Public Comments: April 2009 Proposed Rule to Implement Title II of the Genetic Information Nondiscrimination Act of 2008
Background:
The World Privacy Forum filed comments on the proposed regulations on the Genetic Information Nondiscrimination Act, or GINA. The comments request that the Equal Employment Opportunity Commission close several potential loopholes in consumer protection in the regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way as to prevent information leakage through billing and other activities.
Comments of the World Privacy Forum regarding Proposed Rule to Implement Title II of the Genetic Information Nondiscrimination Act of 2008 to Equal Employment Opportunity Commission, RIN 3046-AA84
via www.regulations.gov and mail
Stephen Llewellyn
Executive Officer, Executive Secretariat,
Equal Employment Opportunity Commission
131 M Street NE
Suite 6NE03F
Washington, DC 20507
April 22, 2009
Re: Proposed rule to implement Title II of the Genetic Information Nondiscrimination Act of 2008, March 2, 2009, at 74 Fed. Reg. 9056-9071, EEOC RIN 3046-AA84.
The World Privacy Forum appreciates the opportunity to comment on the proposed rule to implement Title II of the Genetic Information Nondiscrimination Act of 2008. The proposed rule appeared in the Federal Register on March 2, 2009, at 74 Fed. Reg. 9056-9071.
The World Privacy Forum is a non-partisan, non-profit public interest research and consumer education organization. Our focus is on conducting in-depth research and analysis of privacy issues, in particular issues related to information privacy and health privacy. More information about the activities of the World Privacy Forum is available at our web site, <https://www.worldprivacyforum.org>.
I. Comments on Segregating Genetic Information
The proposed regulation assumes that the health care system will be able to segregate genetic information in a health record. For example, on page 9061 (Section 1635.8 Acquisition of Genetic Information), the commentary states that covered entities should ensure that any medical inquiries they make or any medical examinations they require are modified so as to comply with the requirements of GINA. We have significant doubts that all or most health care providers have the ability or the incentive to segregate genetic information as defined in GINA. Some health providers who work directly or regularly for Title II-covered entities may learn the legal requirements in time. Many others may not.
We observe that health care providers have always been obliged legally and professionally to protect the privacy of patient information. Yet when confronted with a comprehensive set of requirements to protect privacy through the HIPAA regulation, providers complained long and hard about those requirements, and they took years to comply. Asking health care providers to satisfy a new and different set of privacy standards that affect some of their activities and to learn a legally-defined category of information – one that may not match up well with entrenched medical definitions of that same information – may be a task that providers will find impossible. Notwithstanding requirements of HIPAA, we believe that it may still be commonplace for a provider to place an entire health record in a copying machine and to send the resulting copy in the hopes of meeting the requirements of the requester.
A. Need for further limiting the proposed exception
The exception in proposed § 1635.8(b)(1)(iv) [“An employer requests medical information (other than genetic information) as permitted by Federal, State, or local law from an individual, who responds by providing, among other information, genetic information”] may be reasonable in some contexts. However, it could easily provide an excuse for a Title II-covered entity and a health care provider to avoid the extra work of segregating genetic information.
Consider a provider who sends the fiftieth employee evaluation to an employer, each time including genetic information. And each time the employer relies on the same exception to excuse the acquisition of genetic information. The exception should not be allowed to excuse repeated conduct that violates the purpose of the rule. We recommend that the exception be limited so that it cannot apply more than one time by a specific health care provider to a specific employer.
B. Proposed alternate approach
We additionally suggest an alternate approach to avoid the risk altogether. It may be appropriate in some or all instances for information transferred from a health care provider to a Title II-covered entity to pass through the hands of a third party who will remove any information restricted under GINA before it reaches the Title II-covered entity. Third-party review could be required for all transfers of medical information or it could be a remedy required for records coming to Title II-covered entities from those health care providers who have demonstrated an inability to remove GINA information in the past.
We do not like the idea of showing Protected Health Information (PHI) to yet another set of eyes, but we do not see how providers can be expected to comply with a requirement that really does not fall on them. Any required third-party editing would have to be arranged for by a Title II-covered entity. If it were possible for an automated method of segregating information to succeed, that might be a better solution.
This is not a trivial problem. Genetic information will increase in amount and importance within a patient record maintained by a health care provider. The problem of identifying and segregating that information will also increase in difficulty and complexity. The exception proposed in the draft rule will become an enormous loophole in just a few short years.
II. Voluntary Wellness Programs: what constitutes “voluntary”
The Commission invited comments (page 9062, § 1635.8 Acquisition of Genetic Information) on what it means for a wellness program that seeks medical information to be voluntary. We suggest that a program is voluntary only if:
a) Participation is not required; and
b) an employee is not penalized for not participating; and
c) an employee is not offered any positive incentive for participating.
The third point is critical. If an employer is allowed to offer any incentive for participating (such as a discount on health insurance), the employer will be able to structure the incentive so as to make free choice difficult or impossible. Suppose, for example, that an employee pays $100 a month for employer-provided health insurance. An employer could double or triple the premiums and then offer a large discount to those who enroll in a wellness program. The only allowable positive incentive for participation should be the benefit that the wellness program offers.
Further, it should be expressly stated that if an employee participates in a wellness program, the employee cannot be penalized for dropping out of the program or for not following its recommendations. Finally, no manager or supervisor should be rewarded in any way for meeting an enrollment goal for employees in a wellness program.
III. Family and Medical Leave Exception
Section 1635.8(b)(3): [“Where the employer requests family medical history to comply with the certification provisions of the Family and Medical Leave Act of 1993 (29 U.S.C. 2601 et seq.) or State or local family and medical leave laws.”] includes an exception covering disclosure of medical information to meet requirements of the Family and Medical Leave Act and similar laws. The exception needs to be qualified.
Only that part of the family information that is directly relevant to certification should be disclosed. The rule should expressly provide that any other family history information be withheld. If the reason for the leave is care of the employee’s daughter, any genetic information pertaining to others that can be segregated should be withheld. If a provider cannot adequately segregate the information, then the suggestion above of using a third party to review records and remove unnecessary information before the records reach the Title II-covered entity may have application here as well.
IV. Commercially and Publicly Available Information
The Commission invited public comment (page 9063, Section 1635.8 Acquisition of Genetic Information) on sources similar in kind to those identified in the statute that may contain family medical history and that should be included either in the group of excepted sources or the group of prohibited sources, such as personal Web sites, or social networking sites. It also asked if the additional sources that are noted in the proposed regulation should be deemed similar in nature to those contained in the statute so as to remain a part of the regulation.
The World Privacy Forum believes that there are many sources for genetic information today, that there will be more sources tomorrow, and that there is a need to control the use of the sources by Title II-covered entities. The profiling of Americans by commercial databrokers has the potential to swallow the purpose of the GINA legislation if the commercial sources loophole is not plugged. To help solve this problem, the list of prohibited sources needs to be expanded.
A. Public information sources
Genetic information can be obtained incidentally as a consequence of the widespread collection and maintenance of personal information about individuals by public sources (e.g., Department of Motor Vehicles) and private sources (e.g., credit bureaus, banks, marketers, utility service providers, list brokers, supermarkets, gyms, commercial Personal Health Record vendors, and many others) that have health information outside the regulatory scheme of HIPAA and other health privacy laws. Copying an individual driver’s license with medical codes may reflect health information (including genetic information) that may or may not be otherwise available.
Unless regulated under GINA, employers who need to verify identity or driving privileges may be able to cull DMV or other pertinent licensing records of individuals for medical information. State driver’s license records may be neither publicly available (driver’s licenses are not public as a result of the Driver’s Privacy Protection Act) nor generally available commercially except for narrow purposes defined in the statute. Other licensing information (e.g., occupational licensing, hunting licenses, etc.) may become part of the records of commercial data brokers. Even occupational or use licenses may include health information if a discount is available to licensees because of a disability or health status. Some occupational and use licenses are public in some jurisdictions.
The use of Internet search engines to obtain information about individuals may also provide a wealth of incidental information. For example, a web search may reveal the participation of an individual or family member in an Internet forum focused on particular diseases or health conditions. A social networking page for an individual or family member could reveal genetic information. As the commentary notes, obituaries can also be a source of genetic information.
Health information may also be found in other unexpected places. For example, in 2007, the World Privacy Forum commented on the Federal Register’s publication of the Federal Motor Carrier Safety Administration’s request for comments on its notice of applications for exemption from the diabetes standard for truck drivers. The published notice included the full first and last name, the age of the applicant, the middle initial when available (most were), as well as the individual’s medical details, and finally, the state the individual is licensed in. Any search engine request for one of the named individuals would find pertinent medical information on the individual. The same search might also reveal information regarding relatives of the individuals whose personal health histories were published by the federal government for all to read. See generally the comments of the World Privacy Forum at <https://www.worldprivacyforum.org/pdf/WPF_DOT_comments03202007fs.pdf>.
B. Commercial sources of incidental genetic information
Other information commercially available for sale is also a potential source of incidental genetic information. We want to provide a better idea of the scope of existing commercial activities that involve the collection, maintenance, sale, rental, and other uses of consumer data. Companies providing goods and services to consumers have a vast appetite for consumer information, and especially for information about health conditions. A large and lucrative industry of list brokers, consumer profilers, and other commercial databrokers satisfies that appetite. We selected diabetes to provide some examples of these activities, but we could have used many other ailments to make the point.
We include below just a few of the lists for sale that are available to those who want to communicate with identifiable consumers who have diabetes. These marketing lists typically give the name, address, email, phone number, number of children, age, income level, and other categories of demographic information about the individuals on the list. The information below is taken directly from the “data cards” accompanying the lists that were actually for sale. The descriptions of each list were provided by the list sellers. It is our experience that few outside the marketing business know about this resource for health information of identifiable individuals. We have testified before the Secretary’s Advisory Committee on Genetics, Health and Society on this issue, noting that many of the diseases on these marketing lists have a genetic component. Some lists for sale refer directly to genetic tests.
Ailment Medical Health – Diabetes Type 1
People who have Diabetes Type 1. Self reported on a household level. These people have genuine concerns about their lifestyle habits. They must be careful with every decision that they make when it comes to their health. As a result, it is safe to assume that they have been encouraged to change their lifestyle habits in the way they live and the products they buy. This opens an avenue for marketers offering health products, treatments and medications to assist these individuals with daily living and/or convalescence. If you do not see a specific ailment listed, call today for more information. [1]
Diabetes Ailment Sufferers – Prime Health Solutions
The audience of the # 2.0 DIABETES Ailment Sufferers – Prime Health Solutions Database has an average age of 57 and gender on this file is a 50/50 split. Selections within the # 2.0 DIABETES Ailment Sufferers – Prime Health Solutions database include over 400 Data Points. Buying habits, OTC and Rx are selectable. Type 1 or Type 2 Diabetes selectable. Income segmentation on the file covers a wide range with average HHI of $48,000. [2]
Absolute Diabetes Ailment List
Derived from a proprietary survey, these are all responders who clearly stated either themselves or someone in their household suffers from some type of Diabetes. This is the ideal list for health and diet offers, healthy cooking books, medications and more! Reach the people who have given permission to receive additional offers and/or information via direct mail, telemarketing, and email. [3]
The number of consumer names on these lists ranges from more than 100,000 to more than 1.5 million individuals. A search on the DirectMag website (http://listfinder.directmag.com/market) for mailing lists using diabetes as the keyword produced results pages with 504 lists on the particular day we searched. [4] Some of the lists focused on health care professionals, donors, and others, but a large percentage of lists offered data on consumers known or suspected to have diabetes. These kinds of lists are available on many diseases and conditions.
As mentioned earlier, some of the list descriptions mention the availability of other data on the consumers, data that often includes income, age, family size, ethnicity, buying habits, and dozens or even hundreds of other personal characteristics, including family relationships. The availability of this range of personal information is standard today because information about consumers is organized into profiles rather than flat files, which typically reflect only one or two fields. Those who rent the marketing lists can select subsets of other personal or household characteristics to suit a particular marketing campaign or to accomplish other purposes.
The traditional list and consumer profiling industry has both traditional and new sources of supply for health (and other) consumer information. Health information may find its way into commercial databases through Web profiling of consumers and customers; monitoring of consumer use of Internet search engines; social networking sites; unwitting disclosure of health information by individuals through transactional or marketing activities; personal health records held outside of HIPAA and used for marketing; and the sale or rental of health information by other entities not subject to HIPAA.
For example, frequent shopper cards issued by retailers such as supermarkets and drug stores may collect considerable amounts of personal information relating to health (including purchases of non-prescription drugs or foods that reveal various health conditions) that is not regulated by HIPAA or otherwise for privacy. Social networking sites could easily be a source of family history information. (“Picked up my uncle at the dialysis center this afternoon.”). The point is that there is a significant market demand for consumer information, including health information, and that there is a corresponding commercial and non-commercial supply of information. That demand will surely extend to genetic information as it becomes more readily available from any source. We have no doubt that consumer lists and profiles will routinely include genetic predispositions in the near future.
Because some family history information is included in the definition of genetic information, nearly any routine current source of health information will contain genetic information covered by GINA. Existing enterprises that collect and sell consumer information will seek and sell genetic testing information in the same way that they already seek and sell other health and consumer information, as in the diabetes lists. In short, genetic information will become another profit center for consumer list and consumer profile sellers. The health information collected and sold through list marketers in this manner is not subject to HIPAA or any other general privacy law.
Products are already being sold to consumers based on their genetic profiles. For example, dubious weight loss merchandising based on a DNA test is trivial to find. A web search will quickly turn up all sorts of “DNA diets” offered to consumers. For example, there is a product consumers can buy to do a test and start their DNA Diet Weight Loss system. [5] Consumers who learn about their genetic predispositions may not be aware that disclosures of that information on websites or in response to advertising can be added by databrokers to existing consumer profiles and then sold to anyone.
The Commission cannot and should not assume that there are laws in place that protect consumers’ identifiable health information in all contexts. Much consumer health information exists in a wholly unregulated commercial sphere, and there are great risks that existing protection for health records held by providers and insurers can leak into commercial records. For example, the HIPAA health privacy rule can be overcome by any company able to wheedle a consent from an individual.
Other non-profit and public sources of DNA analysis exist. The Personal Genome Project proposes to maintain a public and identifiable genomic database. [6] As genetic testing becomes less expensive, other more commercial and less scrupulous sources of genetic testing information are certain to arise and provide data for commercial sale and use. It is not too dramatic to suggest that in the near future, genetic testing information that GINA wants to keep from Title II-covered entities will be readily and cheaply available. Sources will include commercial databrokers, websites of every type, and free or non-commercial sources. As discussed, other health information is already available in this fashion.
Preventing the incidental collection of information that either is readily available today or will become readily available will be a real challenge. When genetic testing becomes so inexpensive that vendors can offer free T-shirts in exchange for a hair sample for genetic testing, the high likelihood is that commercial data brokers and consumer profilers will be awash in unregulated genetic information.
C. Recommendations regarding incidental collection of genetic information
The World Privacy Forum is concerned about incidental collection both inside and outside the health care sector. We offer these recommendations:
1. Title II-covered entities should be expressly prohibited from engaging in conduct that will knowingly lead to or may likely lead to the collection of genetic information.
It is not enough for the rule to provide in § 1635.8(b)(4) that a “covered entity may not research medical databases or court records, even where such databases may be publicly and commercially available, for the purpose of obtaining genetic information about an individual.” The regulation must regulate conduct and not simply selected sources of information. We recommend that any Title II-covered entity be expressly prohibited from engaging in conduct that will knowingly or may likely lead to the collection of genetic information. That includes web searching for personal information about any employees and their families. Title II-covered entities should not be allowed to search for information about any current or potential employee and the employee’s family on social networking sites because of the likelihood that family history information will be included.
It is one thing for an employer to buy a daily newspaper that happens to include obituaries. It is something else for a Title II-covered entity to go to a newspaper website and engage in a search for family history information about a particular employee or prospective new hire. Searching should be prohibited in all sources when there is a specific intent to look for information on a particular individual or family. It is not enough to say only that a Title II-covered entity may not use family medical history to make employment decisions, even if the information was acquired through commercially and publicly available sources. If information can be found, it will be too easy for the information to be used surreptitiously in an improper way.
2. A Title II-covered entity should not be allowed to purchase any list or consumer profile that may include any form of health information.
The goal is to prevent databrokers from providing genetic information as part of a disclosure of other consumer information under the guise that the genetic information was incidentally obtained. Any commercial source that includes any medical information should be considered to be a medical database. Otherwise, the relentless expansion of unregulated consumer profiling, behavioral targeting, commercially maintained personal health records outside the health care system, and the like will create shadow medical records that could be freely available to Title II-covered entities. The reference to medical databases must be broadened beyond databases compiled for medical research purposes so that it includes any compilation of health data no matter the source or the compiler. Otherwise, the exception for commercial databases will overwhelm the rule entirely. We included the extended discussion of commercial databases above to underscore this point.
3. Title II-covered entities should have audit trail requirements when engaging in activities that are likely to lead to incidental collection.
If a Title II-covered entity has a legitimate non-employment related reason for engaging in an activity likely to give rise to the incidental collection of genetic information (e.g., web searching, list buying, or consumer information acquisition), the activity should be allowed only if there is a strict and documented separation (with audit trails) between the functions and records of those components that are legitimately engaging in the specific activities and any other part of the same entity that may be able to use that data in a way that is prohibited by GINA.
If a separation is not possible, then no activity that may give rise to collection of genetic information (incidental or otherwise) should be allowed. For example, if a company wants to buy a list of consumers with medical problems to use for marketing purposes, the company must have a way to keep that list from being reviewed for employment purposes and must have audit trails or other controls to document that no inappropriate accesses occurred.
4. Recommend a prohibition on structuring a wellness program in any manner that discloses health or genetic information to a Title II-covered entity.
Incidental genetic information could also become available to a Title II-covered entity because of an employer-sponsored wellness program. Depending on the nature of the program, even basic confirmation of an employee’s participation could result in the disclosure of genetic information. For example, if a wellness program offers a service to individuals at risk for a particular condition, any reporting of participation in that service may disclose genetic information.
We recommend that the Commission expressly prohibit the structuring of a permitted wellness program in a manner that discloses any health or genetic information to the Title II-covered entity. It should be made clear in the rule or in the commentary that § 1635.8(b)(2)(iii) [“Any individually identifiable genetic information provided under paragraph (b)(2) of this section is only available for purposes of such services and is not disclosed to the covered entity except in aggregate terms that do not disclose the identity of specific individuals.”] covers billing information for the services. The billing system for wellness programs should not become a source of leakage back to a Title II-covered entity.
V. Comments on Genetic Information That is also Protected Health Information (PHI) under HIPAA
Some covered entities subject to Title II of GINA will also be covered entities under HIPAA. For example, an employer may provide health services and have information subject to HIPAA. Proposed § 1635.11(d) provides that Part 1635 “does not apply to genetic information that is protected health information” under HIPAA. It is not at all clear what that means to a Title II-covered entity that is also a HIPAA-covered entity.
Can a Title II entity with genetic information covered by both HIPAA and Title II use the genetic information to discriminate because Part 1635 does not apply? That cannot be the intent of the proposed regulation. We suggest that the relationship between HIPAA and Title II be described with more specificity in the rulemaking.
A Title II-covered entity may acquire PHI through the provision of health care or perhaps in other ways. It may be appropriate to work through all of the circumstances in which a Title II-covered entity acquires PHI so that the regulation provides clearer and more specific guidance without opening unwanted loopholes. The proposed rule for HIPAA overlap is far too crude. We recognize the problem, but ask for a more detailed and sophisticated restatement.
Thank you for the opportunity to offer comments. Please contact us if we can provide you with additional information.
Respectfully submitted,
Pam Dixon
Executive Director,
World Privacy Forum
__________________________________
Endnotes
[1] DirectMag, DirectListfinder 2.0, “#1 Ailment Medical Health – Diabetes Type 1,” NEXTMARK ID: 119135, <http://listfinder.directmag.com/market;jsessionid=DCD110A5C001B08C02F7E833D600AB63?page=research/datacard&id=119135>.
[2] DirectMag, DirectListfinder 2.0, “# 2.0 DIABETES Ailment Sufferers – Prime Health Solutions,” NEXTMARK ID: 211336, <http://listfinder.directmag.com/market;jsessionid=1E4AED4FD93B39F3AB51E0C6ED4C6DE2?page=research/datacard&id=211336>.
[3] DirectMag, DirectListfinder 2.0, “Absolute Diabetes Ailment List,” NEXTMARK ID: 117538, <http://listfinder.directmag.com/market;jsessionid=1E4AED4FD93B39F3AB51E0C6ED4C6DE2?page=research/datacard&id=117538>.
[4] From a Listfinder search April 22, 2009. <listfinder.directmag.com>.
[5] The DNA Diet Weight Loss System <http://www.thednadiet.com/dnaweightlosssystem.html>, last visited April 22, 2009. See also GeneWatch.org <http://www.genewatch.org/article.shtml?als[cid]=558225&als[itemid]=558234>.
[6] See, e.g., Ellen Nakashima, Genome Database Will Link Genes, Traits in Public View, Washington Post, Page A01, (October 18, 2008), <http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703345.html>.