence of alcohol or drugs is not a 
genetic test.
    4. Genetic services. GINA provides that the term ``genetic 
information'' includes, with respect to any individual, any request 
for, or receipt of, genetic services, or participation in clinical 
research which includes genetic services, by such individual or any 
family member of such individual. As with the definitions above, 
section 105 of GINA provides that the term ``genetic services'' shall 
have the meaning given such term in section 2791 of the PHSA (42 U.S.C. 
300gg-91), as amended by section 102 of GINA. Section 102(a)(4) of GINA 
defines ``genetic services'' to mean: (1) A genetic test; (2) genetic 
counseling (including obtaining, interpreting, or assessing genetic 
information); or (3) genetic education. Thus, the fact that an 
individual or a family member of the individual requested or received a 
genetic test, counseling, or education is information protected under 
GINA.
    Genetic counseling is a means for individuals to obtain information 
and support about potential risks for genetic diseases and disorders. 
Genetic education is also a means for individuals to obtain information 
about potential risks for genetic diseases and disorders. The 
Department proposes to add the statutory definition of ``genetic 
services'' to Sec.  160.103 without substantive change.
    5. Family Member. The term ``family member'' is used in the 
definition of ``genetic information'' in GINA to indicate that an 
individual's genetic information also includes information about the 
genetic tests of the individual's family members, as well as family 
medical history. GINA section 105 states that the term ``family 
member'' shall have the meaning given such term in section 2791 of the 
PHSA (42 U.S.C. 300gg-91), as amended by GINA section 102(a)(4), which 
defines ``family member'' to mean, with respect to any individual: (1) 
A dependent (as such term is used for purposes of section 2701(f)(2) of 
the PHSA, 42 U.S.C. 300gg(f)(2)) of such individual; or (2) any other 
individual who is a first-degree, second-degree, third-degree, or 
fourth-degree relative of such individual or of a dependent of the 
individual. Section 2701(f)(2) of the PHSA uses the term ``dependent'' 
to mean an individual who is eligible for coverage under the terms of a 
group health plan because of a relationship to the participant.
    The Department proposes to incorporate the statutory definition of 
``family member'' into Sec.  160.103 but also to clarify in the 
regulatory text that relatives by affinity (such as by marriage or 
adoption) are to be treated the same as relatives by consanguinity 
(that is, relatives who share a common biological ancestor) and that, 
in determining the degree of relationship, relatives by less than full 
consanguinity (such as half-siblings, who share only one parent) are 
treated the same as relatives by full consanguinity (such as siblings 
who share both parents). This is consistent with the legislative 
history of GINA, which suggests that the term ``family member'' is to 
be broadly construed to provide the maximum protection against 
discrimination. See House Report 110-28, Part 2 at 27. In addition, the 
Department proposes to include in the regulatory definition, non-
exhaustive lists of persons who are first-, second-, third-, or fourth-
degree relatives. Finally, the Department proposes in the definition of 
``family member'' to refer to the definition of ``dependent'' in the 
implementing regulations at 45 CFR 144.103 rather than to the PHSA 
directly. The Department invites public comment on this definition.
    We also note that the term ``family member'' is not currently 
defined in the Privacy Rule but is used in the Privacy Rule at Sec.  
164.510(b), which provides the standard for uses and disclosures of an 
individual's PHI to family members and other persons involved in the 
individual's care and for notification purposes. It is not expected 
that adding to the Privacy Rule the above broad definition of the term 
``family member'' would impact the scope of these existing provisions, 
particularly given the use in the provisions of the additional terms 
``other relative,'' ``close personal friend,'' ``other person 
identified by the individual,'' ``personal representative,'' and 
``other person responsible for the care of the individual,'' which 
would appear to capture any other person, as appropriate, who would not 
qualify as a ``family member'' by the new definition.
    In addition to the use of the term ``family member'' in the Privacy 
Rule, the term ``family'' is used in three other instances in the Rule: 
(1) In reference to the Family Educational Rights and Privacy Act in 
the definition of ``protected health information'' at Sec.  160.103; 
(2) in the definition and disclosure permission for psychotherapy notes 
(at Sec. Sec.  164.501 and 164.508(a)(2)(B), respectively) where such 
notes may be created based upon, and used to train within, a family 
counseling session; and (3) in the disclosure permission at Sec.  
164.512(k)(4) for medical suitability determinations by the Department 
of State for circumstances where family accompany a Foreign Service 
member abroad. It is also not expected that including a definition of 
``family member'' in the Privacy Rule would impact these provisions, as 
the scope of the term ``family'' in each occurrence is determined 
independently of the Privacy Rule.
    6. Manifestation or manifested. Although not separately defined by 
GINA, the terms ``manifestation'' or ``manifested'' are used in GINA in 
three important contexts. First, GINA uses the term ``manifestation'' 
to incorporate ``family medical history'' into the definition of 
``genetic information'' by stating that ``genetic information'' 
includes, with respect to an individual, the manifestation of a disease 
or disorder in family members of such individual. Second, GINA uses the 
term ``manifested'' to exclude from the definition of ``genetic test'' 
those tests that analyze a physical malady rather

[[Page 51702]]

than genetic makeup by excluding from the definition analyses of 
proteins or metabolites that are directly related to a manifested 
disease, disorder, or pathological condition. Third, GINA uses the term 
``manifestation'' to clarify that nothing in Title I of GINA should be 
construed to limit the ability of a health plan to adjust premiums or 
contribution amounts for a group health plan based on the manifestation 
of a disease or disorder of an individual enrolled in the plan. 
However, GINA provides that, in such case, the manifestation of a 
disease or disorder in one individual cannot also be used as genetic 
information about other group members and to further increase the 
premium for the plan. Similarly, for the individual health insurance 
market, GINA clarifies that a health plan is not prohibited from 
establishing rules for eligibility for an individual to enroll in 
coverage or from adjusting premium or contribution amounts for an 
individual based on the manifestation of a disease or disorder in that 
individual or in a family member of such individual where such family 
member is covered under the individual's policy. However, the 
manifestation of a disease or disorder in one individual cannot also be 
used as genetic information about other individuals and to further 
increase premiums or contribution amounts.
    As noted above, GINA does not define the terms ``manifestation'' 
and ``manifested.'' However, based on the exceptions to the statutory 
definition of ``genetic test,'' it is clear from the context of the 
statute that a manifested disease or disorder is one ``that could 
reasonably be detected by a health care professional with appropriate 
training and expertise in the field of medicine involved.'' Thus, given 
the importance of the term in the contexts described above, the 
Department proposes to include in Sec.  160.103 a definition of 
``manifestation or manifested'' to mean, with respect to a disease, 
disorder, or pathological condition, that an individual has been or 
could reasonably be diagnosed with the disease, disorder, or 
pathological condition by a health care professional with appropriate 
training and expertise in the field of medicine involved, and to 
further provide that a disease, disorder, or pathological condition is 
not manifested if the diagnosis is based principally on genetic 
information.
    Variants of genes associated with diseases have varying degrees of 
predictive power for later development of the disease. In some cases, 
an individual may have a genetic variant for a disease and yet never 
develop the disease. In other cases, the presence of a genetic variant 
means that the individual will eventually develop the disease. 
Huntington's disease is an example of the latter case. However, an 
individual may obtain a positive test that shows the genetic variant 
for Huntington's disease decades before any clinical symptoms appear. 
Under the above definition, the presence of a genetic variant alone 
does not constitute the diagnosis of a disease even in cases where it 
is certain that the individual possessing the genetic variant will 
eventually develop the disease, such as the case with Huntington's 
disease. For example, an individual may have a family member that has 
been diagnosed with Huntington's disease and also have a genetic test 
result that indicates the presence of the Huntington's disease gene 
variant in the individual. However, when the individual is examined by 
a neurologist (a physician with appropriate training and expertise for 
diagnosing Huntington's disease) because the individual has begun to 
suffer from occasional moodiness and disorientation (symptoms which are 
associated with Huntington's disease), and the results of the 
examination do not support a diagnosis of Huntington's disease, then 
Huntington's disease is not manifested with respect to the individual. 
In contrast, if the individual exhibits additional neurological and 
behavioral symptoms, and the results of the examination support a 
diagnosis of Huntington's disease by the neurologist, then Huntington's 
disease is manifested with respect to the individual.
    As another example, an individual has had several family members 
with colon cancer, one of whom underwent genetic testing which detected 
a mutation in the MSH2 gene associated with hereditary nonpolyposis 
colorectal cancer (HNPCC). On the recommendation of his physician (a 
health care professional with appropriate training and expertise in the 
field of medicine involved), the individual undergoes a targeted 
genetic test to look for the specific mutation found in the family 
member of the individual to determine if the individual himself is at 
increased risk for cancer. The genetic test shows that the individual 
also carries the mutation but the individual's colonoscopy indicates no 
signs of disease and the individual has no symptoms. Because the 
individual has no signs or symptoms of colorectal cancer that could be 
used by the individual's physician to diagnose the cancer, HNPCC is not 
a manifested disease with respect to the individual. In contrast, if 
the individual undergoes a colonoscopy or other medical tests that 
indicate the presence of HNPCC, and the individual's physician makes a 
diagnosis of HNPCC, HNPCC is a manifested disease with respect to the 
individual.
    If a health care professional with appropriate expertise makes a 
diagnosis based on the symptoms of the patient, and uses genetic tests 
to confirm the diagnosis, the disease will be considered manifested, 
despite the use of genetic information. For example, if a neurologist 
sees a patient with uncontrolled movements, a loss of intellectual 
faculties, and emotional disturbances, and the neurologist suspects the 
presence of Huntington's disease, the neurologist may confirm the 
diagnosis with a genetic test. While genetic information is used as 
part of the diagnosis, the genetic information is not the sole or 
principal basis for the diagnosis, and, therefore, the Huntington's 
disease would be considered a manifested disease of the patient.
    7. Health plan. The Department proposes to make technical 
corrections to update the definition of ``health plan'' by revising and 
renumbering the definition to: Include specific reference to the 
Voluntary Prescription Drug Benefit Program under Part D of title XVIII 
of the Social Security Act, 42 U.S.C. 1395w-101 through 1395w-152; 
remove the specific reference to the Civilian Health and Medical 
Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 
1072(4)), as this program is now part of the TRICARE health care 
program under title 10 of the United States Code, and revise the 
reference to the title 10 health care program accordingly to read more 
generally ``health care program for the uniformed services'' rather 
than ``health care program for active military personnel''; and reflect 
that Part C of title XVIII of the Social Security Act, 42 U.S.C. 1395w-
21 through 1395w-28, is now called the Medicare Advantage program.

Section 164.501--Definitions

    The Department proposes to modify Sec.  164.501 to add a definition 
of ``underwriting purposes'' and to make conforming changes to the 
definitions of ``payment'' and ``health care operations.''
    1. Underwriting Purposes. GINA section 105 provides that the term 
``underwriting purposes'' means, with respect to a group health plan, 
health insurance coverage, or Medicare supplemental policy: (A) Rules 
for, or determination of, eligibility (including enrollment and 
continued eligibility) for, or determination of, benefits under
the plan, coverage, or policy; (B) the computation of premium or 
contribution amounts under the plan, coverage, or policy; (C) the 
application of any pre-existing condition exclusion under the plan, 
coverage, or policy; and (D) other activities related to the creation, 
renewal, or replacement of a contract of health insurance or health 
benefits.
    The Department proposes to adopt the statutory definition, but also 
to include certain clarifications for consistency with the regulations 
promulgated pursuant to GINA sections 101 through 103. Specifically, we 
include a parenthetical to explain that the rules for, or determination 
of eligibility for, or determination of, benefits under the plan 
include changes in deductibles or other cost-sharing mechanisms in 
return for activities such as completing a health risk assessment or 
participating in a wellness program. Similarly, we include a 
parenthetical to make clear that the computation of premium or 
contribution amounts under the plan, coverage, or policy includes 
discounts, rebates, payments in kind, or other premium differential 
mechanisms in return for activities such as completing a health risk 
assessment or participating in a wellness program. Finally, we add a 
provision to the definition to clarify that ``underwriting purposes'' 
does not include determinations of medical appropriateness where an 
individual seeks a benefit under the plan, coverage, or policy. This 
provision is intended to be consistent with the provisions in the 
regulations promulgated pursuant to GINA sections 101 through 103 that 
provide that determinations of medical appropriateness, where the 
individual seeks a benefit under the plan, are not considered 
``underwriting purposes.''
    We also note that the specific types of activities included in the 
GINA definition of ``underwriting purposes'' proposed above fall within 
the definitions of ``health care operations'' and ``payment'' under the 
Privacy Rule, and that the current definition of ``health care 
operations'' also includes the term ``underwriting.'' Thus, to avoid 
confusion, the Department proposes conforming changes to the 
definitions of ``health care operations'' and ``payment,'' as discussed 
below.
    2. Health care operations. Paragraph (3) of the definition of 
``health care operations'' in the Privacy Rule at Sec.  164.501 
includes ``[u]nderwriting, premium rating, and other activities 
relating to the creation, renewal or replacement of a contract of 
health insurance or health benefits * * *.'' In order to avoid 
confusion with the use of both ``underwriting'' and ``underwriting 
purposes'' in the Privacy Rule, and in recognition of the fact that the 
proposed definition of ``underwriting purposes'' includes activities 
that fall within both the definitions of ``payment'' and ``health care 
operations'' in the Rule, the Department proposes to remove the term 
``underwriting'' from the definition of ``health care operations.'' At 
the same time, we propose to add the term ``enrollment'' to the express 
list of health care operations activities to make clear that the 
removal of the term ``underwriting'' would not impact the use or 
disclosure of PHI that is not genetic information for enrollment 
purposes. We note that these proposed revisions are not intended to 
constitute a substantive change to the definition of ``health care 
operations.'' All uses and disclosures of PHI currently permitted for 
any activities related to the creation, renewal, or replacement of a 
contract of health insurance or health benefits under the definition of 
``health care operations,'' including what would be considered 
``underwriting'' as the term is used in the existing Rule, still would 
be permitted under the revised definition, subject to the prohibition 
on using or disclosing PHI that is genetic information at proposed 
Sec.  164.502(a)(3). However, the Department requests public comment on 
whether the removal of the term ``underwriting'' from the definition of 
``health care operations'' could have unintended consequences.
    3. Payment. The definition of ``payment'' in the Privacy Rule at 
Sec.  164.501 includes activities, such as ``determinations of 
eligibility or coverage'' by a health plan, some of which may also fall 
within the proposed definition of ``underwriting purposes'' in the same 
section. Thus, to avoid any implication that a health plan is permitted 
to disclose PHI that is genetic information for ``payment'' purposes 
that are otherwise prohibited by Sec.  164.502(a)(3) (i.e., that are 
also underwriting purposes), the Department proposes to include a 
cross-reference in the definition of ``payment'' at Sec.  164.501 to 
the proposed prohibition at Sec.  164.502(a)(3) on health plans using 
and disclosing genetic information for underwriting purposes to exclude 
such activities from the ``payment'' definition.
    In addition, the inclusion of a cross-reference in the definition 
of ``payment'' to the new underwriting prohibition at Sec.  
164.502(a)(3) is necessary to properly align the definition of 
``payment'' in the Privacy Rule with the nondiscrimination provisions 
of GINA Title I, and their implementing regulations. GINA provides a 
rule of construction, in section 102(a)(2), which adds paragraph 
2702(c)(3) of the Public Health Service Act, to make clear that health 
plans are not prohibited from obtaining and using the results of a 
genetic test in making determinations regarding payment, as such term 
is defined by the HIPAA Privacy Rule. Thus, the proposed exception 
would make clear that GINA's rule of construction regarding payment 
does not allow a health plan to request the results of genetic tests 
for activities that would otherwise constitute ``underwriting 
purposes,'' such as for determinations of eligibility for benefits.

Section 164.502(a)--Uses and Disclosures of Protected Health 
Information: General Rules

    The proposed rule includes the new prohibition on health plans 
using or disclosing PHI that is genetic information for underwriting 
purposes at Sec.  164.502(a)(3), and makes clear that such provision 
would operate notwithstanding the other provisions in the Rule 
permitting uses and disclosures. We interpret section 105 of GINA as 
requiring us to prohibit a health plan's use or disclosure of genetic 
information for underwriting purposes, even if an individual has signed 
an authorization for such purposes pursuant to Sec.  164.508. We thus 
also propose a conforming change to Sec.  164.502(a)(1)(iv) to make 
clear that an authorization could not be used to permit a use or 
disclosure of genetic information for underwriting purposes. 
Additionally, we note that this prohibition applies to all genetic 
information from the compliance date of these modifications forward, 
regardless of when or where the genetic information originated.
    Consistent with the statute, however, this prohibition should not 
be construed to limit the ability of a health plan to adjust premiums 
or contribution amounts for a group health plan based on the 
manifestation of a disease or disorder of an individual enrolled in the 
plan, even though a health plan cannot use the manifestation of a 
disease or disorder in one individual as genetic information about 
other group members and to further increase the premium for the plan. 
Similarly, for the individual health insurance market, a health plan is 
not prohibited from establishing rules for eligibility for an 
individual to enroll in coverage or from adjusting premium or 
contribution amounts for an individual based on the manifestation of a 
disease or disorder in that individual or in a family member of such 
individual where such family member is covered under the individual's 
policy,
even though the health plan cannot use the manifestation of a disease 
or disorder in one individual as genetic information about other 
individuals to further increase premiums or contribution amounts for 
those other individuals.
    As an example to demonstrate the proposed prohibition, if a health 
insurance issuer, with respect to an employer-sponsored group health 
plan, uses an individual's family medical history or the results of 
genetic tests maintained in the group health plan's claims experience 
information to adjust the plan's premium rate for the upcoming year, 
the issuer would be using PHI that is genetic information for 
underwriting purposes in violation of proposed Sec.  164.502(a)(3). 
Similarly, if a group health plan uses family medical history provided 
by an individual incidental to the collection of other information on a 
health risk assessment to grant a premium reduction to the individual, 
the group health plan would be using genetic information for 
underwriting purposes in violation of Sec.  164.502(a)(3).
    Also, note that the prohibition is limited to health plans. A 
health care provider may use or disclose genetic information as it sees 
fit for treatment of an individual. If a covered entity, such as an 
HMO, acts as both a health plan and health care provider, the covered 
entity may use genetic information for purposes of treatment, to 
determine the medical appropriateness of a benefit, and as otherwise 
permitted by the Privacy Rule, but may not use such genetic information 
for underwriting purposes. Such covered entities, in particular, should 
ensure that appropriate staff members are trained on the permissible 
and impermissible uses of genetic information.

Section 164.504(f)(1)(ii)--Requirements for Group Health Plans

    Section 164.504(f)(1)(ii) permits a group health plan, or health 
insurance issuer or HMO with respect to the group health plan, to 
disclose summary health information to the plan sponsor if the plan 
sponsor requests the information for the purpose of obtaining premium 
bids from health plans for providing health insurance coverage under 
the group health plan, or for modifying, amending, or terminating the 
group health plan. As this provision permits activities that constitute 
``underwriting purposes,'' as defined by GINA and this proposed rule, 
we add a cross-reference to the proposed Sec.  164.502(a)(3) 
prohibition on the use or disclosure of genetic information for 
underwriting purposes, to make clear that Sec.  164.504(f)(1)(ii) would 
not allow a disclosure of PHI that is otherwise prohibited by Sec.  
164.502(a)(3).

Section 164.506--Uses and Disclosures to Carry Out Treatment, Payment, 
or Health Care Operations

    Section 164.506(a) of the Privacy Rule sets out the uses and 
disclosures a HIPAA covered entity is permitted to make to carry out 
treatment, payment, or health care operations. In light of the fact 
that the proposed definition of ``underwriting purposes'' encompasses 
activities that fall both within the definitions of ``payment'' and 
``health care operations'' under the Privacy Rule, the Department 
proposes to add a cross-reference in Sec.  164.506(a) to the new 
prohibition at proposed Sec.  164.502(a)(3) on health plans using and 
disclosing PHI that is genetic information for underwriting purposes. 
This cross-reference is intended to make clear that Sec.  164.506 of 
the Privacy Rule would not permit health plans to use or disclose an 
individual's PHI that is genetic information for underwriting, even 
though such a use or disclosure is considered payment or health care 
operations.

Section 164.514(g)--Uses and Disclosures for Activities Relating to the 
Creation, Renewal, or Replacement of a Contract of Health Insurance or 
Health Benefit

    Section 164.514(g) of the Privacy Rule prohibits a health plan that 
receives PHI for underwriting, premium rating, or other activities 
relating to the creation, renewal, or replacement of a contract for 
health insurance or health benefits, from using or disclosing such PHI 
for any other purpose (except as required by law) if the health 
insurance or health benefits are not placed with the health plan. The 
Department proposes conforming amendments to this provision to: (1) 
Remove the term ``underwriting'' to avoid confusion given the new 
definition of ``underwriting purposes'' in the proposed rule, which 
encompasses the activities described above; and (2) make clear that a 
health plan that receives PHI that is genetic information for the above 
purposes is not permitted to use or disclose such information, in 
accordance with proposed Sec.  164.502(a)(3). Note that the removal of 
the term ``underwriting'' from this provision is not intended as a 
substantive change to the scope of the provision.

Section 164.520--Notice of Privacy Practices for Protected Health 
Information

    Section 164.520 of the Privacy Rule sets out the requirements for 
most covered entities to have and distribute a Notice of Privacy 
Practices (NPP), which describes the uses and disclosures of PHI a 
covered entity is permitted to make, the covered entity's legal duties 
to protect PHI, and the individual's rights with respect to PHI. With 
respect to the description of permitted uses and disclosures, Sec.  
164.520(b)(1)(iii) requires a covered entity to include separate 
statements if the covered entity intends to use or disclose PHI for 
certain treatment, payment, or health care operations activities, such 
as fundraising. The purpose of these statements is to put individuals 
on notice of certain uses and disclosures a covered entity may make as 
part of treatment, payment, or health care operations that may not 
otherwise be apparent in the NPP since the Privacy Rule does not 
require the listing of every permitted use or disclosure that may fall 
within treatment, payment, or health care operations. In a similar 
manner, the Department believes that individuals have a right to be 
specifically informed of the fact that health plans that intend to use 
or disclose their PHI for underwriting nonetheless may not use or 
disclose their genetic information for such purposes. Thus, the 
Department proposes to require health plans that use or disclose PHI 
for underwriting to include a statement in their NPP making clear that 
they are prohibited from using or disclosing PHI that is genetic 
information about an individual for such purposes. Without such a 
specific statement, individuals would not be aware of this restriction 
and the general statements regarding permitted uses and disclosures for 
treatment, payment, and health care operations in the NPP of a health 
plan that performs underwriting would not be accurate (i.e., the NPP 
would state that the health plan may use or disclose PHI for purposes 
of payment and health care operations, which would not be true with 
respect to genetic information when the use or disclosure is for 
underwriting purposes).
    The proposed prohibition at Sec.  164.502(a)(3) and the proposed 
requirement to explicitly include a statement regarding the prohibition 
represent a material change to the NPP of health plans that perform 
underwriting, and the Privacy Rule requires at Sec.  
164.520(c)(1)(i)(C) that plans provide notice to individuals
covered by the plan within 60 days of any material revision to the NPP. 
The Department recognizes that revising and redistributing a NPP may be 
costly for health plans that perform underwriting and thus requests 
comment on ways to inform individuals of this change to privacy 
practices without unduly burdening health plans, particularly given 
there may be other material changes to the NPP due to the modifications 
to the Privacy Rule required by the provisions of the Health 
Information Technology for Economic and Clinical Health (HITECH) Act, 
enacted as part of the American Recovery and Reinvestment Act of 2009. 
In particular, the Department is considering a number of options in 
this area: (1) Replace the 60-day requirement with a requirement for 
health plans to revise their NPPs and redistribute them (or at least 
notify members of the material change to the NPP and how to obtain the 
revised NPP) in their next annual mailing to members after a material 
revision to the NPP, such as at the beginning of the plan year or 
during the open enrollment period; (2) provide a specified delay or 
extension of the 60-day timeframe for health plans that perform 
underwriting to implement and inform individuals of the underwriting 
prohibition; (3) retain the provision generally to require health plans 
to provide notice within 60 days of a material revision but provide 
that the Secretary will waive the 60-day timeframe in cases where the 
timing or substance of modifications to the Privacy Rule call for such 
a waiver; or (4) make no change and thus, require that health plans 
that perform underwriting provide notice to individuals within 60 days 
of the material change to the NPP that would be required by this 
proposed rule. The Department requests comment on these options, as 
well as any other options for informing individuals in a timely manner 
of this proposed or other material changes to the NPP.
    The Department also notes that the obligation to revise the NPP for 
the reasons described above would fall only on health plans that intend 
to use or disclose PHI for activities that constitute ``underwriting 
purposes'' as defined in this proposed rule at Sec.  164.501. Thus, 
health care providers, as well as health plans that do not perform 
underwriting, would not be required to revise their NPPs.

III. Impact Statement and Other Required Analyses

Executive Order 12866

    Executive Order 12866 (58 FR 51735, October 4, 1993) directs 
agencies to determine whether a regulatory action is ``significant'' 
and, therefore, subject to review by the Office of Management and 
Budget and the requirements of the Executive Order. Executive Order 
12866, in section 3(f), defines ``significant regulatory action'' as 
one that is likely to result in a rule that may:
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy, a sector of the 
economy, productivity, competition, jobs, the environment, public 
health or safety, or state, local, or tribal government or communities;
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another agency;
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs or the rights and obligations of recipients 
thereof; or
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
the Executive Order.
    Executive Order 12866 requires a full economic impact analysis only 
for ``economically significant'' rules under section 3(f)(1).
    The Department has determined that this proposed rule is a 
``significant regulatory action'' within the meaning of section 3(f)(4) 
of Executive Order 12866, because this action raises novel policy 
issues arising out of legal mandates. However, for the reasons 
discussed below, the Department has determined that the impact of this 
proposed regulation is not such that it would reach the economically-
significant threshold under section 3(f)(1) of the Executive Order. 
Therefore, a detailed cost-benefit assessment of the proposed rule is 
not required.
    The proposed rule would prohibit health plans that are HIPAA 
covered entities from using or disclosing an individual's PHI that is 
genetic information for underwriting purposes. Health plans that do not 
currently use or disclose PHI for underwriting purposes would not be 
affected at all by the proposed rule. Further, even with respect to 
health plans that perform underwriting, plans and issuers in the group 
market have commented to the Department that they do not currently use 
genetic information for underwriting purposes because pre-GINA laws and 
regulations prohibit them from discriminating against individuals based 
on any health status-related factors, including genetic information.\3\ 
With respect to issuers in the individual market, the Department 
acknowledges that there may be more significant policy changes 
associated with the proposed prohibition on using or disclosing PHI 
that is genetic information for underwriting purposes. However, the 
Department does not have sufficient information at this time to 
determine the extent of such changes, that is, to what extent issuers 
in the individual market use genetic information for underwriting 
purposes, and thus, requests comment in this area. In the case of 
either the individual or group market, however, the Department assumes, 
because a prohibited use or disclosure of genetic information for 
underwriting purposes is also a discriminatory use of such information 
under the nondiscrimination provisions of GINA Title I and its 
implementing regulations, that there would not be costs associated with 
conforming a plan's practices to comply with the prohibition proposed 
at Sec.  164.502(a)(3) that are above and beyond the costs associated 
with complying with the regulations implementing sections 101-103 of 
GINA. With respect to the health plans not covered by GINA but subject 
to the proposed prohibition in the Privacy Rule, the Department also 
assumes that the costs to comply will be minimal because such plans 
either: (1) Do not perform underwriting, as is the case generally with 
public benefit plans; or (2) perform underwriting but do not in most 
cases use genetic information (including family medical history) for 
such purposes. The Department requests comment on its assumptions.
---------------------------------------------------------------------------

    \3\ See e.g., Comments from BlueCross BlueShield Association, 
pg. 3 (https://www.dol.gov/ebsa/pdf/cmt-12190808.pdf) and Society for 
Human Resource Management, pg. 2 (https://www.dol.gov/ebsa/pdf/cmt-12190813.pdf) in response to Request for Information issued by HHS, 
the Department of Labor, and Treasury/IRS on October 10, 2008, at 73 
FR 70208.
---------------------------------------------------------------------------

    However, because these modifications would require a change to the 
privacy practices of health plans that perform underwriting, health 
plans that use or disclose PHI for underwriting purposes would be 
required to undertake a number of actions to comply with existing 
Privacy Rule requirements. First, these health plans would be required 
to change their policies and procedures as necessary to comply with the 
proposed changes to the Privacy Rule. See 45 CFR 164.530(i)(2). Second, 
health plans that use or disclose PHI for underwriting purposes would 
be required to train workforce members whose functions are affected by 
the
change to the health plan's policies and procedures, within a 
reasonable period of time after the material change becomes effective, 
and to document the training. See 45 CFR 164.530(b)(2)(i)(C) and (ii). 
Finally, the affected health plans would be required to revise their 
NPPs to reflect the change in the law and to provide notice of the 
revision to individuals covered by the plan within 60 days of the 
change. See 45 CFR 164.520(c)(1)(i)(C).
    The Department estimates that approximately 630 insurers are 
affected by GINA, consisting of approximately 460 insurers offering 
coverage in connection with insured group health plans and 
approximately 490 health insurance issuers offering policies in the 
individual health insurance market.\4\ These insurers would be required 
to revise their privacy policies and procedures and train affected 
workforce members with respect to the proposed prohibition on using or 
disclosing PHI that is genetic information for underwriting purposes. 
However, given that a prohibited use or disclosure of genetic 
information for underwriting purposes would also be a discriminatory 
use of such information under the nondiscrimination provisions of GINA 
Title I and its implementing regulations, the Department expects the 
costs associated with conforming a plan's HIPAA policies and procedures 
and to conduct training to be a small addition to the costs otherwise 
associated with updating policies and procedures and developing and 
conducting the training needed to comply with the regulations 
implementing sections 101-103 of GINA. Accordingly, the Department 
estimates that these plans would need to spend an additional one hour 
of a legal professional's time at an hourly labor rate of $116 \5\ to 
revise the plan's privacy policies and procedures and to ensure the 
HIPAA Privacy Rule's prohibition is appropriately incorporated into 
training materials. This results in an estimated cost of $73,000. With 
respect to the health plans not covered by GINA but subject to the 
proposed prohibition in the Privacy Rule, the Department does not have 
sufficient information at this time to determine how many of such plans 
perform underwriting and are not otherwise part of an issuer that 
already would be obligated to update policies and procedures and train 
staff on these new provisions. Thus, the Department requests comment in 
this area.
---------------------------------------------------------------------------

    \4\ Estimates are from 2007 NAIC financial statements data and 
the California Department of Managed Healthcare. Because most self-
insured plans hire third-party administrators--insurance companies 
in most cases--to administer and provide guidance regarding 
underwriting the plans, we assume that the impact on self-insured 
plans is addressed in this discussion about the impact of the rule 
on insurers. We request comment on this assumption.
    \5\ Based on the National Occupational Employment Survey (May 
2007, Bureau of Labor Statistics) and the Employment Cost Index June 
2008, Bureau of L