Before passage of the 2013 HIPAA Omnibus Rule, genetic information was not specifically included in the HIPAA regulations’ definition of protected health information (PHI). With passage of the Omnibus Rule, genetic information is now specifically included in the definition of PHI. As such, covered entities must implement safeguards under the HIPAA Privacy Rule to prevent unauthorized use or disclosure of HIPAA genetic information.
What is HIPAA Genetic Information?
HIPAA genetic information is defined as:
- Information about an individual’s genetic tests
- Genetic test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.
- Information about the genetic tests of family members of the individual.
- Information about the manifestation of a disease or disorder in family members of the individual.
- Information about any request for, or receipt of, genetic services, by the individual or any family member of the individual.
- “Genetic services” include:
- A genetic test;
- Genetic counseling (including obtaining, interpreting, or assessing genetic information); or
- Genetic education.
The term “genetic information” includes, with respect to a pregnant woman (or a family member of a pregnant woman), genetic information about the fetus. The term “genetic information,” with respect to an individual using assisted reproductive technology, includes genetic information about the embryo.
When May Genetic Information be Used or Disclosed?
Genetic information that constitutes protected health information maintained by a covered entity (healthcare provider, health plan, or healthcare clearinghouse) is protected from unauthorized use or disclosure under the HIPAA Privacy Rule.
Protected health information (PHI) includes any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify the individual.
A covered entity is permitted to use and disclose PHI in the form of genetic information, for treatment, payment, and healthcare operations.
Treatment is the provision, coordination, or management of healthcare and related services for an individual by one or more healthcare providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for healthcare delivered to an individual. Payment also encompasses the activities of a healthcare provider to obtain payment or be reimbursed for the provision of healthcare to an individual.
Healthcare operations include any of the following activities:
- Quality assessment and improvement activities, including case management and care coordination;
- Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
- Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
- Specific insurance functions, such as:
- Risk rating
- Reinsuring risk
- Business planning, development, management, and administration; and
- Business management and general administrative activities of the entity, including, but not limited to:
- De-identifying protected health information;
- Creating a limited data set;
- Certain fundraising for the benefit of the covered entity.