Stop the Wellness: Department of Labor Strictly Limits Wellness Programs with Harsh Restrictions on Asking Family History Questions in Final GINA Regulations
The Department of Labor (DOL) and IRS have issued final regulations for employer health plans under the Genetic Information Nondiscrimination Act of 2008 (GINA). The new rules prohibit employer health plans from offering a premium discount or other incentive to participate in a health risk assessment if the assessment includes any questions about the individual's family history of medical conditions or about genetic tests or services of the individual or a family member. Other collection and use of genetic information is also restricted, as explained below in this FBT Legal Update. The new prohibitions are effective for plan years beginning on or after December 6, 2009 (January 1, 2010 for calendar year plans).
Are all group health plans subject to the new rules? Yes. Insured and self-insured programs are affected, and, unlike other HIPAA nondiscrimination rules, the GINA rules apply to even small employer health plans (any plan that covers two or more employees, including dental and vision plans). Substantially similar rules apply to group health insurers.
What does GINA prohibit? Under GINA, a group health plan cannot:
- Provide a discount for participation in a health risk assessment that asks about or gathers any genetic information
- Use genetic information for eligibility, enrollment, continued eligibility, deductibles or cost-sharing, premium amounts, discounts, rebates, or any other activity related to the creation, renewal or replacement of health benefits, including the application of pre-existing condition limits (existing HIPAA rules would prohibit use of genetic information for pre-existing condition limits, so this is not new)
- Ask for any genetic information before or in connection with enrollment
- Ask an employee to undergo a genetic test, although benefits can be conditioned on genetic tests supporting appropriate treatment for a condition
- Discriminate in the terms and conditions of employment based on genetic information
- Use or distribute genetic information in violation of the HIPAA privacy rules (the privacy rules would already prohibit this, but the rules heighten the standards and require that privacy notices be updated to specifically reference the genetic information use restrictions if the group health plan has any genetic information)
What is genetic information? Genetic information is defined in the new rules as information about an individual's or a family member's genetic tests or services, or about family member medical history. For this purpose, family member is defined very broadly to include relatives by marriage and half-blood, and to the fourth degree (includes great-great grandparents and first cousins). Information about a condition the individual actually has is not genetic information.
How will the new rules impact wellness programs?
- Participation in a health risk assessment cannot be the basis of a premium discount if that health risk assessment asks for or gathers any genetic information (including via an open-ended question, unless the assessment specifically includes an instruction not to include any genetic information). So, if the health risk assessment asks about family member conditions or about tests the individual may have had to make genetic determinations as to possible future conditions, no incentive can be given for participation in the health risk assessment. A discount on a health premium is not permitted under these circumstances. If the health risk assessment does not ask for genetic information, a discount can be given for participation. The rules suggest that plans may want to use a combination of the two designs: a health risk assessment with no genetic questions for a premium discount, and a health risk assessment with genetic questions that is fully voluntary and does not result in a premium reduction.
- But, the plan must also be careful not to ask for any genetic information before or in connection with enrollment.
- Disease management programs may also need operational changes. A health risk assessment that asks for genetic information cannot then use that information to target individuals for participation in a disease management program, because that is considered to be a prohibited incentive for participating in the health risk assessment. Individuals who already have a specific condition, like diabetes, can be offered a disease management program based on a health risk assessment or other health plan information. But, for individuals who merely have a family history or a genetic test indicating a likelihood of developing a disease, that information collected in a health risk assessment can't be used to develop a targeted group offer to participate in disease management for that potential condition. Group health plans can send a general invitation to all participants offering participation in a disease management program if they have or have family members who have a specific condition like diabetes.
- Employers should be able to ask about whether employees are obtaining routine screenings, such as mammograms and physicals. Those are not genetic tests to the extent they are determining if a specific disease is present as opposed to whether a person is predisposed to develop a disease. The rules make clear that the following are not genetic tests: HIV test, complete blood count, cholesterol test, liver function test, or tests for the presence of alcohol or drugs.
Will the new rules affect treatment by providers? No, the rules allow physicians to request genetic information or a genetic test, and to use that information in any manner for treatment purposes.
Can genetic information be considered by a health plan in making claims determinations? Yes, genetic information can be considered in determining whether a treatment or benefit is medically appropriate, and a plan can even require a genetic test in order to determine if a treatment is appropriate. But, a plan can only request the minimum amount of genetic information that is necessary to determine if the benefit is medically appropriate. The regulations give the example of a health plan that pays for a mammogram annually for women 40 and over, and also for women over 30 who have an increased risk for breast cancer due to BRCA1 or BRCA2 gene mutations. The plan does not violate the new rules if it requires someone under age 40 to have the genetic test to determine if BRCA1 or BRCA2 mutations are present as a condition of covering the test.
What are the new HIPAA privacy rule requirements? At the same time DOL and IRS issued the new rules described above, the Department of Health and Human Services issued proposed new privacy regulations. The proposed regulations, when finalized, will clarify that genetic information is protected under the privacy rules regulating use or disclosure of health information. For plans that expect to use or disclose any protected health information for eligibility, enrollment, benefits, pre-existing condition exclusions, or other activities related to the creation, renewal or replacement of health benefits, the group health plan's privacy notice will need to be revised to specifically state that protected health information that is genetic information cannot be so used. Most plans do impose pre-existing condition limitations and/or will continue to use health risk assessments that do not request genetic information as a basis for a premium reduction, so we expect that most group health plans will be required to update their privacy notice as part of information in connection with health plan pricing. Because this part of the new rules is only in proposed form, an updated notice will not be required until the rules are finalized, and at that time, the notice might be required as fast as 60 days after publication of the final rule.
What are the penalties for violating the GINA rules? The new rules add substantially identical regulations to ERISA and the Internal Revenue Code (the Code), and the penalties that can be collected by the government under the two laws are also very similar. The penalty is $100 per day for each individual affected until a failure is corrected. There are also minimums if a correction is not made by the time IRS issues a notice of examination to the employer, and there are reductions and limitations on maximum taxes if the failure could not have been discovered using reasonable diligence. If the failure is due to reasonable cause and not willful neglect, for most plans the limit on penalties during any one year is the lesser of 10% of all health plan costs of the employer in the prior year or $500,000. This penalty applies under both ERISA and the Code, so employers face maximums of $200 per day and $1,000,000 per year under the two laws. Under ERISA, participants also have a private cause of action for plan benefits or equitable relief. The penalty scheme is essentially the same one that currently exists for violation of the HIPAA nondiscrimination, special enrollment and pre-existing condition rules.
Next steps. Employers need to quickly assess how they use genetic information in health plan operations to determine what changes must be made for January 1st (assuming a calendar plan year). In particular, health risk assessments and disease management programs may need to be changed. Employers also need to watch for changes in the HIPAA privacy rules, and should prepare an updated notice soon after the new rules are issued in final form.
For assistance with these new compliance obligations, contact Alison Stemler or Mike Bindner or any other member of FBT's Employee Benefits law team.