HIPAA COMPLIANCE:
Employers Could Be At Risk When They Collect Genetic Data From Employees
Published on Wed Nov 28, 2007
Study shows genetic info lacks privacy protections.
Knowing which rules to follow when it comes to keeping medical records is challenging enough, with privacy officers struggling to choose between Health Insurance Portability and Accountability Act (HIPAA) requirements and state mandates. But with genetic information--the situation gets murkier still.
And that situation is plenty murky, according to a report commissioned by the California HealthCare Foundation and prepared by the Georgetown University Health Privacy Project. "Genetics and Privacy: A Patchwork of Protections" surveys U.S. policy on the collection, use, storage and protection of genetic information.
The conclusion? There's a need for clear and consistent nation-wide guidelines to ensure that genetic information is kept out of the wrong hands. And there's a need for a consistent policy governing when genetic testing should be "encouraged, discouraged, facilitated, or prohibited." As a result, genetic privacy policies often vary from state to state, employer to employer and insurer to insurer
While conceding that much genetic information will be protected by HIPAA privacy regulations, so long as it meets the HIPAA definition of protected health information, the report nevertheless identifies five major gaps it says still remain in the protection of genetic information:
1. Genetic source materials from which a person's genetic information can easily be obtained--such as tissue, blood and hair--are not protected by HIPAA;
2. Key entities with access to genetic information--including employers, pharmaceutical companies, pharmacy benefit managers, workers compensation managers, life insurers and disability income insurers--are covered only indirectly by HIPAA;
3. Certain HIPAA privacy regulations are "too permissive," according to the group, especially those governing the use of protected health information--including genetic information--for health-related marketing, and the access to that information by law enforcement officials;
4. There is no private right of action under HIPAA that allows individuals whose rights have been violated to seek compensation; and
5. There is little policy governing the collection, use and disclosure of genetic information on the Internet.
"The federal government has yet to develop a clear policy about the collection, use, storage and protection of genetic information," says CHCF's Sam Karp. "The result is a patchwork of protections that leaves individuals and families vulnerable." Genetics, Employers and Privacy One of the study's key concerns is the potential for the abuse of genetic information by employers.
The report points out that while HIPAA goes to "great length" to prevent employers from inappropriately acquiring and using workers' protected health information, the reg can't always keep all health information out of employers' hands. Some employers that sponsor their employees' health plans, for example, administer those plans in-house. In such instances an employer could learn that an employee had undergone a genetic test when the worker submits a claim for the test.
Testing often [...]