Privacy of Genetic Information

In the mid-Atlantic region, the following states have enacted laws that prohibit health insurance companies from canceling, denying, or dropping policies on the basis of an individual's genetic information:

Delaware
Maryland
New Jersey

Maryland law also holds that health insurers cannot require individuals to undergo genetic testing or require individuals to reveal the results of prior genetic tests as criteria for coverage.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides some protection against genetic discrimination:

Health insurance companies cannot use genetic information to deny or limit coverage for members of a group plan.

However, HIPAA does not:

provide protection in all cases for individuals seeking insurance in the individual or self-employment market,
prohibit rating (increasing premiums for those seen as high risk) based on genetic information, or
prevent health insurers from releasing or demanding access to genetic information.

Several comprehensive federal bills regarding the privacy of medical records have been proposed and are under debate in the 106th Congress.

Medical Information Privacy and Security Act (S.573)
Health Care Personal Information Nondisclosure Act (S.578)
Medical Information Protection Act (S.881)

All three bills:

Provide the right to view and revise one's medical records.
Differentiate health information that will be protected from non-identifiable health information that will not be protected.
Identify 2 authorization processes: routine authorization for payment and specific authorization for release of records for other purposes.
Identify a number of exceptions for authorization including: health research, public health reporting, and emergencies.
Set civil and criminal penalties for violations.

Differences:

S.573 does not override more stringent state laws.
S.578 provides 18 months for states to pass more stringent laws.
S.881 overrides all existing state laws.
S.573 applies Common Law, set by previous cases, to privately funded research.
S.578 applies current standards until stated differently by Health and Human Services.
S.881 allows researchers to set protocols for ensuring privacy.
S.578 and S.881 provide that routine authorization allows the release of medical records for health care activities, including risk assessment and case management.

Congress needs to pass comprehensive health privacy legislation by August 21, 1999 or the Secretary of Health and Human Services, Donna Shalala, must issue regulations by February 2000. Stay tuned.