[Federal Register Volume 74, Number 193 (Wednesday, October 7, 2009)]
[Proposed Rules]
[Pages 51698-51710]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-22492]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB54
HIPAA Administrative Simplification: Standards for Privacy of
Individually Identifiable Health Information
AGENCY: Office for Civil Rights, HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS) proposes to
modify certain provisions of the ``Standards for Privacy of
Individually Identifiable Health Information'' (Privacy Rule), issued
under the Health Insurance Portability and Accountability Act of 1996
(HIPAA). The purpose of these proposed modifications is to implement
section 105 of Title I of the Genetic Information Nondiscrimination Act
of 2008 (GINA) regarding the privacy and confidentiality of genetic
information, as well as to make certain other changes to the HIPAA
Privacy Rule.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than
December 7, 2009.
ADDRESSES: Written comments may be submitted through any of the methods
specified below. Please do not submit duplicate comments.
Federal eRulemaking Portal: You may submit electronic
comments at http://www.regulations.gov. Follow the instructions for
submitting electronic comments. Attachments should be in Microsoft
Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
Regular, Express, or Overnight Mail: You may mail written
comments (one original and two copies) to the following address only:
U.S. Department of Health and Human Services, Office for Civil Rights,
Attention: GINA NPRM (RIN 0991-AB54), Hubert H. Humphrey Building, Room
509F, 200 Independence Avenue, SW., Washington, DC 20201. Mailed
comments may be subject to delivery delays due to security procedures.
Please allow sufficient time for mailed comments to be timely received
in the event of delivery delays.
Hand Delivery or Courier: If you prefer, you may deliver
(by hand or courier) your written comments (one original and two
copies) to the following address only: Office for Civil Rights,
Attention: GINA NPRM (RIN 0991-AB54), Hubert H. Humphrey Building, Room
509F, 200 Independence Avenue, SW., Washington, DC 20201. (Because
access to the interior of the Hubert H. Humphrey Building is not
readily available to persons without federal government identification,
commenters are encouraged to leave their comments in the mail drop
slots located in the main lobby of the building.)
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. We will post all comments
received before the close of the comment period at http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
I. Background
The ``Standards for Privacy of Individually Identifiable Health
Information,'' or ``Privacy Rule'' was issued on December 28, 2000 (and
later amended in August 2002), pursuant to the Administrative
Simplification Provisions of Title II, Subtitle F, of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Public
Law 104-191. Subtitle F of Title II of HIPAA added a new Part C to
Title XI of the Social Security Act (sections 1171-1179 of the Act, 42
U.S.C. 1320d-1320d-8). The Privacy Rule is one of a suite of rules
required by the Administrative Simplification provisions of HIPAA, and
put in place the first national standards for the privacy protection of
certain individually identifiable health information (called
``protected health information'' or ``PHI''). The other HIPAA
Administrative Simplification Rules provide national standards for
electronic health care transactions and code sets, unique health
identifiers for employers and health care providers, and the security
of electronic PHI. The HIPAA Privacy and other Administrative
Simplification Rules currently apply to three types of covered
entities: health care providers who conduct covered health care
transactions electronically, health plans, and health care
clearinghouses.
The HIPAA Privacy Rule protects individuals' medical records and
other individually identifiable health information held by HIPAA
covered entities by, among other provisions, requiring appropriate
safeguards to protect the privacy of such information, and setting
limits and conditions on the uses and disclosures that may be made of
the information. The Privacy Rule also gives patients rights over their
PHI, including rights to examine and obtain a copy of their health
records, and to request corrections.
On May 21, 2008, President Bush signed into law the Genetic
Information Nondiscrimination Act of 2008 (``GINA''), Public Law
110-233, 122 Stat. 881. Congress enacted GINA to ``establish [ ] a national
and uniform basic standard [that] is necessary to fully protect the
public from discrimination and allay their concerns about the potential
for discrimination, thereby allowing individuals to take advantage of
genetic testing, technologies, research, and new therapies.'' GINA
section 2(5). To that end, GINA generally prohibits discrimination
based on an individual's genetic information with respect to both
health coverage and employment.
In particular, with respect to health coverage, Title I of GINA
generally prohibits discrimination in group premiums based on genetic
information, proscribes the use of genetic information as a basis for
determining eligibility or setting premiums in the individual and
Medicare supplemental policy (Medigap) insurance markets, and limits
the ability of group health plans, health insurance issuers, and
Medigap issuers to collect genetic information or to request or require
that individuals undergo genetic testing. Title II of GINA generally
prohibits use of genetic information in the employment context,
restricts acquisition of genetic information by employers and other
entities covered by Title II, and strictly limits such entities from
disclosing genetic information. The Departments of Labor (Employee
Benefits Security Administration), Treasury (Internal Revenue Service),
and HHS (Centers for Medicare & Medicaid Services) are responsible for
administering and enforcing the GINA Title I nondiscrimination
provisions, and the Equal Employment Opportunity Commission (EEOC) is
responsible for administering and enforcing the GINA Title II
nondiscrimination provisions.\1\
---------------------------------------------------------------------------
\1\ The Departments of Labor (Employee Benefits Security
Administration), Treasury (Internal Revenue Service), and HHS
(Centers for Medicare & Medicaid Services (CMS)) have issued
regulations in a separate rulemaking to implement sections 101-103
of GINA, which amended: section 702(b) of the Employee Retirement
Income Security Act of 1974 (29 U.S.C. 1182(b)); section 2702(b) of
the Public Health Service Act (42 U.S.C. 300gg-1(b)); and subsection
(b) of section 9802 of the Internal Revenue Code of 1986. Section
104 of GINA applies to Medigap issuers, which are subject to the
provisions of section 1882 of the Social Security Act that are
implemented by CMS, and which incorporate by reference certain
provisions in a model regulation of the National Association of
Insurance Commissioners (NAIC). The NAIC amended its model
regulation on September 24, 2008, to conform to section 104 of GINA,
and the amended regulation was published by CMS in the Federal
Register on April 24, 2009 at 74 FR 18808. With respect to Title II
of GINA, the EEOC issued a notice of proposed rulemaking on March 2,
2009, at 74 FR 9056.
---------------------------------------------------------------------------
In addition to these nondiscrimination provisions, Title I of GINA
contains certain new privacy protections for genetic information. In
particular, section 105 of GINA, entitled ``Privacy and
Confidentiality,'' amends Part C of Title XI of the Social Security Act
by adding section 1180 to address the application of the HIPAA Privacy
Rule to genetic information. Section 1180 requires the Secretary of HHS
to revise the Privacy Rule to clarify that genetic information is
health information and to prohibit group health plans, health insurance
issuers (including HMOs), and issuers of Medicare supplemental policies
from using or disclosing genetic information for underwriting purposes.
In this proposed rule, HHS is proposing to implement the
modifications required by GINA section 105, as well as to make certain
other modifications to the HIPAA Privacy Rule, and seeks public comment
on its proposal. In developing its proposal, HHS consulted with the
Departments of Labor and Treasury, as required by section 105(b)(1) of
GINA, to ensure, to the extent practicable, consistency across the
regulations. In addition, HHS coordinated with the EEOC in the
development of these regulations.
II. Description of Proposed Modifications
Overview and Scope
In accordance with section 105 of GINA \2\ and the Department's
general authority under sections 262 and 264 of HIPAA, the Department
proposes to modify the HIPAA Privacy Rule to: (1) Explicitly provide
that genetic information is health information for purposes of the
Rule; (2) prohibit health plans from using or disclosing protected
health information that is genetic information for underwriting
purposes; (3) revise the provisions relating to the Notice of Privacy
Practices for health plans that perform underwriting; (4) make a number
of conforming modifications to definitions and other provisions of the
Rule; and (5) make technical corrections to update the definition of
``health plan.''
---------------------------------------------------------------------------
\2\ Any reference in this section of the preamble to GINA is a
reference to Title I of GINA, except as otherwise indicated.
---------------------------------------------------------------------------
Section 105 of GINA requires HHS to modify the Privacy Rule to
prohibit ``a covered entity that is a group health plan, health
insurance issuer that issues health insurance coverage, or issuer of a
medicare [sic] supplemental policy'' from using or disclosing genetic
information for underwriting purposes. GINA section 105 provides that
the terms ``group health plan'' and ``health insurance coverage'' have
the meanings given such terms under section 2791 of the Public Health
Service Act (42 U.S.C. 300gg-91), and that the term ``medicare [sic]
supplemental policy'' has the meaning given such term in section
1882(g) of the Social Security Act. In addition, the term ``health
insurance issuer,'' as defined at 42 U.S.C. 300gg-91, includes a health
maintenance organization (HMO). These four types of health plans (i.e.,
group health plans, health insurance issuers, and health maintenance
organizations, as defined in the Public Health Service Act, as well as
issuers of Medicare supplemental policies), correspond to the types of
health plans listed at subparagraphs (i) through (iii) and (vi) of
paragraph (1) of the definition of ``health plan'' at Sec. 160.103 in
the HIPAA Privacy Rule.
In addition to these four categories of health plans, the HIPAA
Privacy Rule also applies to many other types of health plans,
including: (1) Long-term care policies (excluding nursing home
fixed-indemnity policies); (2) employee welfare benefit plans or other
arrangements that are established or maintained for the purpose of
offering or providing health benefits to the employees of two or more
employers (to the extent that they are not group health plans or health
insurance issuers); (3) high risk pools that are mechanisms established
under State law to provide health insurance coverage or comparable
coverage to eligible individuals; (4) certain public benefit programs,
such as Medicare Part A and B, Medicaid, the military and veterans
health care programs, the Indian Health Service program, and others; as
well as (5) any other individual or group plan, or combination of
individual or group plans that provides or pays for the cost of medical
care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C.
300gg-91(a)(2)). This last category includes, for example, certain ``excepted
benefits'' plans described at 42 U.S.C. 300gg-91(c)(2), such as limited
scope dental or vision benefits plans. See the definition of ``health
plan'' at Sec. 160.103.
The Department proposes to apply the prohibition in GINA on using
and disclosing protected health information that is genetic information
for underwriting to all health plans that are subject to the Privacy
Rule, rather than solely to the plans GINA explicitly requires be
subject to the prohibition. We believe that this interpretation is
consistent with both GINA and the Secretary's broad authority under
HIPAA.
Section 264 of HIPAA (42 U.S.C. 1320d-2 note) provides the
Secretary with authority to promulgate privacy standards that govern:
(1) The rights that an individual who is a subject of individually
identifiable health information should have.
(2) The procedures that should be established for the exercise of
such rights.
(3) The uses and disclosures of such information that should be
authorized or required.
Accordingly, the Secretary has wide latitude to promulgate privacy
standards that limit the use or disclosure of individually identifiable
health information, including genetic information. Furthermore, section
262 of HIPAA, codified at 42 U.S.C. 1320d-1, states that:
Any standard adopted under this part shall apply, in whole or in
part, to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction referred to in
section 1173(a)(1).
While other portions of HIPAA were limited to group health plans, see,
e.g., sections 101 and 102 of HIPAA, the Administrative Simplification
subtitle governs a substantially broader definition of ``health plan,''
42 U.S.C. 1320d, and instructs that ``any standard'' will apply to all
such health plans.
Based on this broad definition of ``health plan,'' the wide
latitude Congress provided to the Secretary to promulgate privacy
standards, and the charge that ``any standard'' should apply to all
health plans, we interpret that the HIPAA administrative simplification
provisions provide the Secretary with broad authority to craft privacy
standards that uniformly apply to all health plans, regardless of
whether such health plans are governed by other portions of the HIPAA
statute.
In GINA, Congress recognized a privacy interest on the part of
individuals, distinct from the nondiscrimination provisions, with
respect to the use or disclosure of individuals' genetic information in
health coverage decisions. At a minimum, GINA requires the Secretary to
apply this privacy interest to uses and disclosures of group health
plans, health insurance issuers that issue health insurance coverage,
and issuers of
Medicare supplemental policies. Apart from this required change to the
HIPAA Privacy Rule, however, nothing in GINA explicitly or implicitly
curtails the broad authority of the Secretary to promulgate privacy
standards for any and all health plans that are governed by the HIPAA
Administrative Simplification provisions.
Under the Privacy Rule, consistent with the HIPAA statutory text
discussed above, an individual's privacy interests and rights with
respect to the use and disclosure of PHI are protected uniformly
without regard to the type of health plan that holds the information.
Thus, under the Privacy Rule, individuals can expect and benefit from
privacy protections that do not diminish based on the type of health
plan from which they obtain health coverage.
Therefore, in keeping with a uniform privacy construct, and
pursuant to its authority under HIPAA sections 262 and 264, the
Department proposes to apply the prohibition on using or disclosing PHI
that is genetic information for underwriting purposes to all health
plans that are covered entities as defined by HIPAA section 262, and,
correspondingly, by the Privacy Rule. The Department believes that
individuals' interests in uniform protection under the Privacy Rule
against the use or disclosure of their genetic information for
underwriting purposes outweigh any adverse impact on health plans that
are not covered by GINA. This is particularly true since we do not
expect that all of the health plans subject to the Privacy Rule use or
disclose PHI that is genetic information for underwriting today (or
even conduct underwriting generally, in the case of some of the public
benefit plans).
Consistent with Sec. 160.104(c), the Department intends to require
health plans to comply with these modifications to the privacy
standards no later than 180 days from the effective date of such
modifications. Note that the Department does not propose to extend the
compliance date for small health plans as the Department believes 180
days is sufficient time for small health plans to come into compliance
with the proposed requirements.
With this overview and description of the scope of the proposed
rule as foundation, the following discussion describes the proposed
modifications to the Privacy Rule section by section. Those interested
in commenting on the proposed provisions can assist the Department by
preceding discussion of any particular provision in the comment with a
citation to the section of the proposed rule being discussed, or, if
submitting a comment relevant to the above discussion, with the term
``Scope.''
Section 160.103--Definitions
The Department is proposing to modify Sec. 160.103 to: (1)
Explicitly provide, as required by GINA, that the definition of
``health information'' encompasses ``genetic information''; (2) add a
number of terms used in GINA Title I for purposes of implementing
GINA's provisions; and (3) make certain technical corrections to update
the definition of ``health plan.'' We note that with respect to the
GINA terms, this proposed rule proposes to adopt definitions that are
generally consistent with the definitions of such terms promulgated in
the implementing regulations for sections 101-103 of GINA.
1. Health information. The Department has always maintained that
genetic information is health information protected by the Privacy Rule
to the extent such information is individually identifiable and held by
a covered entity (subject to the general exclusions from the definition
of ``protected health information''). Frequently Asked Question number
354, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/about/354.html, states:
Question: Does the HIPAA Privacy Rule protect genetic
information?
Answer: Yes, genetic information is health information protected
by the Privacy Rule. Like other health information, to be protected
it must meet the definition of protected health information: it must
be individually identifiable and maintained by a covered health care
provider, health plan, or health care clearinghouse. See 45 CFR
160.103.
Nevertheless, section 105 of GINA requires the Secretary to revise the
Privacy Rule to make clear that genetic information is health
information under the Rule. Accordingly, the Department proposes to
modify the definition of ``health information'' at Sec. 160.103 to
explicitly provide that such term includes genetic information. We
note, however, that as before, genetic information, while health
information, is only covered by the Privacy Rule to the extent that it
meets the definition of ``protected health information.'' That is, the
genetic information must be individually identifiable and maintained by
a HIPAA covered entity (or business associate of a covered entity) (and
not otherwise fall within one of the exceptions to the definition). See
the definition of ``protected health information'' at Sec. 160.103.
2. Genetic information. The term ``genetic information'' is a
defined term in GINA that establishes what information is protected by
the statute. GINA section 105 provides that the term ``genetic
information'' in section 105 shall have the same meaning given the term
in section 2791 of the Public Health Service Act (PHSA) (42 U.S.C.
300gg-91), as amended by GINA section 102. Section 102(a)(4) of GINA
defines ``genetic information'' to mean, with respect to any
individual, information about: (1) Such individual's genetic tests; (2)
the genetic tests of family members of such individual; and (3) the
manifestation of a disease or disorder in family members of such
individual (i.e., family medical history). GINA also provides that the
term ``genetic information'' includes, with respect to any individual,
any request for, or receipt of, genetic services, or participation in
clinical research which includes genetic services, by such individual
or family member of such individual; however, GINA excludes information
about the sex or age of any individual. The basic definition of
``genetic information'' in section 102(a)(4) of GINA (and that is to
apply for purposes of section 105) is also expanded by section
102(a)(3), which provides that any reference to genetic information
concerning an individual or family member in the PHSA shall include:
with respect to an individual or family member of an individual who is
a pregnant woman, the genetic information of any fetus carried by such
pregnant woman; and with respect to an individual or family member
utilizing an assisted reproductive technology, the genetic information
of any embryo legally held by the individual or family member. The
Department proposes to include this statutory definition of ``genetic
information'' in Sec. 160.103 without substantive change.
3. Genetic test. As indicated above, GINA provides that the term
``genetic information'' includes information about an individual's
genetic tests or the genetic tests of family members of such
individual. As with the term ``genetic information,'' GINA section 105
provides that the term ``genetic test'' shall have the same meaning as
the term has in section 2791 of the PHSA (42 U.S.C. 300gg-91), as
amended by section 102 of GINA. Section 102(a)(4) of GINA amends
section 2791 of the PHSA to define ``genetic test'' to mean ``an
analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that
detects genotypes, mutations, or chromosomal changes.'' GINA further
clarifies that the term ``genetic test'' does not include an analysis
of proteins or metabolites that does not detect genotypes, mutations,
or chromosomal changes, or that is directly related to a
manifested disease, disorder, or pathological condition that could
reasonably be detected by a health care professional with appropriate
training and expertise in the field of medicine involved.
Consistent with the statutory definition of ``genetic test,'' the
Department proposes to define ``genetic test'' at Sec. 160.103 as an
analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if
the analysis detects genotypes, mutations or chromosomal changes, and
to provide in the definition that ``genetic test'' does not include an
analysis of proteins or metabolites that is directly related to a
manifested disease, disorder, or pathological condition. The statute
does not define ``manifestation'' or ``manifested.'' Consequently, as
discussed below, the Department proposes to include a definition of
``manifestation or manifested.''
Under this proposed definition of ``genetic test,'' a test to
determine whether an individual has a gene variant associated with
breast cancer (such as the BRCA1 or BRCA2 variant) is a genetic test.
Similarly, a test to determine whether an individual has a genetic
variant associated with hereditary nonpolyposis colorectal cancer is a
genetic test. However, medical tests that analyze genetic material that
is not of human origin, such as tests that detect the presence of
viruses or bacteria in an individual, or tests that do not detect
genotypes, mutations, or chromosomal changes, are not genetic tests.
For example, an HIV test, complete blood count, cholesterol test, liver
function test, or test for the presence of alcohol or drugs is not a
genetic test.
4. Genetic services. GINA provides that the term ``genetic
information'' includes, with respect to any individual, any request
for, or receipt of, genetic services, or participation in clinical
research which includes genetic services, by such individual or any
family member of such individual. As with the definitions above,
section 105 of GINA provides that the term ``genetic services'' shall
have the meaning given such term in section 2791 of the PHSA (42 U.S.C.
300gg-91), as amended by section 102 of GINA. Section 102(a)(4) of GINA
defines ``genetic services'' to mean: (1) A genetic test; (2) genetic
counseling (including obtaining, interpreting, or assessing genetic
information); or (3) genetic education. Thus, the fact that an
individual or a family member of the individual requested or received a
genetic test, counseling, or education is information protected under
GINA.
Genetic counseling is a means for individuals to obtain information
and support about potential risks for genetic diseases and disorders.
Genetic education is also a means for individuals to obtain information
about potential risks for genetic diseases and disorders. The
Department proposes to add the statutory definition of ``genetic
services'' to Sec. 160.103 without substantive change.
5. Family Member. The term ``family member'' is used in the
definition of ``genetic information'' in GINA to indicate that an
individual's genetic information also includes information about the
genetic tests of the individual's family members, as well as family
medical history. GINA section 105 states that the term ``family
member'' shall have the meaning given such term in section 2791 of the
PHSA (42 U.S.C. 300gg-91), as amended by GINA section 102(a)(4), which
defines ``family member'' to mean, with respect to any individual: (1)
A dependent (as such term is used for purposes of section 2701(f)(2) of
the PHSA, 42 U.S.C. 300gg(f)(2)) of such individual; or (2) any other
individual who is a first-degree, second-degree, third-degree, or
fourth-degree relative of such individual or of a dependent of the
individual. Section 2701(f)(2) of the PHSA uses the term ``dependent''
to mean an individual who is eligible for coverage under the terms of a
group health plan because of a relationship to the participant.
The Department proposes to incorporate the statutory definition of
``family member'' into Sec. 160.103 but also to clarify in the
regulatory text that relatives by affinity (such as by marriage or
adoption) are to be treated the same as relatives by consanguinity
(that is, relatives who share a common biological ancestor) and that,
in determining the degree of relationship, relatives by less than full
consanguinity (such as half-siblings, who share only one parent) are
treated the same as relatives by full consanguinity (such as siblings
who share both parents). This is consistent with the legislative
history of GINA, which suggests that the term ``family member'' is to
be broadly construed to provide the maximum protection against
discrimination. See House Report 110-28, Part 2 at 27. In addition, the
Department proposes to include in the regulatory definition,
non-exhaustive lists of persons who are first-, second-, third-, or
fourth-degree relatives. Finally, the Department proposes in the definition of
``family member'' to refer to the definition of ``dependent'' in the
implementing regulations at 45 CFR 144.103 rather than to the PHSA
directly. The Department invites public comment on this definition.
We also note that the term ``family member'' is not currently
defined in the Privacy Rule but is used in the Privacy Rule at Sec.
164.510(b), which provides the standard for uses and disclosures of an
individual's PHI to family members and other persons involved in the
individual's care and for notification purposes. It is not expected
that adding to the Privacy Rule the above broad definition of the term
``family member'' would impact the scope of these existing provisions,
particularly given the use in the provisions of the additional terms
``other relative,'' ``close personal friend,'' ``other person
identified by the individual,'' ``personal representative,'' and
``other person responsible for the care of the individual,'' which
would appear to capture any other person, as appropriate, who would not
qualify as a ``family member'' by the new definition.
In addition to the use of the term ``family member'' in the Privacy
Rule, the term ``family'' is used in three other instances in the Rule:
(1) In reference to the Family Educational Rights and Privacy Act in
the definition of ``protected health information'' at Sec. 160.103;
(2) in the definition and disclosure permission for psychotherapy notes
(at Sec. Sec. 164.501 and 164.508(a)(2)(B), respectively) where such
notes may be created based upon, and used to train within, a family
counseling session; and (3) in the disclosure permission at Sec.
164.512(k)(4) for medical suitability determinations by the Department
of State for circumstances where family accompany a Foreign Service
member abroad. It is also not expected that including a definition of
``family member'' in the Privacy Rule would impact these provisions, as
the scope of the term ``family'' in each occurrence is determined
independently of the Privacy Rule.
6. Manifestation or manifested. Although not separately defined by
GINA, the terms ``manifestation'' or ``manifested'' are used in GINA in
three important contexts. First, GINA uses the term ``manifestation''
to incorporate ``family medical history'' into the definition of
``genetic information'' by stating that ``genetic information''
includes, with respect to an individual, the manifestation of a disease
or disorder in family members of such individual. Second, GINA uses the
term ``manifested'' to exclude from the definition of ``genetic test''
those tests that analyze a physical malady rather
than genetic makeup by excluding from the definition analyses of
proteins or metabolites that are directly related to a manifested
disease, disorder, or pathological condition. Third, GINA uses the term
``manifestation'' to clarify that nothing in Title I of GINA should be
construed to limit the ability of a health plan to adjust premiums or
contribution amounts for a group health plan based on the manifestation
of a disease or disorder of an individual enrolled in the plan.
However, GINA provides that, in such case, the manifestation of a
disease or disorder in one individual cannot also be used as genetic
information about other group members and to further increase the
premium for the plan. Similarly, for the individual health insurance
market, GINA clarifies that a health plan is not prohibited from
establishing rules for eligibility for an individual to enroll in
coverage or from adjusting premium or contribution amounts for an
individual based on the manifestation of a disease or disorder in that
individual or in a family member of such individual where such family
member is covered under the individual's policy. However, the
manifestation of a disease or disorder in one individual cannot also be
used as genetic information about other individuals and to further
increase premiums or contribution amounts.
As noted above, GINA does not define the terms ``manifestation''
and ``manifested.'' However, based on the exceptions to the statutory
definition of ``genetic test,'' it is clear from the context of the
statute that a manifested disease or disorder is one ``that could
reasonably be detected by a health care professional with appropriate
training and expertise in the field of medicine involved.'' Thus, given
the importance of the term in the contexts described above, the
Department proposes to include in Sec. 160.103 a definition of
``manifestation or manifested'' to mean, with respect to a disease,
disorder, or pathological condition, that an individual has been or
could reasonably be diagnosed with the disease, disorder, or
pathological condition by a health care professional with appropriate
training and expertise in the field of medicine involved, and to
further provide that a disease, disorder, or pathological condition is
not manifested if the diagnosis is based principally on genetic
information.
Variants of genes associated with diseases have varying degrees of
predictive power for later development of the disease. In some cases,
an individual may have a genetic variant for a disease and yet never
develop the disease. In other cases, the presence of a genetic variant
means that the individual will eventually develop the disease.
Huntington's disease is an example of the latter case. However, an
individual may obtain a positive test that shows the genetic variant
for Huntington's disease decades before any clinical symptoms appear.
Under the above definition, the presence of a genetic variant alone
does not constitute the diagnosis of a disease even in cases where it
is certain that the individual possessing the genetic variant will
eventually develop the disease, such as the case with Huntington's
disease. For example, an individual may have a family member that has
been diagnosed with Huntington's disease and also have a genetic test
result that indicates the presence of the Huntington's disease gene
variant in the individual. However, when the individual is examined by
a neurologist (a physician with appropriate training and expertise for
diagnosing Huntington's disease) because the individual has begun to
suffer from occasional moodiness and disorientation (symptoms which are
associated with Huntington's disease), and the results of the
examination do not support a diagnosis of Huntington's disease, then
Huntington's disease is not manifested with respect to the individual.
In contrast, if the individual exhibits additional neurological and
behavioral symptoms, and the results of the examination support a
diagnosis of Huntington's disease by the neurologist, then Huntington's
disease is manifested with respect to the individual.
As another example, an individual has had several family members
with colon cancer, one of whom underwent genetic testing which detected
a mutation in the MSH2 gene associated with hereditary nonpolyposis
colorectal cancer (HNPCC). On the recommendation of his physician (a
health care professional with appropriate training and expertise in the
field of medicine involved), the individual undergoes a targeted
genetic test to look for the specific mutation found in the family
member of the individual to determine if the individual himself is at
increased risk for cancer. The genetic test shows that the individual
also carries the mutation but the individual's colonoscopy indicates no
signs of disease and the individual has no symptoms. Because the
individual has no signs or symptoms of colorectal cancer that could be
used by the individual's physician to diagnose the cancer, HNPCC is not
a manifested disease with respect to the individual. In contrast, if
the individual undergoes a colonoscopy or other medical tests that
indicate the presence of HNPCC, and the individual's physician makes a
diagnosis of HNPCC, HNPCC is a manifested disease with respect to the
individual.
If a health care professional with appropriate expertise makes a
diagnosis based on the symptoms of the patient, and uses genetic tests
to confirm the diagnosis, the disease will be considered manifested,
despite the use of genetic information. For example, if a neurologist
sees a patient with uncontrolled movements, a loss of intellectual
faculties, and emotional disturbances, and the neurologist suspects the
presence of Huntington's disease, the neurologist may confirm the
diagnosis with a genetic test. While genetic information is used as
part of the diagnosis, the genetic information is not the sole or
principal basis for the diagnosis, and, therefore, the Huntington's
disease would be considered a manifested disease of the patient.
7. Health plan. The Department proposes to make technical
corrections to update the definition of ``health plan'' by revising and
renumbering the definition to: Include specific reference to the
Voluntary Prescription Drug Benefit Program under Part D of title XVIII
of the Social Security Act, 42 U.S.C. 1395w-101 through 1395w-152;
remove the specific reference to the Civilian Health and Medical
Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C.
1072(4)), as this program is now part of the TRICARE health care
program under title 10 of the United States Code, and revise the
reference to the title 10 health care program accordingly to read more
generally ``health care program for the uniformed services'' rather
than ``health care program for active military personnel''; and reflect
that Part C of title XVIII of the Social Security Act, 42 U.S.C.
1395w-21 through 1395w-28, is now called the Medicare Advantage program.
Section 164.501--Definitions
The Department proposes to modify Sec. 164.501 to add a definition
of ``underwriting purposes'' and to make conforming changes to the
definitions of ``payment'' and ``health care operations.''
1. Underwriting Purposes. GINA section 105 provides that the term
``underwriting purposes'' means, with respect to a group health plan,
health insurance coverage, or Medicare supplemental policy: (A) Rules
for, or determination of, eligibility (including enrollment and
continued eligibility) for, or determination of, benefits under
[[Page 51703]]
the plan, coverage, or policy; (B) the computation of premium or
contribution amounts under the plan, coverage, or policy; (C) the
application of any pre-existing condition exclusion under the plan,
coverage, or policy; and (D) other activities related to the creation,
renewal, or replacement of a contract of health insurance or health
benefits.
The Department proposes to adopt the statutory definition, but also
to include certain clarifications for consistency with the regulations
promulgated pursuant to GINA sections 101 through 103. Specifically, we
include a parenthetical to explain that the rules for, or determination
of eligibility for, or determination of, benefits under the plan
include changes in deductibles or other cost-sharing mechanisms in
return for activities such as completing a health risk assessment or
participating in a wellness program. Similarly, we include a
parenthetical to make clear that the computation of premium or
contribution amounts under the plan, coverage, or policy includes
discounts, rebates, payments in kind, or other premium differential
mechanisms in return for activities such as completing a health risk
assessment or participating in a wellness program. Finally, we add a
provision to the definition to clarify that ``underwriting purposes''
does not include determinations of medical appropriateness where an
individual seeks a benefit under the plan, coverage, or policy. This
provision is intended to be consistent with the provisions in the
regulations promulgated pursuant to GINA sections 101 through 103 that
provide that determinations of medical appropriateness, where the
individual seeks a benefit under the plan, are not considered
``underwriting purposes.''
We also note that the specific types of activities included in the
GINA definition of ``underwriting purposes'' proposed above fall within
the definitions of ``health care operations'' and ``payment'' under the
Privacy Rule, and that the current definition of ``health care
operations'' also includes the term ``underwriting.'' Thus, to avoid
confusion, the Department proposes conforming changes to the
definitions of ``health care operations'' and ``payment,'' as discussed
below.
2. Health care operations. Paragraph (3) of the definition of
``health care operations'' in the Privacy Rule at Sec. 164.501
includes ``[u]nderwriting, premium rating, and other activities
relating to the creation, renewal or replacement of a contract of
health insurance or health benefits * * *.'' In order to avoid
confusion with the use of both ``underwriting'' and ``underwriting
purposes'' in the Privacy Rule, and in recognition of the fact that the
proposed definition of ``underwriting purposes'' includes activities
that fall within both the definitions of ``payment'' and ``health care
operations'' in the Rule, the Department proposes to remove the term
``underwriting'' from the definition of ``health care operations.'' At
the same time, we propose to add the term ``enrollment'' to the express
list of health care operations activities to make clear that the
removal of the term ``underwriting'' would not impact the use or
disclosure of PHI that is not genetic information for enrollment
purposes. We note that these proposed revisions are not intended to
constitute a substantive change to the definition of ``health care
operations.'' All uses and disclosures of PHI currently permitted for
any activities related to the creation, renewal, or replacement of a
contract of health insurance or health benefits under the definition of
``health care operations,'' including what would be considered
``underwriting'' as the term is used in the existing Rule, still would
be permitted under the revised definition, subject to the prohibition
on using or disclosing PHI that is genetic information at proposed
Sec. 164.502(a)(3). However, the Department requests public comment on
whether the removal of the term ``underwriting'' from the definition of
``health care operations'' could have unintended consequences.
3. Payment. The definition of ``payment'' in the Privacy Rule at
Sec. 164.501 includes activities, such as ``determinations of
eligibility or coverage'' by a health plan, some of which may also fall
within the proposed definition of ``underwriting purposes'' in the same
section. Thus, to avoid any implication that a health plan is permitted
to disclose PHI that is genetic information for ``payment'' purposes
that are otherwise prohibited by Sec. 164.502(a)(3) (i.e., that are
also underwriting purposes), the Department proposes to include a
cross-reference in the definition of ``payment'' at Sec. 164.501 to
the proposed prohibition at Sec. 164.502(a)(3) on health plans using
and disclosing genetic information for underwriting purposes to exclude
such activities from the ``payment'' definition.
In addition, the inclusion of a cross-reference in the definition
of ``payment'' to the new underwriting prohibition at Sec.
164.502(a)(3) is necessary to properly align the definition of
``payment'' in the Privacy Rule with the nondiscrimination provisions
of GINA Title I, and their implementing regulations. GINA provides a
rule of construction, in section 102(a)(2), which adds paragraph
2702(c)(3) of the Public Health Service Act, to make clear that health
plans are not prohibited from obtaining and using the results of a
genetic test in making determinations regarding payment, as such term
is defined by the HIPAA Privacy Rule. Thus, the proposed exception
would make clear that GINA's rule of construction regarding payment
does not allow a health plan to request the results of genetic tests
for activities that would otherwise constitute ``underwriting
purposes,'' such as for determinations of eligibility for benefits.
Section 164.502(a)--Uses and Disclosures of Protected Health
Information: General Rules
The proposed rule includes the new prohibition on health plans
using or disclosing PHI that is genetic information for underwriting
purposes at Sec. 164.502(a)(3), and makes clear that such provision
would operate notwithstanding the other provisions in the Rule
permitting uses and disclosures. We interpret section 105 of GINA as
requiring us to prohibit a health plan's use or disclosure of genetic
information for underwriting purposes, even if an individual has signed
an authorization for such purposes pursuant to Sec. 164.508. We thus
also propose a conforming change to Sec. 164.502(a)(1)(iv) to make
clear that an authorization could not be used to permit a use or
disclosure of genetic information for underwriting purposes.
Additionally, we note that this prohibition applies to all genetic
information from the compliance date of these modifications forward,
regardless of when or where the genetic information originated.
Consistent with the statute, however, this prohibition should not
be construed to limit the ability of a health plan to adjust premiums
or contribution amounts for a group health plan based on the
manifestation of a disease or disorder of an individual enrolled in the
plan, even though a health plan cannot use the manifestation of a
disease or disorder in one individual as genetic information about
other group members and to further increase the premium for the plan.
Similarly, for the individual health insurance market, a health plan is
not prohibited from establishing rules for eligibility for an
individual to enroll in coverage or from adjusting premium or
contribution amounts for an individual based on the manifestation of a
disease or disorder in that individual or in a family member of such
individual where such family member is covered under the individual's
policy,
[[Page 51704]]
even though the health plan cannot use the manifestation of a disease
or disorder in one individual as genetic information about other
individuals to further increase premiums or contribution amounts for
those other individuals.
As an example to demonstrate the proposed prohibition, if a health
insurance issuer, with respect to an employer-sponsored group health
plan, uses an individual's family medical history or the results of
genetic tests maintained in the group health plan's claims experience
information to adjust the plan's premium rate for the upcoming year,
the issuer would be using PHI that is genetic information for
underwriting purposes in violation of proposed Sec. 164.502(a)(3).
Similarly, if a group health plan uses family medical history provided
by an individual incidental to the collection of other information on a
health risk assessment to grant a premium reduction to the individual,
the group health plan would be using genetic information for
underwriting purposes in violation of Sec. 164.502(a)(3).
Also, note that the prohibition is limited to health plans. A
health care provider may use or disclose genetic information as it sees
fit for treatment of an individual. If a covered entity, such as an
HMO, acts as both a health plan and health care provider, the covered
entity may use genetic information for purposes of treatment, to
determine the medical appropriateness of a benefit, and as otherwise
permitted by the Privacy Rule, but may not use such genetic information
for underwriting purposes. Such covered entities, in particular, should
ensure that appropriate staff members are trained on the permissible
and impermissible uses of genetic information.
Section 164.504(f)(1)(ii)--Requirements for Group Health Plans
Section 164.504(f)(1)(ii) permits a group health plan, or health
insurance issuer or HMO with respect to the group health plan, to
disclose summary health information to the plan sponsor if the plan
sponsor requests the information for the purpose of obtaining premium
bids from health plans for providing health insurance coverage under
the group health plan, or for modifying, amending, or terminating the
group health plan. As this provision permits activities that constitute
``underwriting purposes,'' as defined by GINA and this proposed rule,
we add a cross-reference to the proposed Sec. 164.502(a)(3)
prohibition on the use or disclosure of genetic information for
underwriting purposes, to make clear that Sec. 164.504(f)(1)(ii) would
not allow a disclosure of PHI that is otherwise prohibited by Sec.
164.502(a)(3).
Section 164.506--Uses and Disclosures to Carry Out Treatment, Payment,
or Health Care Operations
Section 164.506(a) of the Privacy Rule sets out the uses and
disclosures a HIPAA covered entity is permitted to make to carry out
treatment, payment, or health care operations. In light of the fact
that the proposed definition of ``underwriting purposes'' encompasses
activities that fall both within the definitions of ``payment'' and
``health care operations'' under the Privacy Rule, the Department
proposes to add a cross-reference in Sec. 164.506(a) to the new
prohibition at proposed Sec. 164.502(a)(3) on health plans using and
disclosing PHI that is genetic information for underwriting purposes.
This cross-reference is intended to make clear that Sec. 164.506 of
the Privacy Rule would not permit health plans to use or disclose an
individual's PHI that is genetic information for underwriting, even
though such a use or disclosure is considered payment or health care
operations.
Section 164.514(g)--Uses and Disclosures for Activities Relating to the
Creation, Renewal, or Replacement of a Contract of Health Insurance or
Health Benefit
Section 164.514(g) of the Privacy Rule prohibits a health plan that
receives PHI for underwriting, premium rating, or other activities
relating to the creation, renewal, or replacement of a contract for
health insurance or health benefits, from using or disclosing such PHI
for any other purpose (except as required by law) if the health
insurance or health benefits are not placed with the health plan. The
Department proposes conforming amendments to this provision to: (1)
Remove the term ``underwriting'' to avoid confusion given the new
definition of ``underwriting purposes'' in the proposed rule, which
encompasses the activities described above; and (2) make clear that a
health plan that receives PHI that is genetic information for the above
purposes is not permitted to use or disclose such information, in
accordance with proposed Sec. 164.502(a)(3). Note that the removal of
the term ``underwriting'' from this provision is not intended as a
substantive change to the scope of the provision.
Section 164.520--Notice of Privacy Practices for Protected Health
Information
Section 164.520 of the Privacy Rule sets out the requirements for
most covered entities to have and distribute a Notice of Privacy
Practices (NPP), which describes the uses and disclosures of PHI a
covered entity is permitted to make, the covered entity's legal duties
to protect PHI, and the individual's rights with respect to PHI. With
respect to the description of permitted uses and disclosures, Sec.
164.520(b)(1)(iii) requires a covered entity to include separate
statements if the covered entity intends to use or disclose PHI for
certain treatment, payment, or health care operations activities, such
as fundraising. The purpose of these statements is to put individuals
on notice of certain uses and disclosures a covered entity may make as
part of treatment, payment, or health care operations that may not
otherwise be apparent in the NPP since the Privacy Rule does not
require the listing of every permitted use or disclosure that may fall
within treatment, payment, or health care operations. In a similar
manner, the Department believes that individuals have a right to be
specifically informed of the fact that health plans that intend to use
or disclose their PHI for underwriting nonetheless may not use or
disclose their genetic information for such purposes. Thus, the
Department proposes to require health plans that use or disclose PHI
for underwriting to include a statement in their NPP making clear that
they are prohibited from using or disclosing PHI that is genetic
information about an individual for such purposes. Without such a
specific statement, individuals would not be aware of this restriction
and the general statements regarding permitted uses and disclosures for
treatment, payment, and health care operations in the NPP of a health
plan that performs underwriting would not be accurate (i.e., the NPP
would state that the health plan may use or disclose PHI for purposes
of payment and health care operations, which would not be true with
respect to genetic information when the use or disclosure is for
underwriting purposes).
The proposed prohibition at Sec. 164.502(a)(3) and the proposed
requirement to explicitly include a statement regarding the prohibition
represent a material change to the NPP of health plans that perform
underwriting, and the Privacy Rule requires at Sec.
164.520(c)(1)(i)(C) that plans provide notice to individuals
[[Page 51705]]
covered by the plan within 60 days of any material revision to the NPP.
The Department recognizes that revising and redistributing a NPP may be
costly for health plans that perform underwriting and thus requests
comment on ways to inform individuals of this change to privacy
practices without unduly burdening health plans, particularly given
there may be other material changes to the NPP due to the modifications
to the Privacy Rule required by the provisions of the Health
Information Technology for Economic and Clinical Health (HITECH) Act,
enacted as part of the American Recovery and Reinvestment Act of 2009.
In particular, the Department is considering a number of options in
this area: (1) Replace the 60-day requirement with a requirement for
health plans to revise their NPPs and redistribute them (or at least
notify members of the material change to the NPP and how to obtain the
revised NPP) in their next annual mailing to members after a material
revision to the NPP, such as at the beginning of the plan year or
during the open enrollment period; (2) provide a specified delay or
extension of the 60-day timeframe for health plans that perform
underwriting to implement and inform individuals of the underwriting
prohibition; (3) retain the provision generally to require health plans
to provide notice within 60 days of a material revision but provide
that the Secretary will waive the 60-day timeframe in cases where the
timing or substance of modifications to the Privacy Rule calls for such
a waiver; or (4) make no change and thus, require that health plans
that perform underwriting provide notice to individuals within 60 days
of the material change to the NPP that would be required by this
proposed rule. The Department requests comment on these options, as
well as any other options for informing individuals in a timely manner
of this proposed or other material changes to the NPP.
The Department also notes that the obligation to revise the NPP for
the reasons described above would fall only on health plans that intend
to use or disclose PHI for activities that constitute ``underwriting
purposes'' as defined in this proposed rule at Sec. 164.501. Thus,
health care providers, as well as health plans that do not perform
underwriting, would not be required to revise their NPPs.
III. Impact Statement and Other Required Analyses
Executive Order 12866
Executive Order 12866 (58 FR 51735, October 4, 1993) directs
agencies to determine whether a regulatory action is ``significant''
and, therefore, subject to review by the Office of Management and
Budget and the requirements of the Executive Order. Executive Order
12866, in section 3(f), defines ``significant regulatory action'' as
one that is likely to result in a rule that may:
(1) Have an annual effect on the economy of $100 million or more or
adversely affect in a material way the economy, a sector of the
economy, productivity, competition, jobs, the environment, public
health or safety, or state, local, or tribal government or communities;
(2) Create a serious inconsistency or otherwise interfere with an
action taken or planned by another agency;
(3) Materially alter the budgetary impact of entitlements, grants,
user fees, or loan programs or the rights and obligations of recipients
thereof; or
(4) Raise novel legal or policy issues arising out of legal
mandates, the President's priorities, or the principles set forth in
the Executive Order.
Executive Order 12866 requires a full economic impact analysis only
for ``economically significant'' rules under section 3(f)(1).
The Department has determined that this proposed rule is a
``significant regulatory action'' within the meaning of section 3(f)(4)
of Executive Order 12866, because this action raises novel policy
issues arising out of legal mandates. However, for the reasons
discussed below, the Department has determined that the impact of this
proposed regulation is not such that it would reach the economically-
significant threshold under section 3(f)(1) of the Executive Order.
Therefore, a detailed cost-benefit assessment of the proposed rule is
not required.
The proposed rule would prohibit health plans that are HIPAA
covered entities from using or disclosing an individual's PHI that is
genetic information for underwriting purposes. Health plans that do not
currently use or disclose PHI for underwriting purposes would not be
affected at all by the proposed rule. Further, even with respect to
health plans that perform underwriting, plans and issuers in the group
market have commented to the Department that they do not currently use
genetic information for underwriting purposes because pre-GINA laws and
regulations prohibit them from discriminating against individuals based
on any health status-related factors, including genetic information.\3\
With respect to issuers in the individual market, the Department
acknowledges that there may be more significant policy changes
associated with the proposed prohibition on using or disclosing PHI
that is genetic information for underwriting purposes. However, the
Department does not have sufficient information at this time to
determine the extent of such changes, that is, to what extent issuers
in the individual market use genetic information for underwriting
purposes, and thus, requests comment in this area. In the case of
either the individual or group market, however, the Department assumes,
because a prohibited use or disclosure of genetic information for
underwriting purposes is also a discriminatory use of such information
under the nondiscrimination provisions of GINA Title I and its
implementing regulations, that there would not be costs associated with
conforming a plan's practices to comply with the prohibition proposed
at Sec. 164.502(a)(3) that are above and beyond the costs associated
with complying with the regulations implementing sections 101-103 of
GINA. With respect to the health plans not covered by GINA but subject
to the proposed prohibition in the Privacy Rule, the Department also
assumes that the costs to comply will be minimal because such plans
either: (1) Do not perform underwriting, as is the case generally with
public benefit plans; or (2) perform underwriting but do not in most
cases use genetic information (including family medical history) for
such purposes. The Department requests comment on its assumptions.
---------------------------------------------------------------------------
\3\ See, e.g., Comments from BlueCross BlueShield Association,
pg. 3 (http://www.dol.gov/ebsa/pdf/cmt-12190808.pdf) and Society for
Human Resource Management, pg. 2 (http://www.dol.gov/ebsa/pdf/cmt-12190813.pdf) in response to Request for Information issued by HHS,
the Department of Labor, and Treasury/IRS on October 10, 2008, at 73
FR 70208.
---------------------------------------------------------------------------
However, because these modifications would require a change to the
privacy practices of health plans that perform underwriting, health
plans that use or disclose PHI for underwriting purposes would be
required to undertake a number of actions to comply with existing
Privacy Rule requirements. First, these health plans would be required
to change their policies and procedures as necessary to comply with the
proposed changes to the Privacy Rule. See 45 CFR 164.530(i)(2). Second,
health plans that use or disclose PHI for underwriting purposes would
be required to train workforce members whose functions are affected by
the
[[Page 51706]]
change to the health plan's policies and procedures, within a
reasonable period of time after the material change becomes effective,
and to document the training. See 45 CFR 164.530(b)(2)(i)(C) and (ii).
Finally, the affected health plans would be required to revise their
NPPs to reflect the change in the law and to provide notice of the
revision to individuals covered by the plan within 60 days of the
change. See 45 CFR 164.520(c)(1)(i)(C).
The Department estimates that approximately 630 insurers are
affected by GINA, consisting of approximately 460 insurers offering
coverage in connection with insured group health plans and
approximately 490 health insurance issuers offering policies in the
individual health insurance market.\4\ These insurers would be required
to revise their privacy policies and procedures and train affected
workforce members with respect to the proposed prohibition on using or
disclosing PHI that is genetic information for underwriting purposes.
However, given that a prohibited use or disclosure of genetic
information for underwriting purposes would also be a discriminatory
use of such information under the nondiscrimination provisions of GINA
Title I and its implementing regulations, the Department expects the
costs associated with conforming a plan's HIPAA policies and procedures
and conducting training to be a small addition to the costs otherwise
associated with updating policies and procedures and developing and
conducting the training needed to comply with the regulations
implementing sections 101-103 of GINA. Accordingly, the Department
estimates that these plans would need to spend an additional one hour
of a legal professional's time at an hourly labor rate of $116 \5\ to
revise the plan's privacy policies and procedures and to ensure the
HIPAA Privacy Rule's prohibition is appropriately incorporated into
training materials. This results in an estimated cost of $73,000. With
respect to the health plans not covered by GINA but subject to the
proposed prohibition in the Privacy Rule, the Department does not have
sufficient information at this time to determine how many of such plans
perform underwriting and are not otherwise part of an issuer that
already would be obligated to update policies and procedures and train
staff on these new provisions. Thus, the Department requests comment in
this area.
---------------------------------------------------------------------------
\4\ Estimates are from 2007 NAIC financial statements data and
the California Department of Managed Healthcare. Because most self-
insured plans hire third-party administrators--insurance companies
in most cases--to administer and provide guidance regarding
underwriting the plans, we assume that the impact on self-insured
plans is addressed in this discussion about the impact of the rule
on insurers. We request comment on this assumption.
\5\ Based on the National Occupational Employment Survey (May
2007, Bureau of Labor Statistics) and the Employment Cost Index (June
2008, Bureau of Labor Statistics).
---------------------------------------------------------------------------
We calculate the total cost of revising and distributing notices of
privacy practices as $83.4 million. This is based on three components:
(1) The cost of printing and mailing the notice; (2) the cost of time
associated with distributing the notice; and (3) the cost of time
associated with revising the notice.
1. Based on the U.S. Census Bureau's Current Population Survey for
2007, there were 92.3 million participants in employer-based health
policies, and 18.9 million policyholders of non-employment related
health insurance policies, leading to a total of 111.2 million
policies.\6\ We use data for participants and policyholders, rather
than persons covered, since plans are only expected to provide notice
to the named insured. See 45 CFR 164.520(c)(1)(iii). We limit our
analysis to private insurance, rather than all insurance, because it is
our understanding that Medicare, Medicaid, and military health care
programs do not use or disclose PHI for underwriting purposes, and,
therefore, will not need to change their notices. Our total number of
participants and policyholders is limited to comprehensive health
insurance plans; we do not have data on the number of other types of
plans, such as long-term care insurance, and invite comment on this
issue. Based on our data on the total number of private health
insurance participants and policyholders, we expect that health plans
will need to print and distribute approximately 111.2 million notices.
As with the December 2000 preamble to the Privacy Rule, we are
estimating that the printing cost for each notice is $0.05.\7\
Accordingly, the cost for printing will be approximately $5.6 million.
The cost for postage will be approximately $0.44 per notice (although
the actual cost may be less, due to bulk mail discounts), resulting in
a postage cost of approximately $48.9 million. The total for printing
and postage is $54.5 million.
---------------------------------------------------------------------------
\6\ Current Population Survey, March Supplement, March 2008,
using HI and PRIV variables.
\7\ 65 FR 82,770 (Dec. 28, 2000).
---------------------------------------------------------------------------
2. We estimate that notices can be distributed at a rate of 100 per hour.
For 111.2 million notices, this results in approximately 1,120,000
burden-hours related to distributing the notice. At an hourly labor
rate of $26 for a clerical staff's time,\8\ this leads to an additional
cost of $28.9 million.
---------------------------------------------------------------------------
\8\ Based on the National Occupational Employment Survey (May
2007, Bureau of Labor Statistics) and the Employment Cost Index
(June 2008, Bureau of Labor Statistics).
---------------------------------------------------------------------------
3. We estimate that it will take 0.5 hours of a legal
professional's time to revise the notice to reflect that the health
plan may not use or disclose genetic information for underwriting
purposes. As referenced above, we estimate that there are 630 plans
affected by GINA. This results in 315 burden-hours related to revising
the notice. The wage for a legal professional's time is $116 per hour.
This leads to an additional cost of $37,000. We do not have data on the
number of additional plans that would be required to change the notice
because they are subject to the Privacy Rule's prohibition but not
otherwise subject to GINA. As noted above, the Department requests
comment in this area.
Thus, the Department estimates the total cost to be incurred to
implement these provisions, based on currently available information,
would be $83.5 million. These costs represent costs to be incurred as
one-time, first year implementation costs.
Regulatory Flexibility Analysis
The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) (RFA) imposes
certain requirements with respect to federal rules that are subject to
the notice and comment rulemaking requirements of section 553(b) of the
Administrative Procedure Act (5 U.S.C. 551 et seq.) and that are likely
to have a significant economic impact on a substantial number of small
entities.
As indicated above, plans and issuers in the group market have
indicated that the immediate impact of GINA and the rules on both large
and small group health plans and health insurance issuers should be
minimal. Plans and issuers commented that they do not currently use
genetic information for underwriting purposes because pre-GINA laws and
regulations prohibit them from discriminating against individuals based
on any health status-related factors, including genetic information.
Further, while there may be more significant policy changes associated
with compliance by issuers in the individual market, in the case of
either the individual or group market, the Department assumes that
there would not be costs associated with conforming a plan's practices
to comply with the proposed prohibition in this proposed rule on using
or disclosing genetic information for underwriting
[[Page 51707]]
purposes that are above and beyond the costs associated with complying
with the regulations implementing sections 101-103 of GINA. In
addition, as explained above for health plans not subject to the
regulations implementing sections 101-103 of GINA but subject to this
proposed rule, the Department assumes the costs to comply will be
minimal because such plans either do not perform underwriting or do not
use genetic information for underwriting.
Despite the above, health insurers in both the group and individual
health insurance markets would have to incur some cost to comply with
this proposed rule. In particular, such plans would have to update
their policies and procedures to comply with the proposed changes to
the Privacy Rule; train workforce members whose functions are affected
by the change to the policies and procedures; and revise and
redistribute their NPPs to reflect the change in the law. For this
purpose, using the Small Business Administration's definition of a
small insurer as a business with less than $7 million in revenues,
premiums earned as a measure of revenue,\9\ and data obtained from the
National Association of Insurance Commissioners,\10\ the Department
estimates that approximately 75 out of 630 insurers had revenues of
less than $7 million, and, of these, about 25 had revenues of less than
$1 million.\11\
---------------------------------------------------------------------------
\9\ U.S. Small Business Administration, ``Table of Small
Business Standards Matched to North American Industry Classification
System Codes,'' available at http://www.sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.
\10\ NAIC 2007 financial statements data.
\11\ These counts could be an overestimate. Only health
insurance premiums from both the group and individual market were
counted. If insurers also offered other types of insurance, their
revenues could be higher.
---------------------------------------------------------------------------
However, as discussed above, for all plans, the Department expects
the costs associated with conforming a plan's HIPAA policies and
procedures and conducting training to be a small addition to the costs
otherwise associated with updating policies and procedures and
developing and conducting the training needed to comply with the
regulations implementing sections 101-103 of GINA. Accordingly, the
Department estimates that each insurer on average would spend only an
additional one hour of a legal professional's time at an hourly labor
rate of $116 \12\ to revise the plan's privacy policies and procedures
and to ensure the HIPAA Privacy Rule's prohibition is appropriately
incorporated into training materials. Further, with respect to revising
the NPP, we estimate that it will take 0.5 hours of a legal
professional's time, at the same $116 an hour, to make the necessary
changes, which results in an additional cost of $58 per plan.
---------------------------------------------------------------------------
\12\ The Department's estimates are based on the National
Occupational Employment Survey (May 2007, Bureau of Labor
Statistics) and the Employment Cost Index (June 2008, Bureau of
Labor Statistics).
---------------------------------------------------------------------------
With respect to redistributing the revised NPP to the named
insured, as described above, we estimate the cost of distributing each
notice to be approximately $0.49 for printing and postage and about
$0.26 for labor associated with the distribution (100 notices per hour
at an hourly labor rate of $26 for a clerical staff's time \13\).
However, because we expect smaller plans to have fewer participants and
policyholders to whom the plans would need to send the NPP, we do not
expect the costs of providing the revised NPP to fall
disproportionately on small insurers.
---------------------------------------------------------------------------
\13\ Based on the National Occupational Employment Survey (May
2007, Bureau of Labor Statistics) and the Employment Cost Index
(June 2008, Bureau of Labor Statistics).
---------------------------------------------------------------------------
Thus, for the reasons stated above, it is not expected that the
cost of compliance would be significant for small health plans. Nor is
it expected that the cost of compliance would fall disproportionately
on small health plans. Therefore, the Secretary certifies that this
proposed rule would not have a significant economic impact on a
substantial number of small entities. The Department invites public
comments on its certification.
Paperwork Reduction Act
This proposed rule contains information collections that are
subject to review by OMB under the Paperwork Reduction Act of 1995
(PRA) (44 U.S.C. 3501-3520). Per section 3507(d) of the PRA, we have
submitted these information collections to OMB for review. In order to
fairly evaluate whether an information collection should be approved by
OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment
on the following issues:
1. Whether the information collection is necessary and useful to
carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information
collection burden;
3. The quality, utility, and clarity of the information to be
collected; and
4. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered. We explicitly seek, and will consider,
public comment on our assumptions as they relate to the PRA
requirements summarized in this section. To comment on this collection
of information or to obtain copies of the supporting statement and any
related forms for the proposed paperwork collections referenced above,
e-mail your comment or request, including your address and phone number
to [email protected], or call the Reports Clearance Office
on (202) 690-6162. In making your request and submitting comments,
please reference this rule and OMB Control Number 0990-0294. Written
comments and recommendations for the proposed information collections
must be directed to the OS Paperwork Clearance Officer at the above e-
mail address within 60 days.
Abstract
Section 105 of GINA amends Part C of Title XI of the Social
Security Act by adding section 1180 to address the application of the
HIPAA Privacy Rule to genetic information. Section 1180 requires the
Secretary of HHS to revise the HIPAA Privacy Rule to clarify that
genetic information is health information and to prohibit health plans
from using or disclosing genetic information for underwriting purposes.
In this notice of proposed rulemaking, we propose to implement the
modifications required by GINA section 105, and seek public comment on
this proposal. The proposed prohibition at Sec. 164.502(a)(3) and the
proposed requirement at Sec. 164.520(b)(1)(iii) to explicitly include
a statement regarding the prohibition represent a material change to
the Notice of Privacy Practices (NPP) of health plans that perform
underwriting. As such, pursuant to Sec. 164.520(c)(1)(i)(C), affected
health plans would be required to revise their NPP to reflect the
change in the law and to provide notice of the revision to individuals
covered by the plan within 60 days of the change.
The estimated annualized burden table below was developed using the
same estimates and workload assumptions in the impact statement in the
section regarding Executive Order 12866, above.
Estimated Annualized Burden Table
[[Page 51708]]
Estimated Annualized Burden Hours
--------------------------------------------------------------------------------------------------------------------------
Section    Type of respondent               Number of      Number of        Average burden     Total burden
                                            respondents    responses per    hours per          hours
                                                           respondent       response
--------------------------------------------------------------------------------------------------------------------------
164.520    Revision of Notice of Privacy    630            1                30/60              315
           Practices for Protected
           Health Information (health
           plans).
164.520    Dissemination of Notice of       111,200,000    1                1 per 100          1,112,000
           Privacy Practices for
           Protected Health Information
           (health plans).
--------------------------------------------------------------------------------------------------------------------------
Total                                                                                          1,112,315
--------------------------------------------------------------------------------------------------------------------------
Unfunded Mandates
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule that may result in expenditures by State, local, or
tribal governments, in the aggregate, or by the private sector, of $133
million in a single year after adjusting for inflation from 1995. For
the reasons discussed above, this proposed rule would not impose a
burden large enough to require a section 202 statement under the
Unfunded Mandates Reform Act of 1995.
Environmental Impact
The Department has determined under 21 CFR 25.30(k) that this
action is of a type that would not individually or cumulatively have a
significant effect on the human environment. Therefore, neither an
environmental assessment nor an environmental impact statement is
required.
Executive Order 13132: Federalism
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a rule that imposes substantial
direct requirement costs on State and local governments, preempts State
law, or otherwise has Federalism implications. The Federalism
implications of the Privacy Rule were assessed as required by Executive
Order 13132 and published in the Privacy Rule of December 28, 2000 (65
FR 82462, 82797). The Department believes that these proposed
modifications to the Privacy Rule would not significantly affect the
rights, roles, and responsibilities of States.
List of Subjects
45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Investigations, Medicaid, Medical research,
Medicare, Penalties, Privacy, Reporting and recordkeeping requirements,
Security.
45 CFR Part 164
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Medicaid, Medical research, Medicare,
Privacy, Reporting and recordkeeping requirements, Security.
For the reasons set forth in the preamble, the Department proposes
to amend 45 CFR subtitle A, subchapter C, parts 160 and 164, as
follows:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 is revised to read as
follows:
Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-9, sec. 264
of Public Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2
(note)); 5 U.S.C. 552; and secs. 13400 and 13402, Public Law 111-5,
123 Stat. 258-263.
2. Revise Sec. 160.101 to read as follows:
Sec. 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171 through
1180 of the Social Security Act (the Act), as added by sections 262 and
264 of Public Law 104-191 and section 105 of Public Law 110-233, and
section 13402 of Public Law 111-5.
3. In Sec. 160.103, add in alphabetical order definitions of
``Family member,'' ``Genetic information,'' ``Genetic services,''
``Genetic test,'' and ``Manifestation or manifested,'' and revise the
introductory text of the definition of ``Health information'' and
paragraphs (1)(vi) through (xi), and (xv) of the definition of ``Health
plan'' as follows:
Sec. 160.103 Definitions.
* * * * *
Family member means, with respect to an individual:
(1) A dependent (as such term is defined in 45 CFR 144.103), of the
individual; or
(2) Any other person who is a first-degree, second-degree, third-
degree, or fourth-degree relative of the individual or of a dependent
of the individual. Relatives by affinity (such as by marriage or
adoption) are treated the same as relatives by consanguinity (that is,
relatives who share a common biological ancestor). In determining the
degree of the relationship, relatives by less than full consanguinity
(such as half-siblings, who share only one parent) are treated the same
as relatives by full consanguinity (such as siblings who share both
parents).
(i) First-degree relatives include parents, spouses, siblings, and
children.
(ii) Second-degree relatives include grandparents, grandchildren,
aunts, uncles, nephews, and nieces.
(iii) Third-degree relatives include great-grandparents, great-
grandchildren, great aunts, great uncles, and first cousins.
(iv) Fourth-degree relatives include great-great grandparents,
great-great grandchildren, and children of first cousins.
Genetic information means:
(1) Subject to paragraphs (2) and (3) of this definition, with
respect to any individual, information about:
(i) Such individual's genetic tests;
(ii) The genetic tests of family members of the individual;
(iii) The manifestation of a disease or disorder in family members
of such individual; or
(iv) Any request for, or receipt of, genetic services, or
participation in clinical research which includes genetic services, by
such individual or any family member of such individual.
(2) Any reference in this subchapter to genetic information
concerning an individual or family member of an individual shall
include the genetic information of:
[[Page 51709]]
(i) A fetus carried by the individual or family member who is a
pregnant woman; and
(ii) Any embryo legally held by an individual or family member
utilizing an assisted reproductive technology.
(3) Genetic information excludes information about the sex or age
of any individual.
Genetic services means:
(1) A genetic test;
(2) Genetic counseling (including obtaining, interpreting, or
assessing genetic information); or
(3) Genetic education.
Genetic test means an analysis of human DNA, RNA, chromosomes,
proteins, or metabolites, if the analysis detects genotypes, mutations,
or chromosomal changes. Genetic test does not include an analysis of
proteins or metabolites that is directly related to a manifested
disease, disorder, or pathological condition.
* * * * *
Health information means any information, including genetic
information, whether oral or recorded in any form or medium, that: * *
*
* * * * *
Health plan means * * *
(1) * * *
(vi) The Voluntary Prescription Drug Benefit Program under Part D
of title XVIII of the Act, 42 U.S.C. 1395w-101 through 1395w-152.
(vii) An issuer of a Medicare supplemental policy (as defined in
section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(viii) An issuer of a long-term care policy, excluding a nursing
home fixed indemnity policy.
(ix) An employee welfare benefit plan or any other arrangement that
is established or maintained for the purpose of offering or providing
health benefits to the employees of two or more employers.
(x) The health care program for uniformed services under title 10
of the United States Code.
(xi) The veterans health care program under 38 U.S.C. chapter 17.
* * * * *
(xv) The Medicare Advantage program under Part C of title XVIII of
the Act, 42 U.S.C. 1395w-21 through 1395w-28.
* * * * *
Manifestation or manifested means, with respect to a disease,
disorder, or pathological condition, that an individual has been or
could reasonably be diagnosed with the disease, disorder, or
pathological condition by a health care professional with appropriate
training and expertise in the field of medicine involved. For purposes
of this subchapter, a disease, disorder, or pathological condition is
not manifested if the diagnosis is based principally on genetic
information.
* * * * *
PART 164--SECURITY AND PRIVACY
4. The authority citation for part 164 is revised to read as
follows:
Authority: 42 U.S.C. 1320d-1320d-9; sec. 264, Public Law 104-
191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); secs. 13400 and
13402, Public Law No. 111-5, 123 Stat. 258-263.
5. In Sec. 164.501, revise paragraph (3) of the definition of
``Health care operations'' and paragraph (1)(i) of the definition of
``Payment,'' and add in alphabetical order a definition of
``Underwriting purposes'' to read as follows:
Sec. 164.501 Definitions.
* * * * *
Health care operations means * * *
(3) Enrollment, premium rating, and other activities related to the
creation, renewal, or replacement of a contract of health insurance or
health benefits, and ceding, securing, or placing a contract for
reinsurance of risk relating to claims for health care (including stop-
loss insurance and excess of loss insurance), provided that the
requirements of Sec. 164.514(g) are met, if applicable;
* * * * *
Payment means:
(1) * * *
(i) Except as prohibited under Sec. 164.502(a)(3), a health plan
to obtain premiums or to determine or fulfill its responsibility for
coverage and provision of benefits under the health plan; or
* * * * *
Underwriting purposes means, with respect to a health plan:
(1) Except as provided in paragraph (2) of this definition:
(i) Rules for, or determination of, eligibility (including
enrollment and continued eligibility) for, or determination of,
benefits under the plan, coverage, or policy (including changes in
deductibles or other cost-sharing mechanisms in return for activities
such as completing a health risk assessment or participating in a
wellness program);
(ii) The computation of premium or contribution amounts under the
plan, coverage, or policy (including discounts, rebates, payments in
kind, or other premium differential mechanisms in return for activities
such as completing a health risk assessment or participating in a
wellness program);
(iii) The application of any pre-existing condition exclusion under
the plan, coverage, or policy; and
(iv) Other activities related to the creation, renewal, or
replacement of a contract of health insurance or health benefits.
(2) Underwriting purposes does not include determinations of
medical appropriateness where an individual seeks a benefit under the
plan, coverage, or policy.
* * * * *
6. In Sec. 164.502, revise paragraph (a)(1)(iv) and add paragraph
(a)(3) to read as follows:
Sec. 164.502 Uses and disclosures of protected health information:
General rules.
(a) * * *
(1) * * *
(iv) Except for uses and disclosures prohibited under Sec.
164.502(a)(3), pursuant to and in compliance with a valid authorization
under Sec. 164.508;
* * * * *
(3) Prohibited uses and disclosures. Notwithstanding any other
provision of this subpart, a health plan shall not use or disclose
protected health information that is genetic information for
underwriting purposes.
* * * * *
7. In Sec. 164.504, revise the introductory text of paragraph
(f)(1)(ii) to read as follows:
Sec. 164.504 Uses and disclosures: Organizational requirements.
* * * * *
(f)(1) * * *
(ii) Except as prohibited by Sec. 164.502(a)(3), the group health
plan, or a health insurance issuer or HMO with respect to the group
health plan, may disclose summary health information to the plan
sponsor, if the plan sponsor requests the summary health information
for purposes of:
* * * * *
8. In Sec. 164.506, revise paragraph (a) to read as follows:
Sec. 164.506 Uses and disclosures to carry out treatment, payment, or
health care operations.
(a) Standard: Permitted uses and disclosures. Except with respect
to uses or disclosures that require an authorization under Sec.
164.508(a)(2) or (3) or that are prohibited under Sec. 164.502(a)(3),
a covered entity may use or disclose protected health information for
treatment, payment, or health care operations as set forth in paragraph
(c) of this section, provided that such use or disclosure is consistent
with other applicable requirements of this subpart.
* * * * *
[[Page 51710]]
9. In Sec. 164.514, revise paragraph (g) to read as follows:
Sec. 164.514 Other requirements relating to uses and disclosures of
protected health information.
* * * * *
(g) Standard: Uses and disclosures for activities relating to the
creation, renewal, or replacement of a contract of health insurance or
health benefits. If a health plan receives protected health information
for the purpose of premium rating or other activities relating to the
creation, renewal, or replacement of a contract of health insurance or
health benefits, and if such health insurance or health benefits are
not placed with the health plan, such health plan may only use or
disclose such protected health information for such purpose or as may
be required by law, subject to the prohibition at Sec. 164.502(a)(3)
with respect to genetic information included in the protected health
information.
* * * * *
10. In Sec. 164.520, add a new paragraph (b)(1)(iii)(D) to read as
follows:
Sec. 164.520 Notice of privacy practices for protected health
information.
* * * * *
(b) * * *
(1) * * *
(iii) * * *
(D) If a covered entity that is a health plan intends to use or
disclose protected health information for underwriting purposes, a
statement that the covered entity is prohibited from using or
disclosing protected health information that is genetic information of
an individual for such purposes.
Dated: June 5, 2009.
Kathleen Sebelius,
Secretary.
[FR Doc. E9-22492 Filed 10-1-09; 11:15 am]