President Bush is expected to sign into law the Genetic Information Nondiscrimination Act (GINA) passed last week by Congress. The new law, which has been debated in Congress for 13 years, adds to current federal anti-discrimination laws (including Title VII) prohibitions on employers and insurance companies using genetic tests showing people are at risk of developing cancer, heart disease or other ailments to reject their job applications, promotions or health care coverage, or in setting premiums. Like HIPAA (Health Insurance Portability and Accountability Act of 1996), GINA provides for an exception to use or acquisition of genetic information with the voluntary signed consent of an employee or applicant.
In sum, GINA prohibits health insurance companies from using genetic information to set premiums or determine enrollment eligibility. Employers, with very few exceptions, cannot use genetic information in hiring, firing or promotion decisions and must keep any genetic information strictly confidential in compliance with the ADA (medical records) and HIPAA. As for enforcement, procedures and damages: think ADA. In other words, private employers with fifteen or more employees are subject to GINA. The Equal Employment Opportunity Commission (EEOC) will be charged with investigating complaints, and the procedure and remedies are mostly identical to other federal anti-discrimination laws.
The law will go into effect in November 2009, by which time the Department of Labor is supposed to have enacted its regulations for GINA.
What in the World Do I Care About Genetics? While genetic testing for employment purposes is not regularly used by most of our clients, most do require post-offer medical examinations and verification of absences and FMLA time. Studies cited in support of GINA show that nearly two-thirds of major U.S. companies require medical examinations of new hires, of which 14% conduct tests for susceptibility to workplace hazards, among other things. The federal government for several years has prohibited the federal government from requiring genetic testing or from considering a person’s genetic information in hiring or promotion decisions. Plus, there are labs actively marketing to employers in connection with disability and workers’ compensation claims. GINA significantly proscribes the use of any testing with a genetic component.
Does Texas Have a Similar State Law? Well, yes, Virginia…it does! Texas is one of 31 states (according to National Human Genome Research Institute) that have already adopted laws regarding genetic discrimination in the workplace. Texas’ law has been in effect since 1997. Parallel to GINA, Texas law:
• Provides for protection against discrimination by employers with 15 or more employees, employment agencies, or labor unions based on information about an individual’s genetic characteristics or on the refusal of an individual to take a genetic test or submit a family health history.
• Provides a civil penalty if a person improperly discloses genetic information.
• Employers must keep genetic testing confidential unless an individual specifically authorizes release of such information, or unless they are required to release information pursuant to a court order, or otherwise required by law.
What Difference Will This Make If I Don’t Require Genetic Testing? As with any other anti-discrimination law, employers will want to have a clear written policy and procedures prohibiting conduct in violation of GINA, and will want to educate workers on what is not prohibited by the Act.
Does GINA Affect Our Employee Wellness Program? Yes. Under both HIPAA and, now, GINA, employers may use both personal health and genetic information as part of a qualified wellness program. Wellness programs generally reward participants for reaching a desired health outcome … giving up smoking or losing weight, for example, or carrying out a specified exercise regime. You can see the U.S. Department of Labor’s new rules for creating workplace wellness programs that comply with existing HIPAA law (no doubt soon to be amended to include GINA).
To prevent employers from practicing “back door discrimination,” a wellness plan must meet very specific requirements. Check with your legal counsel regarding wellness programs to keep your plan “legally healthy.”
Little Known Fact: Per the National Human Genome Research Institute, everyone probably has at least six genetic mutations placing them at greater risk for some disease. Although these mutations do not necessarily mean that a disease will develop, researchers said, they do mean that the person is more likely to get the disease than someone without the genetic mutation.
The House voted 414-1 for GINA last Thursday, a week after the legislation passed the Senate on a 95-0 vote. The only member of Congress to vote against the bill was Rep. Ron Paul, R-Texas.

HIPAA continues as the gift that just keeps giving–to lawyers at any rate. Apparently, it is being misconstrued around the country to be an obstacle to families seeking to ascertain the condition of their loved ones. From an interesting editorial in the Idaho Mountain Express:
American medicine and its practitioners are among the finest anywhere in the world. However, getting to that treatment through the maze of government and insurance paperwork and waiting for an appointment is another matter entirely.
Now relatives and friends of patients are ruefully discovering an equally frustrating obstacle in the medical bureaucracy: medical professionals and health-care personnel who stonewall when asked even the most fundamental questions about a patient and his or her condition.
Investigators at the Department of Health and Human Resources have uncovered the culprit: widespread ignorance and misunderstanding about rules written into HIPAA, the Health Insurance Portability and Accountability Act, and a knee-jerk tendency of medical personnel to say “No” when asked for patient information.
The lack of understanding is widespread and profound. So profound that some nursing homes apparently stopped having birthday parties for residents because supervisors feared that revealing birthdates would violate HIPAA.
In another case, a woman had to rush from Oklahoma to Florida because the hospital staff wouldn’t tell her anything about her mother’s condition. The staff continued to stonewall after her arrival–an absurd interpretation of HIPAA–especially if the daughter has the power to make health care decisions for her mother.
May a hospital or other covered entity notify a patient’s family member or other person that the patient is at their facility?
Answer
Yes. The HIPAA Privacy Rule, at 45 CFR 164.510(b), permits covered entities to notify, or assist in the notification of, family members, personal representatives, or other persons responsible for the care of the patient, of the patient’s location, general condition, or death. Where the patient is present, or is otherwise available prior to the disclosure, and has capacity to make health care decisions, the covered entity may notify family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also use or disclose this information to notify the family and these other persons if it can reasonably infer from the circumstances, based on professional judgment, that the patient does not object. Under these circumstances, for example:
A doctor may call a patient’s wife to tell her that her husband was in a car accident and is being treated in the emergency room for minor injuries.
A doctor may contact a pregnant patient’s husband to let him know that his wife arrived at the hospital in labor and is about to give birth.
A nurse may contact the patient’s friend to let him know that his roommate broke his leg falling down the stairs, has had surgery, and is in recovery.
Even when the patient is not present or it is impracticable because of emergency or incapacity to ask the patient about notifying someone, a covered entity can still notify family and these other persons when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). For example, a doctor may, using such professional judgment, call the adult daughter of an incapacitated patient to inform her that her father suffered a stroke and is in the intensive care unit of a hospital.
Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?
Answer
Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:
- A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient’s payment options with her adult daughter.
- A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.
Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:
- A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.
In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.
Note that, in the editorial, HHS seems to have been investigating the failure of providers to give PHI to those who are entitled to it.

A National Provider Identifier (NPI) is a 10-digit number used to identify providers under the 1996 Health Insurance Portability and Accountability Act (HIPAA). According to the Centers for Medicare and Medicaid Services, there are only 151 days left to comply with the NPI requirement.
If you are a health care provider who bills for services, you probably need an NPI. If you bill Medicare for services, you definitely need an NPI! Getting an NPI is easy. Getting an NPI is free. The first step is to get your NPI. Once you obtain your NPI, it is estimated that it will take 120 days to do the remaining work to use it. This includes working on your internal billing systems, coordinating with billing services, vendors, and clearinghouses, and testing with payers. As outlined in the Federal Regulation (the Health Insurance Portability and Accountability Act of 1996 (HIPAA)), you must also share your NPI with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes. If you delay applying for your NPI, you risk your cash flow and that of your health care partners as well.

While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 Fed. Reg. 82566). This is made abundantly clear from the commentary to the regulations and HIPAA’s legislative history. And while many federal district courts have dismissed individual plaintiffs’ lawsuits under this rule, the Fifth Circuit, in the case of Acara v. Banks (5th Cir. Nov. 13, 2006), has become the first federal appellate court to affirm the ruling. The Fifth Circuit supported its decision by noting that the U.S. Department of Health and Human Services was granted comprehensive enforcement powers under HIPAA through its Office of Civil Rights.
Enforcement by regulators, rather than through private actions, hopefully allows for a uniform national standard with which providers can comply and that consumers will understand. By contrast, private causes of action would result in competing interpretations, and therefore in less certainty and clarity.
What are the patient’s rights under HIPAA? Under HIPAA, patients have the right to:
· Receive a privacy notice to inform them about how protected information will be used and disclosed;
· Request that uses and disclosure of protected information be restricted (covered entities are not required to always agree to restrictions);
· Inspect, copy and amend their medical records (providers are allowed to charge a reasonable fee for copying expenses);
· Get an accounting of the disclosure of their protected information for the past six years; and
· File a complaint.
But then…there’s always State law. State law, however, may arguably provide other theories of liability, such as violations of other statutory confidentiality restrictions, slander, intentional infliction of emotional distress, casting in a false light, etc. And remember that such HIPAA restrictions apply to employer use of workers’ protected health information in addition to that of consumers. Rather than a straightforward “HIPAA lawsuit,” you are much more likely to see HIPAA’s privacy requirements used to bolster claims for other breaches of confidentiality and privacy rights under Texas law.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individuals’ Private Health Information (PHI) held by “covered entities,” like health plans, health care providers, and health care clearinghouses, and regulates the use and disclosure of PHI.
In order to help emergency preparedness and recovery planners stay in compliance with HIPAA while accessing and using protected health information for the disabled, the U.S. Department of Health and Human Services (HHS) created an interactive web-based tool (Medical News Today).
Planners are asked a series of questions that will help them determine whether they are legally allowed to disclose someone’s PHI for purposes of public health emergency preparedness. For example, the first question is, “Who is the source of the information to be disclosed?” If the source is a covered entity, the planner may not disclose. To make the task easier, HHS has posted a process flow chart (PDF).

Brett Mendel, Senior Analyst at Byte and Switch Insider, is reporting that the FBI is apparently investigating security breaches regarding data security and HIPAA:
“It is happening with HIPAA,” says Mark Diamond, president and CEO of data storage consulting firm Contoural Inc. “If you do not maintain security of data, you will be investigated by the FBI.”
Say what?
You bet. While the U.S. Department of Health and Human Services (HHS) monitors compliance with the Health Insurance Portability and Accountability Act (HIPAA), the law does indeed expand the FBI’s reach into the realm of healthcare violations.
Security of data is the issue here:
Securing data that resides in enterprise storage, or data “at rest,” has become a hot topic for more than just the healthcare industry (see Wedding of the Year). Indeed, SAN security vendors such as Decru Inc., NeoScale Systems Inc., and Vormetric Inc. have been banging the drum of storage security for some time. But the legal implications of those concerns are only now hitting home.
“We do hear of more security audits by the government,” Kevin Brown, VP of marketing at Decru, recently told Byte and Switch.
The problem for “covered entities” is that the regulations don’t specify how to protect the data:
“The law is descriptive more than prescriptive,” says Dick Benton, practice manager for storage governance at GlassHouse Technologies Inc. “They leave it up to IT departments to determine what ‘protecting the security and confidentiality of information’ means.”
And according to Fiona Jones, Compliance Columnist, the cost of HIPAA has exceeded 17 billion dollars.



