
HIPAA Compliance Strategies

Featured Health Business Daily Story Nov. 10, 2009

 

Health Plans Face HIPAA Privacy Rule Changes Under the New Genetic Information Nondiscrimination Act 

 

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

 

By Liana Heitin, Editor (lheitin@aispub.com)

 

On Oct. 7, 2009, HHS issued proposed changes for the HIPAA privacy rule in accordance with the interim final regulations for the Genetic Information Nondiscrimination Act (GINA) of 2008, which were released the same day.

 

Under the proposed HIPAA changes, health plans will need to carefully explore their underwriting practices — using a new and broader definition of “underwriting” — as well as revise and redistribute their privacy notices.

 

The proposed modifications to HIPAA essentially do five things:

 

(1) Make explicit that genetic information is considered to be protected health information (PHI),

 

(2) Prohibit health plans from using or disclosing genetic information for underwriting purposes,

 

(3) Revise provisions relating to the notice of privacy practices (NPPs) for health plans that perform underwriting,

 

(4) Make “a number of conforming modifications to definitions and other provisions of the Rule,” and

 

(5) Update the definition of a “health plan.”

 

According to Joanne Hustead, a health compliance specialist with employee benefits consulting firm The Segal Company in Washington, D.C., genetic information has always been considered PHI, so that particular point is “only a cosmetic change, not a substantive one.” The major change for health plans, she says, is that they can no longer use or disclose genetic information for underwriting purposes. “Because of that change, there’s a cascading effect. There will have to be some tweaking of HIPAA notices and privacy policies and procedures flowing from that change.”

 

“Underwriting purposes” is defined by the GINA regs as “including, with respect to group health plan coverage, rules for and determinations of eligibility (including enrollment and continued eligibility), computation of premium or contribution amounts, and application of preexisting condition exclusions.” It is not just related to rating and pricing, but rather includes changing deductibles or “providing discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment (HRA) or participating in a wellness program.”

 

Hustead notes that most people in the industry tend to think of underwriting narrowly — as upping a group rate based on concerns about the health of one person in the group. But now, privacy officers “need to think of underwriting purposes in a very broad sense — it’s not just the price on the policy.”

 

Under GINA, health plans that use PHI for underwriting — which is all plans except for the public plans, says Hustead — have to update their privacy notices to specifically state that they will not use genetic information.

 

Changes That Are Needed May Be Minimal

 

Mark Stember, a Washington, D.C., attorney with Kilpatrick Stockton LLP, says that despite using PHI, most health plans were not actually using genetic information for underwriting, “so from an administrative standpoint there’s no change. [The plans] are simply updating their documents to make sure they say the right thing.” As covered entities learned in complying with HIPAA, he says, “it’s all about documentary compliance. If you don’t have your documents in order, you’re technically in violation, even if as a practical matter you’re not operating that way.”

 

However, Sharon Cohen of Watson Wyatt Worldwide, who is based in Arlington, Va., and works with employers, thinks that some covered entities may be unknowingly using genetic information for things that now have GINA implications based on the broad definition of “underwriting.” She gives an example (which falls under GINA rather than the privacy rule) of a health plan that sends a health coach to follow up about disease management after a health risk assessment. The coach asks a few questions about the beneficiary’s family medical history. While the health coach seems to be providing some type of medical care, which would make the use of genetic information allowable, the service is coming from a health plan. It’s a fine line whether the family history questions are permissible, depending on when in the enrollment process they were asked and whether they are tied to any kind of incentive. Covered entities should “go through their policies and procedures to make sure they are not in violation of the [underwriting] rule — not just the policies on paper, but the ones really in operation,” Cohen says.

 

As expected, HHS is still hammering out some of the GINA details, especially concerning timelines. According to the HIPAA privacy rule as currently written, a covered entity must notify beneficiaries of a material change within 60 days of implementing the change. The new proposed HIPAA modifications state that “the proposed requirement to explicitly include a statement regarding the prohibition represent a material change to the NPP of health plans that perform underwriting,” so the 60-day time frame should apply. And while modifying the document would be simple, redistributing it could be quite a burden. “HHS is not wild about the idea of just telling plans to redistribute privacy notices so they can add five words. They’re considering what to do and asking commenters to weigh in about what they think is appropriate under the circumstances.”

 

Several Timelines Are Possible

 

There are several timeline options on the table, says Cohen. HHS could allow health plans to send the new notices with their annual enrollment information, waive the time frame altogether or keep the 60-day deadline. Stember notes that since the original GINA regulations were released in May, many health plans already changed their notices and sent the new ones out with their annual enrollment mailing. For health plans “to change privacy notices midyear it would be a different story because there are specific costs associated with that,” says Stember.

 

If the privacy notice change does constitute a material change under the final rules, health plans will also need to do employee training, says Stember, though there are no specific requirements in the privacy rule about how and when. Educating staff could be as easy as a one-page memo, he says, or as difficult as a series of training sessions, depending on the company’s evaluation of its needs.

 

The proposed time frames have the potential to cause confusion in light of the changes covered entities (CEs) have to make under the HITECH Act. The security breach notification interim final rules officially went into effect on Sept. 23, though HHS has said it will not enforce these regulations for the first six months.

 

Covered entities also need to modify their business associate agreements by February 2010. The proposed changes to the privacy rule state that health plans will be required to comply with the new standards 180 days after the final rule is published. “The good news from the perspective of the HIPAA privacy officer is that nothing has to be done right now — this is one change in the law unlike the rest of it that’s not yet effective,” says Hustead. “They’re basically looking at having six months from the time they issue the final rule to get their ducks in a row,” and the final regs aren’t likely to come out until sometime next year.

 

But wouldn’t it be wise to get a leg up on these changes, since so many other changes will be due right around the same time? Not necessarily. Stember suggests health plans save time and money by waiting to make the HITECH and GINA changes at once “rather than doing it piecemeal.” The HIPAA final changes are likely to be made before February, so mailings, policy and procedure updates and training sessions can be done at the same time for both regs to comply with both deadlines, he says.

 

Hustead agrees that health plans should wait on making changes for both GINA and HITECH. “They may have to do some HITECH stuff first, but HHS is aware this is all happening. It’s the same office writing the regulations, so I’m sure they’re trying to coordinate. The only thing to do now is breach notification, and CEs should already be doing it.”

 

 


Copyright © 2010 by Atlantic Information Services, Inc. All rights reserved.