Stop the Wellness--Department of Labor Strictly Limits Wellness Programs with Harsh Restrictions on Asking Family History Questions in Final GINA Regulations

October 14, 2009

The Department of Labor (DOL) and IRS have issued final regulations for employer health plans under the Genetic Information Nondiscrimination Act of 2008 (GINA). The new rules prohibit employer health plans from offering a premium discount or other incentive to participate in a health risk assessment if the assessment includes any questions about the individual's family history of medical conditions or about genetic tests or services of the individual or a family member. Other collection and use of genetic information is also restricted, as explained below in this FBT Legal Update. The new prohibitions are effective for plan years beginning on or after December 6, 2009 -- January 1, 2010 for calendar year plans. 

Are all group health plans subject to the new rules?  Yes. Insured and self-insured programs are affected, and, unlike other HIPAA nondiscrimination rules, the GINA rules apply to even small employer health plans (any plan that covers two or more employees, including dental and vision plans). Substantially similar rules apply to group health insurers. 

What does GINA prohibit?  Under GINA, a group health plan cannot:

What is genetic information?  Genetic information is defined in the new rules as information about an individual or a family member's genetic tests or services, or about family member medical history. For this purpose, family member is defined very broadly to include relatives by marriage and half-blood, and to the fourth degree (includes great-great grandparents and first cousins). Information about a condition the individual actually has is not genetic information.  

How will the new rules impact wellness programs? 

Will the new rules affect treatment by providers? No, the rules allow physicians to request genetic information or a genetic test, and to use that information in any manner for treatment purposes. 

Can genetic information be considered by a health plan in making claims determinations? Yes, genetic information can be considered in determining whether a treatment or benefit is medically appropriate, and a plan can even require a genetic test in order to determine if a treatment is appropriate. But, a plan can only request the minimum amount of genetic information that is necessary to determine if the benefit is medically appropriate. The regulations give the example of a health plan that pays for a mammogram annually for women 40 and over, and also for women over 30 who have an increased risk for breast cancer due to BRCA1 or BRCA2 gene mutations. The plan does not violate the new rules if it requires someone under age 40 to have the genetic test to determine if BRCA1 or BRCA2 mutations are present as a condition of covering the test.

What are the new HIPAA privacy rule requirements?  At the same time DOL and IRS issued the new rules described above, the Department of Health and Human Services issued proposed new privacy regulations. The proposed regulations, when finalized, will clarify that genetic information is protected under the privacy rules regulating use or disclosure of health information. For plans that expect to use or disclose any protected health information for eligibility, enrollment, benefits, pre-existing condition exclusions, or other activities related to the creation, renewal or replacement of health benefits, the group health plan's privacy notice will need to be revised to specifically state that protected health information that is genetic information cannot be so used. Most plans do impose pre-existing condition limitations and/or will continue to use health risk assessments that do not request genetic information as a basis for a premium reduction, so we expect that most group health plans will be required to update their privacy notice as part of information in connection with health plan pricing. Because this part of the new rules is only in proposed form, an updated notice will not be required until the rules are finalized, and at that time, the notice might be required as fast as 60 days after publication of the final rule.

What are the penalties for violating the GINA rules?  The new rules add substantially identical regulations to ERISA and the Internal Revenue Code (the Code), and the penalties that can be collected by the government under the two laws are also very similar. The penalty is $100 per day for each individual affected until a failure is corrected. There are also minimums if a correction is not made by the time IRS issues a notice of examination to the employer, and there are reductions and limitations on maximum taxes if the failure could not have been discovered using reasonable diligence. If the failure is due to reasonable cause and not willful neglect, for most plans the limit on penalties during any one year is the lesser of 10% of all health plan costs of the employer in the prior year or $500,000. This penalty applies under both ERISA and the Code, so employers face maximums of $200 per day and $1,000,000 per year under the two laws. Under ERISA, participants also have a private cause of action for plan benefits or equitable relief. The penalty scheme is essentially the same one that currently exists for violation of the HIPAA nondiscrimination, special enrollment and pre-existing condition rules. 

Next steps. Employers need to quickly assess how they use genetic information in health plan operations to determine what changes must be made for January 1st (assuming a calendar plan year). In particular, health risk assessments and disease management programs may need to be changed. Employers also need to watch for changes in the HIPAA privacy rules, and should prepare an updated notice soon after the new rules are issued in final form. 

For assistance with these new compliance obligations, contact Alison Stemler or Mike Bindner or any other member of FBT's Employee Benefits law team.