Question about Compliance Requirements for Genetic Testing

This week we were asked a question about compliance requirements for genetic testing. The following is our response to the question asked by Marilyn T. in Alaska:

What are the compliance requirements for genetic testing? When is consent necessary?

Healthcare Compliance Pros Response:

Under the HIPAA Privacy Rule covered entities and business associates are permitted to disclose PHI without a signed authorization for treatment, payment, or health care operations reasons. For example, doctors and/or hospitals (that are covered entities) may share information freely with one another for treatment reasons. Patient information may be released without their authorization to insurance companies in order to receive payment for services provided. Health care operations can include a variety of business activities such as quality assessment, employee review, licensing and others. Any uses or disclosures of PHI for non-TPO are not permitted unless they are required by state or other law, or have been authorized by the patient.

Under the Privacy Rule, patient authorization is required for non-TPO uses and disclosures of PHI. An authorization is a customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual. An authorization is required for use and disclosure of PHI not otherwise allowed by the Privacy Rule.

Not all state law is preempted by HIPAA. State laws that are more "stringent" than HIPAA, which basically means laws that require more protection of the privacy of information than HIPAA does, will still govern. For example, many states have laws applying a higher standard of confidentiality to particularly sensitive information, such as that relating to HIV/AIDS, psychotherapy notes, drug and alcohol information and genetic information.

Like other health information, to be protected by HIPAA, genetic information must meet the definition of protected health information (PHI). In other words, it must be individually identifiable and maintained by a covered entity or a business associate. State genetic privacy laws typically require an individual's specific written consent for the collection, retention, use, or disclosure of genetic information about an individual, with certain exceptions.

Alaska is a State that has more "stringent" requirements regarding the use and disclosure of genetic information. Under Alaska State law "a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure."

Based on the facts restated above, in our opinion and this is by no means legal advice, under the HIPAA Privacy Rule there are no special restrictions on the use and disclosure of sensitive information, such as genetic information for purposes of Treatment, Payment and Operations (T.P.O.). Sharing information with another physician or hospital is appropriate as long as the information is being shared for treatment purposes. Patient information (including genetic testing) may be released without patient authorization to insurance companies in order to receive payment for services provided. Because Alaska has more ""stringent" requirements, written consent of the person, or the person's legal guardian or authorized representative, is required for the collection, analysis, retention, or disclosure of a DNA sample. We recommend written authorization at the time of or prior to, performing any genetic tests.

If you have any additional questions or require further assistance, please do not hesitate to contact one of our professional consultants.