Proposed Rule

HIPAA Administrative Simplification: Standards for Privacy of Individually Identifiable Health Information

Action

Proposed Rule.

Summary

The Department of Health and Human Services (HHS) proposes to modify certain provisions of the “Standards for Privacy of Individually Identifiable Health Information” (Privacy Rule), issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of these proposed modifications is to implement section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) regarding the privacy and confidentiality of genetic information, as well as to make certain other changes to the HIPAA Privacy Rule.

Unified Agenda

Modifications to the HIPAA Privacy Rule Required by the Genetic Information Nondiscrimination Act of 2008

3 actions from October 7th, 2009 to March 2nd, 2011

  • October 7th, 2009
  • December 7th, 2009
    • NPRM Comment Period End
  • March 2nd, 2011
 

DATES:

Comments on the proposed rule will be considered if we receive them at the appropriate address, as provided below, no later than December 7, 2009.

ADDRESSES:

Written comments may be submitted through any of the methods specified below. Please do not submit duplicate comments.

  • Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov. Follow the instructions for submitting electronic comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
  • Regular, Express, or Overnight Mail: You may mail written comments (one original and two copies) to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: GINA NPRM (RIN 0991-AB54), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Mailed comments may be subject to delivery delays due to security procedures. Please allow sufficient time for mailed comments to be timely received in the event of delivery delays.
  • Hand Delivery or Courier: If you prefer, you may deliver (by hand or courier) your written comments (one original and two copies) to the following address only: Office for Civil Rights, Attention: GINA NPRM (RIN 0991-AB54), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

The “Standards for Privacy of Individually Identifiable Health Information,” or “Privacy Rule” was issued on December 28, 2000 (and later amended in August 2002), pursuant to the Administrative Simplification Provisions of Title II, Subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. Subtitle F of Title II of HIPAA added a new Part C to Title XI of the Social Security Act (sections 1171-1179 of the Act, 42 U.S.C. 1320d-1320d-8). The Privacy Rule is one of a suite of rules required by the Administrative Simplification provisions of HIPAA, and put in place the first national standards for the privacy protection of certain individually identifiable health information (called “protected health information” or “PHI”). The other HIPAA Administrative Simplification Rules provide national standards for electronic health care transactions and code sets, unique health identifiers for employers and health care providers, and the security of electronic PHI. The HIPAA Privacy and other Administrative Simplification Rules currently apply to three types of covered entities: health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.

The HIPAA Privacy Rule protects individuals' medical records and other individually identifiable health information held by HIPAA covered entities by, among other provisions, requiring appropriate safeguards to protect the privacy of such information, and setting limits and conditions on the uses and disclosures that may be made of the information. The Privacy Rule also gives patients rights over their PHI, including rights to examine and obtain a copy of their health records, and to request corrections.

On May 21, 2008, President Bush signed into law the Genetic Information Nondiscrimination Act of 2008 (“GINA”), Public Law 110-233, 122 Stat. 881. Congress enacted GINA to “establish [ ] a national and uniform basic standard [that] is necessary to fully protect the public from discrimination and allay their concerns about the potential for discrimination, thereby allowing individuals to take advantage of genetic testing, technologies, research, and new therapies.” GINA section 2(5). To that end, GINA generally prohibits discrimination based on an individual's genetic information with respect to both health coverage and employment.

In particular, with respect to health coverage, Title I of GINA generally prohibits discrimination in group premiums based on genetic information, proscribes the use of genetic information as a basis for determining eligibility or setting premiums in the individual and Medicare supplemental policy (Medigap) insurance markets, and limits the ability of group health plans, health insurance issuers, and Medigap issuers to collect genetic information or to request or require that individuals undergo genetic testing. Title II of GINA generally prohibits use of genetic information in the employment context, restricts acquisition of genetic information by employers and other entities covered by Title II, and strictly limits such entities from disclosing genetic information. The Departments of Labor (Employee Benefits Security Administration), Treasury (Internal Revenue Service), and HHS (Centers for Medicare & Medicaid Services) are responsible for administering and enforcing the GINA Title I nondiscrimination provisions, and the Equal Employment Opportunity Commission (EEOC) is responsible for administering and enforcing the GINA Title II nondiscrimination provisions. [1]

In addition to these nondiscrimination provisions, Title I of GINA contains certain new privacy protections for genetic information. In particular, section 105 of GINA, entitled “Privacy and Confidentiality,” amends Part C of Title XI of the Social Security Act by adding section 1180 to address the application of the HIPAA Privacy Rule to genetic information. Section 1180 requires the Secretary of HHS to revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes.

In this proposed rule, HHS is proposing to implement the modifications required by GINA section 105, as well as to make certain other modifications to the HIPAA Privacy Rule, and seeks public comment on its proposal. In developing its proposal, HHS consulted with the Departments of Labor and Treasury, as required by section 105(b)(1) of GINA, to ensure, to the extent practicable, consistency across the regulations. In addition, HHS coordinated with the EEOC in the development of these regulations.

II. Description of Proposed Modifications

Overview and Scope

In accordance with section 105 of GINA [2] and the Department's general authority under sections 262 and 264 of HIPAA, the Department proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide that genetic information is health information for purposes of the Rule; (2) prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes; (3) revise the provisions relating to the Notice of Privacy Practices for health plans that perform underwriting; (4) make a number of conforming modifications to definitions and other provisions of the Rule; and (5) make technical corrections to update the definition of “health plan.”

Section 105 of GINA requires HHS to modify the Privacy Rule to prohibit “a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare [sic] supplemental policy” from using or disclosing genetic information for underwriting purposes. GINA section 105 provides that the terms “group health plan” and “health insurance coverage” have the meanings given such terms under section 2791 of the Public Health Service Act (42 U.S.C. 300gg-91), and that the term “medicare [sic] supplemental policy” has the meaning given such term in section 1882(g) of the Social Security Act. In addition, the term “health insurance issuer,” as defined at 42 U.S.C. 300gg-91, includes a health maintenance organization (HMO). These four types of health plans (i.e., group health plans, health insurance issuers, and health maintenance organizations, as defined in the Public Health Service Act, as well as issuers of Medicare supplemental policies), correspond to the types of health plans listed at subparagraphs (i) through (iii) and (vi) of paragraph (1) of the definition of “health plan” at § 160.103 in the HIPAA Privacy Rule.

In addition to these four categories of health plans, the HIPAA Privacy Rule also applies to many other types of health plans, including: (1) Long-term care policies (excluding nursing home fixed-indemnity policies); (2) employee welfare benefit plans or other arrangements that are established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers (to the extent that they are not group health plans or health insurance issuers); (3) high risk pools that are mechanisms established under State law to provide health insurance coverage or comparable coverage to eligible individuals; (4) certain public benefit programs, such as Medicare Part A and B, Medicaid, the military and veterans health care programs, the Indian Health Service program, and others; as well as (5) any other individual or group plan, or combination of individual or group plans that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). This last category includes, for example, certain “excepted benefits” plans described at 42 U.S.C. 300gg-91(c)(2), such as limited scope dental or vision benefits plans. See the definition of “health plan” at § 160.103.

The Department proposes to apply the prohibition in GINA on using and disclosing protected health information that is genetic information for underwriting to all health plans that are subject to the Privacy Rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. We believe that this interpretation is consistent with both GINA and the Secretary's broad authority under HIPAA.

Section 264 of HIPAA (42 U.S.C. 1320d-2 note) provides the Secretary with authority to promulgate privacy standards that govern:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

Accordingly, the Secretary has wide latitude to promulgate privacy standards that limit the use or disclosure of individually identifiable health information, including genetic information. Furthermore, section 262 of HIPAA, codified at 42 U.S.C. 1320d-1, states that:

Any standard adopted under this part shall apply, in whole or in part, to the following persons:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).

While other portions of HIPAA were limited to group health plans, see, e.g., sections 101 and 102 of HIPAA, the Administrative Simplification subtitle governs a substantially broader definition of “health plan,” 42 U.S.C. 1320d, and instructs that “any standard” will apply to all such health plans.

Based on this broad definition of “health plan,” the wide latitude Congress provided to the Secretary to promulgate privacy standards, and the charge that “any standard” should apply to all health plans, we interpret that the HIPAA administrative simplification provisions provide the Secretary with broad authority to craft privacy standards that uniformly apply to all health plans, regardless of whether such health plans are governed by other portions of the HIPAA statute.

In GINA, Congress recognized a privacy interest on the part of individuals, distinct from the nondiscrimination provisions, with respect to the use or disclosure of individuals' genetic information in health coverage decisions. At a minimum, GINA requires the Secretary to apply this privacy interest to uses and disclosures of group health plans, health insurance issuers that issue health insurance coverage, and issuers of Medicare supplemental policies. Apart from this required change to the HIPAA Privacy Rule, however, nothing in GINA explicitly or implicitly curtails the broad authority of the Secretary to promulgate privacy standards for any and all health plans that are governed by the HIPAA Administrative Simplification provisions.

Under the Privacy Rule, consistent with the HIPAA statutory text discussed above, an individual's privacy interests and rights with respect to the use and disclosure of PHI are protected uniformly without regard to the type of health plan that holds the information. Thus, under the Privacy Rule, individuals can expect and benefit from privacy protections that do not diminish based on the type of health plan from which they obtain health coverage.

Therefore, in keeping with a uniform privacy construct, and pursuant to its authority under HIPAA sections 262 and 264, the Department proposes to apply the prohibition on using or disclosing PHI that is genetic information for underwriting purposes to all health plans that are covered entities as defined by HIPAA section 262, and, correspondingly, by the Privacy Rule. The Department believes that individuals' interests in uniform protection under the Privacy Rule against the use or disclosure of their genetic information for underwriting purposes outweigh any adverse impact on health plans that are not covered by GINA. This is particularly true since we do not expect that all of the health plans subject to the Privacy Rule use or disclose PHI that is genetic information for underwriting today (or even conduct underwriting generally, in the case of some of the public benefit plans).

Consistent with § 160.104(c), the Department intends to require health plans to comply with these modifications to the privacy standards no later than 180 days from the effective date of such modifications. Note that the Department does not propose to extend the compliance date for small health plans as the Department believes 180 days is sufficient time for small health plans to come into compliance with the proposed requirements.

With this overview and description of the scope of the proposed rule as foundation, the following discussion describes the proposed modifications to the Privacy Rule section by section. Those interested in commenting on the proposed provisions can assist the Department by preceding discussion of any particular provision in the comment with a citation to the section of the proposed rule being discussed, or, if submitting a comment relevant to the above discussion, with the term “Scope.”

Section 160.103—Definitions

The Department is proposing to modify § 160.103 to: (1) Explicitly provide, as required by GINA, that the definition of “health information” encompasses “genetic information”; (2) add a number of terms used in GINA Title I for purposes of implementing GINA's provisions; and (3) make certain technical corrections to update the definition of “health plan.” We note that with respect to the GINA terms, this proposed rule proposes to adopt definitions that are generally consistent with the definitions of such terms promulgated in the implementing regulations for sections 101-103 of GINA.

1. Health information. The Department has always maintained that genetic information is health information protected by the Privacy Rule to the extent such information is individually identifiable and held by a covered entity (subject to the general exclusions from the definition of “protected health information”). Frequently Asked Question number 354, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/about/354.html, states:

Question: Does the HIPAA Privacy Rule protect genetic information?

Answer: Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 CFR 160.103.

Nevertheless, section 105 of GINA requires the Secretary to revise the Privacy Rule to make clear that genetic information is health information under the Rule. Accordingly, the Department proposes to modify the definition of “health information” at § 160.103 to explicitly provide that such term includes genetic information. We note, however, that as before, genetic information, while health information, is only covered by the Privacy Rule to the extent that it meets the definition of “protected health information.” That is, the genetic information must be individually identifiable and maintained by a HIPAA covered entity (or business associate of a covered entity) (and not otherwise fall within one of the exceptions to the definition). See the definition of “protected health information” at § 160.103.

2. Genetic information. The term “genetic information” is a defined term in GINA that establishes what information is protected by the statute. GINA section 105 provides that the term “genetic information” in section 105 shall have the same meaning given the term in section 2791 of the Public Health Service Act (PHSA) (42 U.S.C. 300gg-91), as amended by GINA section 102. Section 102(a)(4) of GINA defines “genetic information” to mean, with respect to any individual, information about: (1) Such individual's genetic tests; (2) the genetic tests of family members of such individual; and (3) the manifestation of a disease or disorder in family members of such individual (i.e., family medical history). GINA also provides that the term “genetic information” includes, with respect to any individual, any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or family member of such individual; however, GINA excludes information about the sex or age of any individual. The basic definition of “genetic information” in section 102(a)(4) of GINA (and that is to apply for purposes of section 105) is also expanded by section 102(a)(3), which provides that any reference to genetic information concerning an individual or family member in the PHSA shall include: with respect to an individual or family member of an individual who is a pregnant woman, the genetic information of any fetus carried by such pregnant woman; and with respect to an individual or family member utilizing an assisted reproductive technology, the genetic information of any embryo legally held by the individual or family member. The Department proposes to include this statutory definition of “genetic information” in § 160.103 without substantive change.

3. Genetic test. As indicated above, GINA provides that the term “genetic information” includes information about an individual's genetic tests or the genetic tests of family members of such individual. As with the term “genetic information,” GINA section 105 provides that the term “genetic test” shall have the same meaning as the term has in section 2791 of the PHSA (42 U.S.C. 300gg-91), as amended by section 102 of GINA. Section 102(a)(4) of GINA amends section 2791 of the PHSA to define “genetic test” to mean “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes.” GINA further clarifies that the term “genetic test” does not include an analysis of proteins or metabolites that does not detect genotypes, mutations, or chromosomal changes, or that is directly related to a manifested disease, disorder, or pathological condition that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.

Consistent with the statutory definition of “genetic test,” the Department proposes to define “genetic test” at § 160.103 as an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations or chromosomal changes, and to provide in the definition that “genetic test” does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition. The statute does not define “manifestation” or “manifested.” Consequently, as discussed below, the Department proposes to include a definition of “manifestation or manifested.”

Under this proposed definition of “genetic test,” a test to determine whether an individual has a gene variant associated with breast cancer (such as the BRCA1 or BRCA2 variant) is a genetic test. Similarly, a test to determine whether an individual has a genetic variant associated with hereditary nonpolyposis colorectal cancer is a genetic test. However, medical tests that analyze genetic material that is not of human origin, such as tests that detect the presence of viruses or bacteria in an individual, or tests that do not detect genotypes, mutations, or chromosomal changes, are not genetic tests. For example, an HIV test, complete blood count, cholesterol test, liver function test, or test for the presence of alcohol or drugs is not a genetic test.

4. Genetic services. GINA provides that the term “genetic information” includes, with respect to any individual, any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or any family member of such individual. As with the definitions above, section 105 of GINA provides that the term “genetic services” shall have the meaning given such term in section 2791 of the PHSA (42 U.S.C. 300gg-91), as amended by section 102 of GINA. Section 102(a)(4) of GINA defines “genetic services” to mean: (1) A genetic test; (2) genetic counseling (including obtaining, interpreting, or assessing genetic information); or (3) genetic education. Thus, the fact that an individual or a family member of the individual requested or received a genetic test, counseling, or education is information protected under GINA.

Genetic counseling is a means for individuals to obtain information and support about potential risks for genetic diseases and disorders. Genetic education is also a means for individuals to obtain information about potential risks for genetic diseases and disorders. The Department proposes to add the statutory definition of “genetic services” to § 160.103 without substantive change.

5. Family Member. The term “family member” is used in the definition of “genetic information” in GINA to indicate that an individual's genetic information also includes information about the genetic tests of the individual's family members, as well as family medical history. GINA section 105 states that the term “family member” shall have the meaning given such term in section 2791 of the PHSA (42 U.S.C. 300gg-91), as amended by GINA section 102(a)(4), which defines “family member” to mean, with respect to any individual: (1) A dependent (as such term is used for purposes of section 2701(f)(2) of the PHSA, 42 U.S.C. 300gg(f)(2)) of such individual; or (2) any other individual who is a first-degree, second-degree, third-degree, or fourth-degree relative of such individual or of a dependent of the individual. Section 2701(f)(2) of the PHSA uses the term “dependent” to mean an individual who is eligible for coverage under the terms of a group health plan because of a relationship to the participant.

The Department proposes to incorporate the statutory definition of “family member” into § 160.103 but also to clarify in the regulatory text that relatives by affinity (such as by marriage or adoption) are to be treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor) and that, in determining the degree of relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents). This is consistent with the legislative history of GINA, which suggests that the term “family member” is to be broadly construed to provide the maximum protection against discrimination. See House Report 110-28, Part 2 at 27. In addition, the Department proposes to include in the regulatory definition, non-exhaustive lists of persons who are first-, second-, third-, or fourth-degree relatives. Finally, the Department proposes in the definition of “family member” to refer to the definition of “dependent” in the implementing regulations at 45 CFR 144.103 rather than to the PHSA directly. The Department invites public comment on this definition.

We also note that the term “family member” is not currently defined in the Privacy Rule but is used in the Privacy Rule at § 164.510(b), which provides the standard for uses and disclosures of an individual's PHI to family members and other persons involved in the individual's care and for notification purposes. It is not expected that adding to the Privacy Rule the above broad definition of the term “family member” would impact the scope of these existing provisions, particularly given the use in the provisions of the additional terms “other relative,” “close personal friend,” “other person identified by the individual,” “personal representative,” and “other person responsible for the care of the individual,” which would appear to capture any other person, as appropriate, who would not qualify as a “family member” by the new definition.

In addition to the use of the term “family member” in the Privacy Rule, the term “family” is used in three other instances in the Rule: (1) In reference to the Family Educational Rights and Privacy Act in the definition of “protected health information” at § 160.103; (2) in the definition and disclosure permission for psychotherapy notes (at §§ 164.501 and 164.508(a)(2)(B), respectively) where such notes may be created based upon, and used to train within, a family counseling session; and (3) in the disclosure permission at § 164.512(k)(4) for medical suitability determinations by the Department of State for circumstances where family accompany a Foreign Service member abroad. It is also not expected that including a definition of “family member” in the Privacy Rule would impact these provisions, as the scope of the term “family” in each occurrence is determined independently of the Privacy Rule.

6. Manifestation or manifested. Although not separately defined by GINA, the terms “manifestation” or “manifested” are used in GINA in three important contexts. First, GINA uses the term “manifestation” to incorporate “family medical history” into the definition of “genetic information” by stating that “genetic information” includes, with respect to an individual, the manifestation of a disease or disorder in family members of such individual. Second, GINA uses the term “manifested” to exclude from the definition of “genetic test” those tests that analyze a physical malady rather than genetic makeup by excluding from the definition analyses of proteins or metabolites that are directly related to a manifested disease, disorder, or pathological condition. Third, GINA uses the term “manifestation” to clarify that nothing in Title I of GINA should be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan. However, GINA provides that, in such case, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, GINA clarifies that a health plan is not prohibited from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual's policy. However, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other individuals and to further increase premiums or contribution amounts.

As noted above, GINA does not define the terms “manifestation” and “manifested.” However, based on the exceptions to the statutory definition of “genetic test,” it is clear from the context of the statute that a manifested disease or disorder is one “that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.” Thus, given the importance of the term in the contexts described above, the Department proposes to include in § 160.103 a definition of “manifestation or manifested” to mean, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved, and to further provide that a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.

Variants of genes associated with diseases have varying degrees of predictive power for later development of the disease. In some cases, an individual may have a genetic variant for a disease and yet never develop the disease. In other cases, the presence of a genetic variant means that the individual will eventually develop the disease. Huntington's disease is an example of the latter case. However, an individual may obtain a positive test that shows the genetic variant for Huntington's disease decades before any clinical symptoms appear. Under the above definition, the presence of a genetic variant alone does not constitute the diagnosis of a disease even in cases where it is certain that the individual possessing the genetic variant will eventually develop the disease, such as the case with Huntington's disease. For example, an individual may have a family member that has been diagnosed with Huntington's disease and also have a genetic test result that indicates the presence of the Huntington's disease gene variant in the individual. However, when the individual is examined by a neurologist (a physician with appropriate training and expertise for diagnosing Huntington's disease) because the individual has begun to suffer from occasional moodiness and disorientation (symptoms which are associated with Huntington's disease), and the results of the examination do not support a diagnosis of Huntington's disease, then Huntington's disease is not manifested with respect to the individual. In contrast, if the individual exhibits additional neurological and behavioral symptoms, and the results of the examination support a diagnosis of Huntington's disease by the neurologist, then Huntington's disease is manifested with respect to the individual.

As another example, an individual has had several family members with colon cancer, one of whom underwent genetic testing which detected a mutation in the MSH2 gene associated with hereditary nonpolyposis colorectal cancer (HNPCC). On the recommendation of his physician (a health care professional with appropriate training and expertise in the field of medicine involved), the individual undergoes a targeted genetic test to look for the specific mutation found in the family member of the individual to determine if the individual himself is at increased risk for cancer. The genetic test shows that the individual also carries the mutation but the individual's colonoscopy indicates no signs of disease and the individual has no symptoms. Because the individual has no signs or symptoms of colorectal cancer that could be used by the individual's physician to diagnose the cancer, HNPCC is not a manifested disease with respect to the individual. In contrast, if the individual undergoes a colonoscopy or other medical tests that indicate the presence of HNPCC, and the individual's physician makes a diagnosis of HNPCC, HNPCC is a manifested disease with respect to the individual.

If a health care professional with appropriate expertise makes a diagnosis based on the symptoms of the patient, and uses genetic tests to confirm the diagnosis, the disease will be considered manifested, despite the use of genetic information. For example, if a neurologist sees a patient with uncontrolled movements, a loss of intellectual faculties, and emotional disturbances, and the neurologist suspects the presence of Huntington's disease, the neurologist may confirm the diagnosis with a genetic test. While genetic information is used as part of the diagnosis, the genetic information is not the sole or principal basis for the diagnosis, and, therefore, the Huntington's disease would be considered a manifested disease of the patient.

7. Health plan. The Department proposes to make technical corrections to update the definition of “health plan” by revising and renumbering the definition to: Include specific reference to the Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Social Security Act, 42 U.S.C. 1395w-101 through 1395w-152; remove the specific reference to the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)), as this program is now part of the TRICARE health care program under title 10 of the United States Code, and revise the reference to the title 10 health care program accordingly to read more generally “health care program for the uniformed services” rather than “health care program for active military personnel”; and reflect that Part C of title XVIII of the Social Security Act, 42 U.S.C. 1395w-21 through 1395w-28, is now called the Medicare Advantage program.

Section 164.501—Definitions

The Department proposes to modify § 164.501 to add a definition of “underwriting purposes” and to make conforming changes to the definitions of “payment” and “health care operations.”

1. Underwriting Purposes. GINA section 105 provides that the term “underwriting purposes” means, with respect to a group health plan, health insurance coverage, or Medicare supplemental policy: (A) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy; (B) the computation of premium or contribution amounts under the plan, coverage, or policy; (C) the application of any pre-existing condition exclusion under the plan, coverage, or policy; and (D) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

The Department proposes to adopt the statutory definition, but also to include certain clarifications for consistency with the regulations promulgated pursuant to GINA sections 101 through 103. Specifically, we include a parenthetical to explain that the rules for, or determination of eligibility for, or determination of, benefits under the plan include changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program. Similarly, we include a parenthetical to make clear that the computation of premium or contribution amounts under the plan, coverage, or policy includes discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program. Finally, we add a provision to the definition to clarify that “underwriting purposes” does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy. This provision is intended to be consistent with the provisions in the regulations promulgated pursuant to GINA sections 101 through 103 that provide that determinations of medical appropriateness, where the individual seeks a benefit under the plan, are not considered “underwriting purposes.”

We also note that the specific types of activities included in the GINA definition of “underwriting purposes” proposed above fall within the definitions of “health care operations” and “payment” under the Privacy Rule, and that the current definition of “health care operations” also includes the term “underwriting.” Thus, to avoid confusion, the Department proposes conforming changes to the definitions of “health care operations” and “payment,” as discussed below.

2. Health care operations. Paragraph (3) of the definition of “health care operations” in the Privacy Rule at § 164.501 includes “[u]nderwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits * * *.” In order to avoid confusion with the use of both “underwriting” and “underwriting purposes” in the Privacy Rule, and in recognition of the fact that the proposed definition of “underwriting purposes” includes activities that fall within both the definitions of “payment” and “health care operations” in the Rule, the Department proposes to remove the term “underwriting” from the definition of “health care operations.” At the same time, we propose to add the term “enrollment” to the express list of health care operations activities to make clear that the removal of the term “underwriting” would not impact the use or disclosure of PHI that is not genetic information for enrollment purposes. We note that these proposed revisions are not intended to constitute a substantive change to the definition of “health care operations.” All uses and disclosures of PHI currently permitted for any activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits under the definition of “health care operations,” including what would be considered “underwriting” as the term is used in the existing Rule, still would be permitted under the revised definition, subject to the prohibition on using or disclosing PHI that is genetic information at proposed § 164.502(a)(3). However, the Department requests public comment on whether the removal of the term “underwriting” from the definition of “health care operations” could have unintended consequences.

3. Payment. The definition of “payment” in the Privacy Rule at § 164.501 includes activities, such as “determinations of eligibility or coverage” by a health plan, some of which may also fall within the proposed definition of “underwriting purposes” in the same section. Thus, to avoid any implication that a health plan is permitted to disclose PHI that is genetic information for “payment” purposes that are otherwise prohibited by § 164.502(a)(3) (i.e., that are also underwriting purposes), the Department proposes to include a cross-reference in the definition of “payment” at § 164.501 to the proposed prohibition at § 164.502(a)(3) on health plans using and disclosing genetic information for underwriting purposes to exclude such activities from the “payment” definition.

In addition, the inclusion of a cross-reference in the definition of “payment” to the new underwriting prohibition at § 164.502(a)(3) is necessary to properly align the definition of “payment” in the Privacy Rule with the nondiscrimination provisions of GINA Title I, and their implementing regulations. GINA provides a rule of construction, in section 102(a)(2), which adds paragraph 2702(c)(3) of the Public Health Service Act, to make clear that health plans are not prohibited from obtaining and using the results of a genetic test in making determinations regarding payment, as such term is defined by the HIPAA Privacy Rule. Thus, the proposed exception would make clear that GINA's rule of construction regarding payment does not allow a health plan to request the results of genetic tests for activities that would otherwise constitute “underwriting purposes,” such as for determinations of eligibility for benefits.

Section 164.502(a)—Uses and Disclosures of Protected Health Information: General Rules

The proposed rule includes the new prohibition on health plans using or disclosing PHI that is genetic information for underwriting purposes at § 164.502(a)(3), and makes clear that such provision would operate notwithstanding the other provisions in the Rule permitting uses and disclosures. We interpret section 105 of GINA as requiring us to prohibit a health plan's use or disclosure of genetic information for underwriting purposes, even if an individual has signed an authorization for such purposes pursuant to § 164.508. We thus also propose a conforming change to § 164.502(a)(1)(iv) to make clear that an authorization could not be used to permit a use or disclosure of genetic information for underwriting purposes. Additionally, we note that this prohibition applies to all genetic information from the compliance date of these modifications forward, regardless of when or where the genetic information originated.

Consistent with the statute, however, this prohibition should not be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan, even though a health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, a health plan is not prohibited from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual's policy, even though the health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other individuals to further increase premiums or contribution amounts for those other individuals.

As an example to demonstrate the proposed prohibition, if a health insurance issuer, with respect to an employer-sponsored group health plan, uses an individual's family medical history or the results of genetic tests maintained in the group health plan's claims experience information to adjust the plan's premium rate for the upcoming year, the issuer would be using PHI that is genetic information for underwriting purposes in violation of proposed § 164.502(a)(3). Similarly, if a group health plan uses family medical history provided by an individual incidental to the collection of other information on a health risk assessment to grant a premium reduction to the individual, the group health plan would be using genetic information for underwriting purposes in violation of § 164.502(a)(3).

Also, note that the prohibition is limited to health plans. A health care provider may use or disclose genetic information as it sees fit for treatment of an individual. If a covered entity, such as an HMO, acts as both a health plan and health care provider, the covered entity may use genetic information for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule, but may not use such genetic information for underwriting purposes. Such covered entities, in particular, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information.

Section 164.504(f)(1)(ii)—Requirements for Group Health Plans

Section 164.504(f)(1)(ii) permits a group health plan, or health insurance issuer or HMO with respect to the group health plan, to disclose summary health information to the plan sponsor if the plan sponsor requests the information for the purpose of obtaining premium bids from health plans for providing health insurance coverage under the group health plan, or for modifying, amending, or terminating the group health plan. As this provision permits activities that constitute “underwriting purposes,” as defined by GINA and this proposed rule, we add a cross-reference to the proposed § 164.502(a)(3) prohibition on the use or disclosure of genetic information for underwriting purposes, to make clear that § 164.504(f)(1)(ii) would not allow a disclosure of PHI that is otherwise prohibited by § 164.502(a)(3).

Section 164.506—Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations

Section 164.506(a) of the Privacy Rule sets out the uses and disclosures a HIPAA covered entity is permitted to make to carry out treatment, payment, or health care operations. In light of the fact that the proposed definition of “underwriting purposes” encompasses activities that fall both within the definitions of “payment” and “health care operations” under the Privacy Rule, the Department proposes to add a cross-reference in § 164.506(a) to the new prohibition at proposed § 164.502(a)(3) on health plans using and disclosing PHI that is genetic information for underwriting purposes. This cross-reference is intended to make clear that § 164.506 of the Privacy Rule would not permit health plans to use or disclose an individual's PHI that is genetic information for underwriting, even though such a use or disclosure is considered payment or health care operations.

Section 164.514(g)—Uses and Disclosures for Activities Relating to the Creation, Renewal, or Replacement of a Contract of Health Insurance or Health Benefit

Section 164.514(g) of the Privacy Rule prohibits a health plan that receives PHI for underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract for health insurance or health benefits, from using or disclosing such PHI for any other purpose (except as required by law) if the health insurance or health benefits are not placed with the health plan. The Department proposes conforming amendments to this provision to: (1) Remove the term “underwriting” to avoid confusion given the new definition of “underwriting purposes” in the proposed rule, which encompasses the activities described above; and (2) make clear that a health plan that receives PHI that is genetic information for the above purposes is not permitted to use or disclose such information, in accordance with proposed § 164.502(a)(3). Note that the removal of the term “underwriting” from this provision is not intended as a substantive change to the scope of the provision.

Section 164.520—Notice of Privacy Practices for Protected Health Information

Section 164.520 of the Privacy Rule sets out the requirements for most covered entities to have and distribute a Notice of Privacy Practices (NPP), which describes the uses and disclosures of PHI a covered entity is permitted to make, the covered entity's legal duties to protect PHI, and the individual's rights with respect to PHI. With respect to the description of permitted uses and disclosures, § 164.520(b)(1)(iii) requires a covered entity to include separate statements if the covered entity intends to use or disclose PHI for certain treatment, payment, or health care operations activities, such as fundraising. The purpose of these statements is to put individuals on notice of certain uses and disclosures a covered entity may make as part of treatment, payment, or health care operations that may not otherwise be apparent in the NPP since the Privacy Rule does not require the listing of every permitted use or disclosure that may fall within treatment, payment, or health care operations. In a similar manner, the Department believes that individuals have a right to be specifically informed of the fact that health plans that intend to use or disclose their PHI for underwriting nonetheless may not use or disclose their genetic information for such purposes. Thus, the Department proposes to require health plans that use or disclose PHI for underwriting to include a statement in their NPP making clear that they are prohibited from using or disclosing PHI that is genetic information about an individual for such purposes. Without such a specific statement, individuals would not be aware of this restriction and the general statements regarding permitted uses and disclosures for treatment, payment, and health care operations in the NPP of a health plan that performs underwriting would not be accurate (i.e., the NPP would state that the health plan may use or disclose PHI for purposes of payment and health care operations, which would not be true with respect to genetic information when the use or disclosure is for underwriting purposes).

The proposed prohibition at § 164.502(a)(3) and the proposed requirement to explicitly include a statement regarding the prohibition represent a material change to the NPP of health plans that perform underwriting, and the Privacy Rule requires at § 164.520(c)(1)(i)(C) that plans provide notice to individuals covered by the plan within 60 days of any material revision to the NPP. The Department recognizes that revising and redistributing a NPP may be costly for health plans that perform underwriting and thus requests comment on ways to inform individuals of this change to privacy practices without unduly burdening health plans, particularly given there may be other material changes to the NPP due to the modifications to the Privacy Rule required by the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. In particular, the Department is considering a number of options in this area: (1) Replace the 60-day requirement with a requirement for health plans to revise their NPPs and redistribute them (or at least notify members of the material change to the NPP and how to obtain the revised NPP) in their next annual mailing to members after a material revision to the NPP, such as at the beginning of the plan year or during the open enrollment period; (2) provide a specified delay or extension of the 60-day timeframe for health plans that perform underwriting to implement and inform individuals of the underwriting prohibition; (3) retain the provision generally to require health plans to provide notice within 60 days of a material revision but provide that the Secretary will waive the 60-day timeframe in cases where the timing or substance of modifications to the Privacy Rule call for such a waiver; or (4) make no change and thus, require that health plans that perform underwriting provide notice to individuals within 60 days of the material change to the NPP that would be required by this proposed rule. The Department requests comment on these options, as well as any other options for informing individuals in a timely manner of this proposed or other material changes to the NPP.

The Department also notes that the obligation to revise the NPP for the reasons described above would fall only on health plans that intend to use or disclose PHI for activities that constitute “underwriting purposes” as defined in this proposed rule at § 164.501. Thus, health care providers, as well as health plans that do not perform underwriting, would not be required to revise their NPPs.

III. Impact Statement and Other Required Analyses

Executive Order 12866

Executive Order 12866 (58 FR 51735, October 4, 1993) directs agencies to determine whether a regulatory action is “significant” and, therefore, subject to review by the Office of Management and Budget and the requirements of the Executive Order. Executive Order 12866, in section 3(f), defines “significant regulatory action” as one that is likely to result in a rule that may:

(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities;

(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency;

(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or

(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

Executive Order 12866 requires a full economic impact analysis only for “economically significant” rules under section 3(f)(1).

The Department has determined that this proposed rule is a “significant regulatory action” within the meaning of section 3(f)(4) of Executive Order 12866, because this action raises novel policy issues arising out of legal mandates. However, for the reasons discussed below, the Department has determined that the impact of this proposed regulation is not such that it would reach the economically-significant threshold under section 3(f)(1) of the Executive Order. Therefore, a detailed cost-benefit assessment of the proposed rule is not required.

The proposed rule would prohibit health plans that are HIPAA covered entities from using or disclosing an individual's PHI that is genetic information for underwriting purposes. Health plans that do not currently use or disclose PHI for underwriting purposes would not be affected at all by the proposed rule. Further, even with respect to health plans that perform underwriting, plans and issuers in the group market have commented to the Department that they do not currently use genetic information for underwriting purposes because pre-GINA laws and regulations prohibit them from discriminating against individuals based on any health status-related factors, including genetic information. [3] With respect to issuers in the individual market, the Department acknowledges that there may be more significant policy changes associated with the proposed prohibition on using or disclosing PHI that is genetic information for underwriting purposes. However, the Department does not have sufficient information at this time to determine the extent of such changes, that is, to what extent issuers in the individual market use genetic information for underwriting purposes, and thus, requests comment in this area. In the case of either the individual or group market, however, the Department assumes, because a prohibited use or disclosure of genetic information for underwriting purposes is also a discriminatory use of such information under the nondiscrimination provisions of GINA Title I and its implementing regulations, that there would not be costs associated with conforming a plan's practices to comply with the prohibition proposed at § 164.502(a)(3) that are above and beyond the costs associated with complying with the regulations implementing sections 101-103 of GINA. With respect to the health plans not covered by GINA but subject to the proposed prohibition in the Privacy Rule, the Department also assumes that the costs to comply will be minimal because such plans either: (1) Do not perform underwriting, as is the case generally with public benefit plans; or (2) perform underwriting but do not in most cases use genetic information (including family medical history) for such purposes. The Department requests comment on its assumptions.

However, because these modifications would require a change to the privacy practices of health plans that perform underwriting, health plans that use or disclose PHI for underwriting purposes would be required to undertake a number of actions to comply with existing Privacy Rule requirements. First, these health plans would be required to change their policies and procedures as necessary to comply with the proposed changes to the Privacy Rule. See 45 CFR 164.530(i)(2). Second, health plans that use or disclose PHI for underwriting purposes would be required to train workforce members whose functions are affected by the change to the health plan's policies and procedures, within a reasonable period of time after the material change becomes effective, and to document the training. See 45 CFR 164.530(b)(2)(i)(C) and (ii). Finally, the affected health plans would be required to revise their NPPs to reflect the change in the law and to provide notice of the revision to individuals covered by the plan within 60 days of the change. See 45 CFR 164.520(c)(1)(i)(C).

The Department estimates that approximately 630 insurers are affected by GINA, consisting of approximately 460 insurers offering coverage in connection with insured group health plans and approximately 490 health insurance issuers offering policies in the individual health insurance market. [4] These insurers would be required to revise their privacy policies and procedures and train affected workforce members with respect to the proposed prohibition on using or disclosing PHI that is genetic information for underwriting purposes. However, given that a prohibited use or disclosure of genetic information for underwriting purposes would also be a discriminatory use of such information under the nondiscrimination provisions of GINA Title I and its implementing regulations, the Department expects the costs associated with conforming a plan's HIPAA policies and procedures and to conduct training to be a small addition to the costs otherwise associated with updating policies and procedures and developing and conducting the training needed to comply with the regulations implementing sections 101-103 of GINA. Accordingly, the Department estimates that these plans would need to spend an additional one hour of a legal professional's time at an hourly labor rate of $116 [5] to revise the plan's privacy policies and procedures and to ensure the HIPAA Privacy Rule's prohibition is appropriately incorporated into training materials. This results in an estimated cost of $73,000. With respect to the health plans not covered by GINA but subject to the proposed prohibition in the Privacy Rule, the Department does not have sufficient information at this time to determine how many of such plans perform underwriting and are not otherwise part of an issuer that already would be obligated to update policies and procedures and train staff on these new provisions. Thus, the Department requests comment in this area.

We calculate the total cost of revising and distributing notices of privacy practices as $83.4 million. This is based on three components: (1) The cost of printing and mailing the notice; (2) the cost of time associated with distributing the notice; and (3) the cost of time associated with revising the notice.

1. Based on the U.S. Census Bureau's Current Population Survey for 2007, there were 92.3 million participants in employer-based health policies, and 18.9 million policyholders of non-employment related health insurance policies, leading to a total of 111.2 million policies. [6] We use data for participants and policyholders, rather than persons covered, since plans are only expected to provide notice to the named insured. See 45 CFR 164.520(c)(1)(iii). We limit our analysis to private insurance, rather than all insurance, because it is our understanding that Medicare, Medicaid, and military health care programs do not use or disclose PHI for underwriting purposes, and, therefore, will not need to change their notices. Our total number of participants and policyholders is limited to comprehensive health insurance plans; we do not have data on the number of other types of plans, such as long-term care insurance, and invite comment on this issue. Based on our data on the total number of private health insurance participants and policyholders, we expect that health plans will need to print and distribute approximately 111.2 million notices. As with the December 2000 preamble to the Privacy Rule, we are estimating that the printing cost for each notice is $0.05. [7] Accordingly, the cost for printing will be approximately $5.6 million. The cost for postage will be approximately $0.44 per notice (although the actual cost may be less, due to bulk mail discounts), resulting in a postage cost of approximately $48.9 million. The total for printing and postage is $54.5 million.

2. We estimate the time to distribute notices to be 100 per hour. For 111.2 million notices, this results in approximately 1,120,000 burden-hours related to distributing the notice. At an hourly labor rate of $26 for a clerical staff's time, [8] this leads to an additional cost of $28.9 million.

3. We estimate that it will take 0.5 hours of a legal professional's time to revise the notice to reflect that the health plan may not use or disclose genetic information for underwriting purposes. As referenced above, we estimate that there are 630 plans affected by GINA. This results in 315 burden-hours related to revising the notice. The wage for a legal professional's time is $116 per hour. This leads to an additional cost of $37,000. We do not have data on the number of additional plans that would be required to change the notice because they are subject to the Privacy Rule's prohibition but not otherwise subject to GINA. As noted above, the Department requests comment in this area.

Thus, the Department estimates the total cost to be incurred to implement these provisions, based on currently available information, would be $83.5 million. These costs represent costs to be incurred as one-time, first year implementation costs.

Regulatory Flexibility Analysis

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) (RFA) imposes certain requirements with respect to federal rules that are subject to the notice and comment rulemaking requirements of section 553(b) of the Administrative Procedure Act (5 U.S.C. 551 et seq.) and that are likely to have a significant economic impact on a substantial number of small entities.

As indicated above, plans and issuers in the group market have indicated that the immediate impact of GINA and the rules on both large and small group health plans and health insurance issuers should be minimal. Plans and issuers commented that they do not currently use genetic information for underwriting purposes because pre-GINA laws and regulations prohibit them from discriminating against individuals based on any health status-related factors, including genetic information. Further, while there may be more significant policy changes associated with compliance by issuers in the individual market, in the case of either the individual or group market, the Department assumes that there would not be costs associated with conforming a plan's practices to comply with the proposed prohibition in this proposed rule on using or disclosing genetic information for underwriting purposes that are above and beyond the costs associated with complying with the regulations implementing sections 101-103 of GINA. In addition, as explained above for health plans not subject to the regulations implementing sections 101-103 of GINA but subject to this proposed rule, the Department assumes the costs to comply will be minimal because such plans either do not perform underwriting or do not use genetic information for underwriting.

Despite the above, health insurers in both the group and individual health insurance markets would have to incur some cost to comply with this proposed rule. In particular, such plans would have to update their policies and procedures to comply with the proposed changes to the Privacy Rule; train workforce members whose functions are affected by the change to the policies and procedures; and revise and redistribute their NPPs to reflect the change in the law. For this purpose, using the Small Business Administration's definition of a small insurer as a business with less than $7 million in revenues, premiums earned as a measure of revenue, [9] and data obtained from the National Association of Insurance Commissioners, [10] the Department estimates that approximately 75 out of 630 insurers had revenues of less than $7 million, and, of these, about 25 had revenues of less than $1 million. [11]

However, as discussed above, for all plans, the Department expects the costs associated with conforming a plan's HIPAA policies and procedures and to conduct training to be a small addition to the costs otherwise associated with updating policies and procedures and developing and conducting the training needed to comply with the regulations implementing sections 101-103 of GINA. Accordingly, the Department estimates that each insurer on average would spend only an additional one hour of a legal professional's time at an hourly labor rate of $116 [12] to revise the plan's privacy policies and procedures and to ensure the HIPAA Privacy Rule's prohibition is appropriately incorporated into training materials. Further, with respect to revising the NPP, we estimate that it will take 0.5 hours of a legal professional's time, at the same $116 an hour, to make the necessary changes, which results in an additional cost of $58 per plan.

With respect to redistributing the revised NPP to the named insured, as described above, we estimate the cost of distributing each notice to be approximately $0.49 for printing and postage and about $0.26 for labor associated with the distribution (100 notices per hour at an hourly labor rate of $26 for a clerical staff's time [13]). However, because we expect smaller plans to have fewer participants and policyholders to whom the plans would need to send the NPP, we do not expect the costs of providing the revised NPP to fall disproportionately on small insurers.

Thus, for the reasons stated above, it is not expected that the cost of compliance would be significant for small health plans. Nor is it expected that the cost of compliance would fall disproportionately on small health plans. Therefore, the Secretary certifies that this proposed rule would not have a significant economic impact on a substantial number of small entities. The Department invites public comments on its certification.

Paperwork Reduction Act

This proposed rule contains information collections that are subject to review by OMB under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3520). Per section 3507(d) of the PRA, we have submitted these information collections to OMB for review. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;

2. The accuracy of the agency's estimate of the information collection burden;

3. The quality, utility, and clarity of the information to be collected; and

4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. We explicitly seek, and will consider, public comment on our assumptions as they relate to the PRA requirements summarized in this section. To comment on this collection of information or to obtain copies of the supporting statement and any related forms for the proposed paperwork collections referenced above, e-mail your comment or request, including your address and phone number to sherette.funncoleman@hhs.gov, or call the Reports Clearance Office on (202) 690-6162. In making your request and submitting comments, please reference this rule and OMB Control Number 0990-0294. Written comments and recommendations for the proposed information collections must be directed to the OS Paperwork Clearance Officer at the above e-mail address within 60 days.

Abstract

Section 105 of GINA amends Part C of Title XI of the Social Security Act by adding section 1180 to address the application of the HIPAA Privacy Rule to genetic information. Section 1180 requires the Secretary of HHS to revise the HIPAA Privacy Rule to clarify that genetic information is health information and to prohibit health plans from using or disclosing genetic information for underwriting purposes. In this notice of proposed rulemaking, we propose to implement the modifications required by GINA section 105, and seek public comment on its proposal. The proposed prohibition at § 164.502(a)(3) and the proposed requirement at § 164.520(b)(1)(iii) to explicitly include a statement regarding the prohibition represent a material change to the Notice of Privacy Practices (NPP) of health plans that perform underwriting. As such, pursuant to § 164.520(c)(1)(i)(C), affected health plans would be required to revise their NPP to reflect the change in the law and to provide notice of the revision to individuals covered by the plan within 60 days of the change.

The estimated annualized burden table below was developed using the same estimates and workload assumptions in the impact statement in the section regarding Executive Order 12866, above.

Estimated Annualized Burden Table

Estimated Annualized Burden Hours

| Section | Type of respondent | Number of respondents | Number of responses per respondent | Average burden hours per response | Total burden hours |
|---|---|---|---|---|---|
| 164.520 | Revision of Notice of Privacy Practices for Protected Health Information (health plans) | 630 | 1 | 30/60 | 315 |
| 164.520 | Dissemination of Notice of Privacy Practices for Protected Health Information (health plans) | 111,200,000 | 1 | 1 per 100 | 1,112,000 |
| Total | | | | | 1,112,315 |

Unfunded Mandates

Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditures by State, local, or tribal governments, in the aggregate, or by the private sector, of $133 million in a single year after adjusting for inflation from 1995. For the reasons discussed above, this proposed rule would not impose a burden large enough to require a section 202 statement under the Unfunded Mandates Reform Act of 1995.

Environmental Impact

The Department has determined under 21 CFR 25.30(k) that this action is of a type that would not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

Executive Order 13132: Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The Federalism implications of the Privacy Rule were assessed as required by Executive Order 13132 and published in the Privacy Rule of December 28, 2000 (65 FR 82462, 82797). The Department believes that these proposed modifications to the Privacy Rule would not significantly affect the rights, roles, and responsibilities of States.

List of Subjects

45 CFR Part 160

45 CFR Part 164

For the reasons set forth in the preamble, the Department proposes to amend 45 CFR subtitle A, subchapter C, parts 160 and 164, as follows:

begin regulatory text

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 160 is revised to read as follows:

Authority:

42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-9, sec. 264 of Public Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 U.S.C. 552; and secs. 13400 and 13402, Public Law 111-5, 123 Stat. 258-263.

2. Revise § 160.101 to read as follows:

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171 through 1180 of the Social Security Act (the Act), as added by sections 262 and 264 of Public Law 104-191 and section 105 of Public Law 110-233, and section 13402 of Public Law 111-5.

3. In § 160.103, add in alphabetical order definitions of “Family member,” “Genetic information,” “Genetic services,” “Genetic test,” and “Manifestation or manifested,” and revise the introductory text of the definition of “Health information” and paragraphs (1)(vi) through (xi), and (xv) of the definition of “Health plan” as follows:

§ 160.103 Definitions.

* * * * *

Family member means, with respect to an individual:

(1) A dependent (as such term is defined in 45 CFR 144.103), of the individual; or

(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).

(i) First-degree relatives include parents, spouses, siblings, and children.

(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.

(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.

(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Genetic information means:

(1) Subject to paragraphs (2) and (3) of this definition, with respect to any individual, information about:

(i) Such individual's genetic tests;

(ii) The genetic tests of family members of the individual;

(iii) The manifestation of a disease or disorder in family members of such individual; or

(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or any family member of such individual.

(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:

(i) A fetus carried by the individual or family member who is a pregnant woman; and

(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.

(3) Genetic information excludes information about the sex or age of any individual.

Genetic services means:

(1) A genetic test;

(2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or

(3) Genetic education.

Genetic test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.

* * * * *

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: * * *

* * * * *

Health plan means * * *

(1) * * *

(vi) The Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Act, 42 U.S.C. 1395w-101 through 1395w-152.

(vii) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(viii) An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.

(ix) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(x) The health care program for uniformed services under title 10 of the United States Code.

(xi) The veterans health care program under 38 U.S.C. chapter 17.

* * * * *

(xv) The Medicare Advantage program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.

* * * * *

Manifestation or manifested means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.

* * * * *

PART 164—SECURITY AND PRIVACY

4. The authority citation for part 164 is revised to read as follows:

Authority:

42 U.S.C. 1320d-1320d-9; sec. 264, Public Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); secs. 13400 and 13402, Public Law No. 111-5, 123 Stat. 258-263.

5. In § 164.501, revise paragraph (3) of the definition of “Health care operations” and paragraph (1)(i) of the definition of “Payment,” and to add in alphabetical order a definition of “Underwriting purposes” to read as follows:

§ 164.501 Definitions.

* * * * *

Health care operations means * * *

(3) Enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

* * * * *

Payment means:

(1) * * *

(i) Except as prohibited under § 164.502(a)(3), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

* * * * *

Underwriting purposes means, with respect to a health plan:

(1) Except as provided in paragraph (2) of this definition:

(i) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(ii) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(iii) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and

(iv) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

(2) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

* * * * *

6. In § 164.502, revise paragraph (a)(1)(iv) and add paragraph (a)(3) to read as follows:

§ 164.502 Uses and disclosures of protected health information: General rules.

(a) * * *

(1) * * *

(iv) Except for uses and disclosures prohibited under § 164.502(a)(3), pursuant to and in compliance with a valid authorization under § 164.508;

* * * * *

(3) Prohibited uses and disclosures. Notwithstanding any other provision of this subpart, a health plan shall not use or disclose protected health information that is genetic information for underwriting purposes.

* * * * *

7. In § 164.504, revise the introductory text of paragraph (f)(1)(ii) to read as follows:

§ 164.504 Uses and disclosures: Organizational requirements.

* * * * *

(f)(1) * * *

(ii) Except as prohibited by § 164.502(a)(3), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for purposes of:

* * * * *

8. In § 164.506, revise paragraph (a) to read as follows:

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) or (3) or that are prohibited under § 164.502(a)(3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.

* * * * *

9. In § 164.514, revise paragraph (g) to read as follows:

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

* * * * *

(g) Standard: Uses and disclosures for activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits. If a health plan receives protected health information for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at § 164.502(a)(3) with respect to genetic information included in the protected health information.

* * * * *

10. In § 164.520, add a new paragraph (b)(1)(iii)(D) to read as follows:

§ 164.520 Notice of privacy practices for protected health information.

* * * * *

(b) * * *

(1) * * *

(iii) * * *

(D) If a covered entity that is a health plan intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.

Dated: June 5, 2009.

Kathleen Sebelius,

Secretary.

end regulatory text

[FR Doc. E9-22492 Filed 10-1-09; 11:15 am]

BILLING CODE 4153-01-P

Footnotes

1. The Departments of Labor (Employee Benefits Security Administration), Treasury (Internal Revenue Service), and HHS (Centers for Medicare & Medicaid Services (CMS)) have issued regulations in a separate rulemaking to implement sections 101-103 of GINA, which amended: section 702(b) of the Employee Retirement Income Security Act of 1974 (29 U.S.C. 1182(b)); section 2702(b) of the Public Health Service Act (42 U.S.C. 300gg-1(b)); and subsection (b) of section 9802 of the Internal Revenue Code of 1986. Section 104 of GINA applies to Medigap issuers, which are subject to the provisions of section 1882 of the Social Security Act that are implemented by CMS, and which incorporate by reference certain provisions in a model regulation of the National Association of Insurance Commissioners (NAIC). The NAIC amended its model regulation on September 24, 2008, to conform to section 104 of GINA, and the amended regulation was published by CMS in the Federal Register on April 24, 2009 at 74 FR 18808. With respect to Title II of GINA, the EEOC issued a notice of proposed rulemaking on March 2, 2009, at 74 FR 9056.

2. Any reference in this section of the preamble to GINA is a reference to Title I of GINA, except as otherwise indicated.

3. See e.g., Comments from BlueCross BlueShield Association, pg. 3 (http://www.dol.gov/ebsa/pdf/cmt-12190808.pdf) and Society for Human Resource Management, pg. 2 (http://www.dol.gov/ebsa/pdf/cmt-12190813.pdf) in response to Request for Information issued by HHS, the Department of Labor, and Treasury/IRS on October 10, 2008, at 73 FR 70208.

4. Estimates are from 2007 NAIC financial statements data and the California Department of Managed Healthcare. Because most self-insured plans hire third-party administrators—insurance companies in most cases—to administer and provide guidance regarding underwriting the plans, we assume that the impact on self-insured plans is addressed in this discussion about the impact of the rule on insurers. We request comment on this assumption.

5. Based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

6. Current Population Survey, March Supplement, March 2008, using HI and PRIV variables.

7. 65 FR 82,770 (Dec. 28, 2000).

8. Based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

9. U.S. Small Business Administration, “Table of Small Business Standards Matched to North American Industry Classification System Codes,” available at http://www.sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.

10. NAIC 2007 financial statements data.

11. These counts could be an overestimate. Only health insurance premiums from both the group and individual market were counted. If insurers also offered other types of insurance, their revenues could be higher.

12. The Department's estimates are based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).

13. Based on the National Occupational Employment Survey (May 2007, Bureau of Labor Statistics) and the Employment Cost Index (June 2008, Bureau of Labor Statistics).
