Proposed HIPAA Privacy Rule Change Explicitly Makes Genetic Info PHI

An important element of data protection compliance is knowing, identifying and inventorying the applicable information…

Healthcare covered entities (CEs) under HIPAA, and now all their business partners, or business associates (BAs) under HIPAA, must comply with the Privacy Rule and Security Rule requirements, which originally applied to 18 listed types of protected health information (PHI) items.
Yesterday the US Department of Health and Human Services (HHS) Office of Civil Rights (OCR), which has oversight and enforcement authority over the HIPAA Privacy Rule and Security Rule, announced a new proposed rule that will expand the definition of PHI:

Genetic Information
The Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008. GINA protects individuals against discrimination based on their genetic information in health coverage and in employment. GINA is divided into two sections, or Titles. Title I of GINA prohibits discrimination based on genetic information in health coverage. Title II of GINA prohibits discrimination based on genetic information in employment.
In the proposed rule issued on October 1, 2009, OCR proposes to modify the Privacy Rule to clarify that genetic information is health information and to prohibit the use and disclosure of genetic information by covered health plans for underwriting purposes, which include eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. OCR is publishing this proposed rule with a 60 day period for public comments.
OCR developed this proposed rule after coordinating with the Department of Labor (DOL), the Centers for Medicare and Medicaid Services (CMS), and the Department of the Treasury (Treasury), which have responsibility for issuing regulations under GINA Title I to prohibit discrimination based on genetic information by group health plans and health insurance issuers, and with the Equal Employment Opportunity Commission (EEOC), which has responsibility for issuing regulations under GINA Title II to prohibit discrimination based on genetic information by employers. Additionally, HHS sought guidance from the National Institutes of Health on the definitions and on other issues.
View the OCR Proposed Rule
View the DOL/CMS/Treasury Interim Final Rule
View the Press Release
View the EEOC Proposed Rule

I am surprised this hasn’t been talked about more.
Until now, protection of genetic information was only implied, although HHS guidance indicated that genetic information should generally be considered PHI. Now it is explicitly listed and covered.
I know many information security and privacy officers have not included genetic information within their scope of PHI safeguards, or within their breach response plans, because it was not explicitly listed. Many (to most?) used just those 17 specifically named PHI items and didn’t really worry much about that 18th catch-all item (shown below).
The amount of genetic data, and even hard copy genetic information, within healthcare providers and insurers is *HUGE*! And this information is often kept in many types of locations different from those of the originally defined PHI items. Add to this all the places where BAs have genetic information under their control.
The list of PHI items, with genetic information added, will generally look like the following if/when the proposed rule is enacted:

(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images;
(From GINA Rule) Genetic information; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section.
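The geographic rule in item (B) and the date/age rule in item (C) above, worked through as an added example (this is not code from the original post or from HHS). The ZIP3 population table and the patient record are constructed sample values; a real implementation must use current Census Bureau figures.

```python
from datetime import date

# CONSTRUCTED population table (illustration only): people living in the
# area formed by all ZIP codes sharing each 3-digit prefix.
ZIP3_POPULATION = {
    "021": 650_000,    # above 20,000: first three digits may be kept
    "036": 12_000,     # 20,000 or fewer: prefix must become "000"
}
POPULATION_THRESHOLD = 20_000
AGE_CAP = 89  # ages over 89 collapse into the single category "90 or older"


def safe_harbor_zip(zip_code: str, population=ZIP3_POPULATION) -> str:
    """Rule (B): keep only the first three digits, and only when the ZIP3
    area holds more than 20,000 people; otherwise return "000". A prefix
    missing from the table is treated as small (conservative default)."""
    prefix = zip_code.strip()[:3]
    return prefix if population.get(prefix, 0) > POPULATION_THRESHOLD else "000"


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - int(before_birthday)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply rules (B) and (C) to one patient record.

    record keys: "zip" (str), "birth_date" and "admission_date" (date).
    Date elements keep only the year; for a person over 89 the birth year
    is dropped as well, because it is indicative of that age.
    """
    age = age_on(record["birth_date"], as_of)
    out = {
        "zip3": safe_harbor_zip(record["zip"]),
        "admission_year": record["admission_date"].year,
    }
    if age > AGE_CAP:
        out["birth_year"] = None
        out["age"] = "90 or older"
    else:
        out["birth_year"] = record["birth_date"].year
        out["age"] = age
    return out
```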

Folks, if you’re working at a CE or BA, this means that, if you have not already done so, you will need to ensure that all those Privacy Rule and Security Rule requirements are extended to every location where genetic information is held, that all of that genetic information is monitored for breaches, and that your breach response activities cover it.
Are you aware of this? Are your information security and privacy officers and leaders aware?
