- § 1320d. Definitions
- § 1320d-1. General requirements for adoption of standards
- § 1320d-2. Standards for information transactions and data elements
- § 1320d-3. Timetables for adoption of standards
- § 1320d-4. Requirements
- § 1320d-5. General penalty for failure to comply with requirements and standards
- § 1320d-6. Wrongful disclosure of individually identifiable health information
- § 1320d-7. Effect on State law
- § 1320d-8. Processing payment transactions by financial institutions
- § 1320d-9. Application of HIPAA regulations to genetic information
§ 1320d. Definitions
For purposes of this part:
(1) Code set
(2) Health care clearinghouse
(3) Health care provider
(4) Health information
The term “health information” means any information, whether oral or recorded in any form or medium, that—
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
(5) Health plan
The term “health plan” means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 300gg–91 of this title). Such term includes the following, and any combination thereof:
(A) A group health plan (as defined in section 300gg–91(a) of this title), but only if the plan—
(i) has 50 or more participants (as defined in section 1002(7) of title 29); or
(ii) is administered by an entity other than the employer who established and maintains the plan.
(B) A health insurance issuer (as defined in section 300gg–91(b) of this title).
(C) A health maintenance organization (as defined in section 300gg–91(b) of this title).
(D) Parts [1] A, B, C, or D of the Medicare program under subchapter XVIII.
[1] So in original. Probably should be “Part”.
(E) The medicaid program under subchapter XIX.
(F) A Medicare supplemental policy (as defined in section 1395ss(g)(1) of this title).
(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).
(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.
(I) The health care program for active military personnel under title 10.
(J) The veterans health care program under chapter 17 of title 38.
(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10.
(L) The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).
(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5.
(6) Individually identifiable health information
The term “individually identifiable health information” means any information, including demographic information collected from an individual, that—
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
(7) Standard
(8) Standard setting organization
(9) Operating rules
(Aug. 14, 1935, ch. 531, title XI, § 1171, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2021; amended Pub. L. 107–105, § 4, Dec. 27, 2001, 115 Stat. 1007; Pub. L. 111–5, div. A, title XIII, § 13102, Feb. 17, 2009, 123 Stat. 242; Pub. L. 111–148, title I, § 1104(b)(1), Mar. 23, 2010, 124 Stat. 146.)
§ 1320d–1. General requirements for adoption of standards
(a) Applicability
Any standard adopted under this part shall apply, in whole or in part, to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1320d–2(a)(1) of this title.
(b) Reduction of costs
(c) Role of standard setting organizations
(1) In general
(2) Special rules
(A) Different standards
The Secretary may adopt a standard that is different from any standard developed, adopted, or modified by a standard setting organization, if—
(i) the different standard will substantially reduce administrative costs to health care providers and health plans compared to the alternatives; and
(ii) the standard is promulgated in accordance with the rulemaking procedures of subchapter III of chapter 5 of title 5.
(B) No standard by standard setting organization
If no standard setting organization has developed, adopted, or modified any standard relating to a standard that the Secretary is authorized or required to adopt under this part—
(i) paragraph (1) shall not apply; and
(ii) subsection (f) shall apply.
(3) Consultation requirement
(A) In general
A standard may not be adopted under this part unless—
(i) in the case of a standard that has been developed, adopted, or modified by a standard setting organization, the organization consulted with each of the organizations described in subparagraph (B) in the course of such development, adoption, or modification; and
(ii) in the case of any other standard, the Secretary, in complying with the requirements of subsection (f), consulted with each of the organizations described in subparagraph (B) before adopting the standard.
(B) Organizations described
The organizations referred to in subparagraph (A) are the following:
(i) The National Uniform Billing Committee.
(ii) The National Uniform Claim Committee.
(iii) The Workgroup for Electronic Data Interchange.
(iv) The American Dental Association.
(d) Implementation specifications
(e) Protection of trade secrets
(f) Assistance to Secretary
(g) Application to modifications of standards
(Aug. 14, 1935, ch. 531, title XI, § 1172, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2023.)
§ 1320d–2. Standards for information transactions and data elements
(a) Standards to enable electronic exchange
(1) In general
The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for—
(A) the financial and administrative transactions described in paragraph (2); and
(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs, and subject to the requirements under paragraph (5).
(2) Transactions
The transactions referred to in paragraph (1)(A) are transactions with respect to the following:
(A) Health claims or equivalent encounter information.
(B) Health claims attachments.
(C) Enrollment and disenrollment in a health plan.
(D) Eligibility for a health plan.
(E) Health care payment and remittance advice.
(F) Health plan premium payments.
(G) First report of injury.
(H) Health claim status.
(I) Referral certification and authorization.
(J) Electronic funds transfers.
(3) Accommodation of specific providers
(4) Requirements for financial and administrative transactions
(A) In general
The standards and associated operating rules adopted by the Secretary shall—
(i) to the extent feasible and appropriate, enable determination of an individual’s eligibility and financial responsibility for specific services prior to or at the point of care;
(ii) be comprehensive, requiring minimal augmentation by paper or other communications;
(iii) provide for timely acknowledgment, response, and status reporting that supports a transparent claims and denial management process (including adjudication and appeals); and
(iv) describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions (except where necessary to implement State or Federal law, or to protect against fraud and abuse).
(B) Reduction of clerical burden
(5) Consideration of standardization of activities and items
(A) In general
For purposes of carrying out paragraph (1)(B), the Secretary shall solicit, not later than January 1, 2012, and not less than every 3 years thereafter, input from entities described in subparagraph (B) on—
(i) whether there could be greater uniformity in financial and administrative activities and items, as determined appropriate by the Secretary; and
(ii) whether such activities should be considered financial and administrative transactions (as described in paragraph (1)(B)) for which the adoption of standards and operating rules would improve the operation of the health care system and reduce administrative costs.
(B) Solicitation of input
For purposes of subparagraph (A), the Secretary shall seek input from—
(i) the National Committee on Vital and Health Statistics, the Health Information Technology Policy Committee, and the Health Information Technology Standards Committee; and
(ii) standard setting organizations and stakeholders, as determined appropriate by the Secretary.
(b) Unique health identifiers
(1) In general
(2) Use of identifiers
(c) Code sets
(1) In general
The Secretary shall adopt standards that—
(A) select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) from among the code sets that have been developed by private and public entities; or
(B) establish code sets for such data elements if no code sets for the data elements have been developed.
(2) Distribution
(d) Security standards for health information
(1) Security standards
The Secretary shall adopt security standards that—
(A) take into account—
(i) the technical capabilities of record systems used to maintain health information;
(ii) the costs of security measures;
(iii) the need for training persons who have access to health information;
(iv) the value of audit trails in computerized record systems; and
(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and
(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.
(2) Safeguards
Each person described in section 1320d–1(a) of this title who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards—
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated—
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and
(C) otherwise to ensure compliance with this part by the officers and employees of such person.
(e) Electronic signature
(1) Standards
(2) Effect of compliance
(f) Transfer of information among health plans
(g) Operating rules
(1) In general
(2) Operating rules development
In adopting operating rules under this subsection, the Secretary shall consider recommendations for operating rules developed by a qualified nonprofit entity that meets the following requirements:
(A) The entity focuses its mission on administrative simplification.
(B) The entity demonstrates a multi-stakeholder and consensus-based process for development of operating rules, including representation by or participation from health plans, health care providers, vendors, relevant Federal agencies, and other standard development organizations.
(C) The entity has a public set of guiding principles that ensure the operating rules and process are open and transparent, and supports nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory practices.
(D) The entity builds on the transaction standards issued under Health Insurance Portability and Accountability Act of 1996.
(E) The entity allows for public review and updates of the operating rules.
(3) Review and recommendations
The National Committee on Vital and Health Statistics shall—
(A) advise the Secretary as to whether a nonprofit entity meets the requirements under paragraph (2);
(B) review the operating rules developed and recommended by such nonprofit entity;
(C) determine whether such operating rules represent a consensus view of the health care stakeholders and are consistent with and do not conflict with other existing standards;
(D) evaluate whether such operating rules are consistent with electronic standards adopted for health information technology; and
(E) submit to the Secretary a recommendation as to whether the Secretary should adopt such operating rules.
(4) Implementation
(A) In general
(B) Adoption requirements; effective dates
(i) Eligibility for a health plan and health claim status
(ii) Electronic funds transfers and health care payment and remittance advice
The set of operating rules for electronic funds transfers and health care payment and remittance advice transactions shall—
(I) allow for automated reconciliation of the electronic payment with the remittance advice; and
(II) be adopted not later than July 1, 2012, in a manner ensuring that such operating rules are effective not later than January 1, 2014.
(iii) Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization
(C) Expedited rulemaking
(h) Compliance
(1) Health plan certification
(A) Eligibility for a health plan, health claim status, electronic funds transfers, health care payment and remittance advice
(B) Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, referral certification and authorization
(2) Documentation of compliance
A health plan shall provide the Secretary, in such form as the Secretary may require, with adequate documentation of compliance with the standards and operating rules described under paragraph (1). A health plan shall not be considered to have provided adequate documentation and shall not be certified as being in compliance with such standards, unless the health plan—
(A) demonstrates to the Secretary that the plan conducts the electronic transactions specified in paragraph (1) in a manner that fully complies with the regulations of the Secretary; and
(B) provides documentation showing that the plan has completed end-to-end testing for such transactions with their partners, such as hospitals and physicians.
(3) Service contracts
(4) Certification by outside entity
(5) Compliance with revised standards and operating rules
(A) In general
A health plan (including entities described under paragraph (3)) shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable revised standards and associated operating rules under this subsection for any interim final rule promulgated by the Secretary under subsection (i) that—
(i) amends any standard or operating rule described under paragraph (1) of this subsection; or
(ii) establishes a standard (as described under subsection (a)(1)(B)) or associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions.
(B) Date of compliance
(6) Audits of health plans
(i) Review and amendment of standards and operating rules
(1) Establishment
(2) Evaluations and reports
(A) Hearings
(B) Report
(3) Interim final rulemaking
(A) In general
(B) Public comment
(i) Public comment period
(ii) Effective date
(4) Review committee
(A) Definition
For the purposes of this subsection, the term “review committee” means a committee chartered by or within the Department of Health and Human Services that has been designated by the Secretary to carry out this subsection, including—
(i) the National Committee on Vital and Health Statistics; or
(ii) any appropriate committee as determined by the Secretary.
(B) Coordination of HIT standards
(5) Operating rules for other standards adopted by the Secretary
(j) Penalties
(1) Penalty fee
(A) In general
Not later than April 1, 2014, and annually thereafter, the Secretary shall assess a penalty fee (as determined under subparagraph (B)) against a health plan that has failed to meet the requirements under subsection (h) with respect to certification and documentation of compliance with—
(i) the standards and associated operating rules described under paragraph (1) of such subsection; and
(ii) a standard (as described under subsection (a)(1)(B)) and associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions.
(B) Fee amount
(C) Additional penalty for misrepresentation
(D) Annual fee increase
(E) Penalty limit
A penalty fee assessed against a health plan under this subsection shall not exceed, on an annual basis—
(i) an amount equal to $20 per covered life under such plan; or
(ii) an amount equal to $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information (as described under subparagraph (C)).
(F) Determination of covered individuals
(2) Notice and dispute procedure
(3) Penalty fee report
(4) Collection of penalty fee
(A) In general
(B) Notice
(C) Payment due date
(D) Unpaid penalty fees
Any amount of a penalty fee assessed against a health plan under this subsection for which payment has not been made by the due date provided under subparagraph (C) shall be—
(i) increased by the interest accrued on such amount, as determined pursuant to the underpayment rate established under section 6621 of the Internal Revenue Code of 1986; and
(ii) treated as a past-due, legally enforceable debt owed to a Federal agency for purposes of section 6402(d) of the Internal Revenue Code of 1986.
(E) Administrative fees
(Aug. 14, 1935, ch. 531, title XI, § 1173, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2024; amended Pub. L. 111–148, title I, § 1104(b)(2), title X, § 10109(a), Mar. 23, 2010, 124 Stat. 147, 915.)
§ 1320d–3. Timetables for adoption of standards
(a) Initial standards
(b) Additions and modifications to standards
(1) In general
(2) Special rules
(A) First 12-month period
(B) Additions and modifications to code sets
(i) In general
(ii) Additional rules
(Aug. 14, 1935, ch. 531, title XI, § 1174, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2026.)
§ 1320d–4. Requirements
(a) Conduct of transactions by plans
(1) In general
If a person desires to conduct a transaction referred to in section 1320d–2(a)(1) of this title with a health plan as a standard transaction—
(A) the health plan may not refuse to conduct such transaction as a standard transaction;
(B) the insurance plan may not delay such transaction, or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction; and
(C) the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information.
(2) Satisfaction of requirements
A health plan may satisfy the requirements under paragraph (1) by—
(A) directly transmitting and receiving standard data elements of health information; or
(B) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse, and receiving standard data elements through the health care clearinghouse.
(3) Timetable for compliance
(b) Compliance with standards
(1) Initial compliance
(A) In general
(B) Special rule for small health plans
(2) Compliance with modified standards
(3) Construction
Nothing in this subsection shall be construed to prohibit any person from complying with a standard or specification by—
(A) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse; or
(B) receiving standard data elements through a health care clearinghouse.
(Aug. 14, 1935, ch. 531, title XI, § 1175, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2027.)
§ 1320d–5. General penalty for failure to comply with requirements and standards
(a) General penalty
(1) In general
Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part—
(A) in the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);
(B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D); and
(C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect—
(i) if the violation is corrected as described in subsection (b)(3)(A),[1] a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D); and
[1] So in original. Probably should be “(b)(2)(A),”.
(ii) if the violation is not corrected as described in such subsection, a penalty in an amount that is at least the amount described in paragraph (3)(D).
In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.
(2) Procedures
(3) Tiers of penalties described
For purposes of paragraph (1), with respect to a violation by a person of a provision of this part—
(A) the amount described in this subparagraph is $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000;
(B) the amount described in this subparagraph is $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;
(C) the amount described in this subparagraph is $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and
(D) the amount described in this subparagraph is $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
(b) Limitations
(1) Offenses otherwise punishable
(2) Failures due to reasonable cause
(A) In general
(B) Extension of period
(i) No penalty
(ii) Assistance
(3) Reduction
(c) Noncompliance due to willful neglect
(1) In general
(2) Required investigation
(d) Enforcement by State attorneys general
(1) Civil action
Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—
(A) to enjoin further such violation by the defendant; or
(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).
(2) Statutory damages
(A) In general
(B) Limitation
(C) Reduction of damages
(3) Attorney fees
(4) Notice to Secretary
The State shall serve prior written notice of any action under paragraph (1) upon the Secretary and provide the Secretary with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Secretary shall have the right—
(A) to intervene in the action;
(B) upon so intervening, to be heard on all matters arising therein; and
(C) to file petitions for appeal.
(5) Construction
(6) Venue; service of process
(A) Venue
(B) Service of process
In an action brought under paragraph (1), process may be served in any district in which the defendant—
(i) is an inhabitant; or
(ii) maintains a physical place of business.
(7) Limitation on State action while Federal action is pending
(8) Application of CMP statute of limitation
(e) Allowing continued use of corrective action
(Aug. 14, 1935, ch. 531, title XI, § 1176, as added
§ 1320d–6. Wrongful disclosure of individually identifiable health information
(a) Offense
A person who knowingly and in violation of this part—
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b). For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.
(b) Penalties
A person described in subsection (a) shall—
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
(Aug. 14, 1935, ch. 531, title XI, § 1177, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2029; amended Pub. L. 111–5, div. A, title XIII, § 13409, Feb. 17, 2009, 123 Stat. 271.)
§ 1320d–7. Effect on State law
(a) General effect
(1) General rule
(2) Exceptions
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall not supersede a contrary provision of State law, if the provision of State law—
(A) is a provision the Secretary determines—
(i) is necessary—
(I) to prevent fraud and abuse;
(II) to ensure appropriate State regulation of insurance and health plans;
(III) for State reporting on health care delivery or costs; or
(IV) for other purposes; or
(ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
(b) Public health
(c) State regulatory reporting
(Aug. 14, 1935, ch. 531, title XI, § 1178, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2029.)
§ 1320d–8. Processing payment transactions by financial institutions
To the extent that an entity is engaged in activities of a financial institution (as defined in section 3401 of title 12), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following:
(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer.
(2) The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)—
(A) for transferring receivables;
(B) for auditing;
(C) in connection with—
(i) a customer dispute; or
(ii) an inquiry from, or to, a customer;
(D) in a communication to a customer of the entity regarding the customer’s transactions, payment card, account, check, or electronic funds transfer;
(E) for reporting to consumer reporting agencies; or
(F) for complying with—
(i) a civil or criminal subpoena; or
(ii) a Federal or State law regulating the entity.
(Aug. 14, 1935, ch. 531, title XI, § 1179, as added Pub. L. 104–191, title II, § 262(a), Aug. 21, 1996, 110 Stat. 2030.)
§ 1320d–9. Application of HIPAA regulations to genetic information
(a) In general
The Secretary shall revise the HIPAA privacy regulation (as defined in subsection (b)) so it is consistent with the following:
(1) Genetic information shall be treated as health information described in section 1320d(4)(B) of this title.
(2) The use or disclosure by a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare supplemental policy of protected health information that is genetic information about an individual for underwriting purposes under the group health plan, health insurance coverage, or medicare supplemental policy shall not be a permitted use or disclosure.
(b) Definitions
For purposes of this section:
(1) Genetic information; genetic test; family member
(2) Group health plan; health insurance coverage; medicare supplemental policy
(3) HIPAA privacy regulation
(4) Underwriting purposes
The term “underwriting purposes” means, with respect to a group health plan, health insurance coverage, or a medicare supplemental policy—
(A) rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy;
(B) the computation of premium or contribution amounts under the plan, coverage, or policy;
(C) the application of any pre-existing condition exclusion under the plan, coverage, or policy; and
(D) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
(c) Procedure
(d) Enforcement
(Aug. 14, 1935, ch. 531, title XI, § 1180, as added Pub. L. 110–233, title I, § 105(a), May 21, 2008, 122 Stat. 903.)