Page 1 of 1
While the rest of us were enjoying our Memorial Day holiday, the Department of Labor was busy posting the new model FMLA notices and medical certification forms… with an expiration date of May 31, 2018!
No more month-to-month extensions or lost sleep over when the long-awaited forms would be released.
That said, it couldn’t have taken DOL a whole lot of time to draft the updated forms. After a relatively close review of the new forms, the notable change is a reference to the Genetic Information Nondiscrimination Act (GINA). In the instructions to the health care provider on the certification for an employee’s serious health condition, the DOL has added the following simple instruction:
Do not provide information about genetic tests, as defined in 29 C.F.R. § 1635.3(f), genetic services, as defined in 29 C.F.R. § 1635.3(e), or the manifestation of disease or disorder in the employee’s family members, 29 C.F.R. § 1635.3(b).
The DOL added similar language to the other medical certification forms as well. For years, employers have included GINA disclaimers in their FMLA paperwork, and those disclaimers typically have been far more robust (and reader-friendly) than the cryptic one the DOL used above.
For easy reference, here are the links to the new FMLA forms:
The forms also can be accessed from this DOL web page.
Does your company currently use forms created more than three years ago that asks for information about an applicant or an employee’s family medical history?
Do your supervisors and managers know that if they are “friended” by an employee on a social media site and they see medical information relating to the individual or the individual’s family member, they have violated a federal law and subjected the company to liability?
Has your company failed to update Family Medical Leave Act (FMLA), Americans with Disabilities Act (ADA), workers’ compensation, no-harassment, and other policies and procedures to comply with the Genetic Information Nondiscrimination Act (GINA)?
If you answered yes to any of these questions, you should review the impact of GINA so your company does not become the next GINA “headline.”
What Is GINA?
The Genetic Information Nondiscrimination Act (GINA) has been an active federal law for five years now. However, many employers still know little about the law. Enacted in 2008, GINA generally prohibits employers from engaging in three types of conduct:
Most attribute GINA’s enactment and requirements as a response to a trend in which employers sought to rely on genetic information in an attempt to screen out potentially unhealthy employees to help control their surging health care costs.
Inadvertent Collection Of Genetic Information
Many employers today pay little attention to GINA on the mistaken assumption that they do not collect genetic information. But there are three very common situations in which an employer can unknowingly collect genetic information.
First, employers regularly request medical documentation to support a potentially disabled employee’s request for a reasonable accommodation.
Second, employers regularly request medical documentation to support an employee’s request for leave under FMLA.
Third, many employers require a medical examination upon hire and, as a result, receive medical information in that context.
In each of these situations, the employer might acquire genetic information (without intentionally requesting it) and would violate GINA as a result of doing so. Fortunately, GINA provides a “safe harbor” that can protect an employer in such situations.
How To Avoid Noncompliance
When an employer requests medical information, it must warn the provider not to provide genetic information. When the employer makes such a warning, the “safe harbor” provision provides that any receipt of genetic information in response to their request will be deemed unintentional and not in violation of GINA.
As a result, it is imperative that employers include this specific warning any time that they request health-related information from a health care provider or an employee.
Of course, an employer could also obtain genetic information in a less formal situation. For example, a supervisor could obtain genetic information about an employee during a casual conversation, through email, or through social media. As long as the supervisor does not ask follow-up questions and does not take any employment-related action based on the accidentally acquired info, this information would be deemed unintentional. However, the use or disclosure of the accidentally acquired information would still violate GINA.
Does Your Wellness Program Violate GINA?
The federal regulations also make clear that an employer does not violate GINA if the employer requests genetic information as part of a “voluntary wellness program.”
For such a program to be deemed voluntary, the employer must show that:
Another reason that employers may be less knowledgeable about GINA (as compared to other federal laws) is that relatively few lawsuits have be filed since the law was enacted. According to EEOC statistics, there were just 280 charges of GINA-related discrimination filed in 2012, or around 0.3% of the overall charge filings for that year. However, the number of filed, GINA-related charges has increased by nearly 40% since the first year an individual could file under the statute.
Moreover, recent activity by the EEOC suggests that it would be best if employers begin reviewing their procedures now and taking the necessary steps to ensure they are GINA compliant.
Unknowing or unintentional violations of GINA are perhaps the most worrisome type of violations since they are the most likely to occur. This is particularly true for employers that rely on dated, pre-GINA human resources documents (including employment applications) or employment policies.
Employers should update existing nondiscrimination and anti-harassment policies and handbooks so that discrimination/harassment on the basis of genetic information is clearly prohibited. Similarly, employers should also update their Family Medical Leave Act (FMLA) and Americans with Disabilities Act (ADA) forms to include the requisite “safe harbor” language that warns employees and health care providers not to provide genetic information.
Employers also should ensure that an employee’s medical information is maintained separately from the employee’s personnel file, as required by the law.
For further information on GINA and its impact on your business or for assistance on insuring your company is GINA compliant, please do not hesitate to contact our office.
Under the 2013 Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules provisions, employers must update their health information disclosure policies and retrain employees to ensure compliance.
The Department of Health and Human Services (HHS) issued the new HIPAA regulations on January 25, 2013, to execute major changes that were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as the Genetic Information Nondiscrimination Act (GINA).
New Requirements for Business Associates
HIPAA regulations previously generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains, or transmits” personal health information (PHI).
The key addition in this part of the regulation is found in the word ‘maintains’ because any entity that ‘maintains’ PHI on behalf of a covered entity- even if no access to that information is required or expected- will now be considered a business associate.
This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions and do not have business associate agreements (BAAs) with such vendors.
If you give PHI to a vendor before a BAA is in place, you will be in violation of HIPAA, and if you are a vendor, you can’t receive PHI without a compliant BAA in place. There must be a compliant BAA in place first.
Another change is that plan sponsors must enter into a sub-BAA with agents or subcontractors who are retained to help a business associate with covered functions for an employer-sponsored health plan. Plan sponsors should include BAA language that states that a business associate can’t subcontract work without prior permission, and then to monitor compliance with those agreements.
Presumption of PHI Breach Introduced
Under the previous rules, an impermissible use or disclosure of PHI- including electronic PHI- was a breach only if it posed a significant risk of harm to the individual. The HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to breach-notification rules.
Under the new rules, the only way now to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised.
To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors- at a minimum:
The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.
Action Advised for 2013
While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny.
Employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors. Employers should also review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted. It is also important to train employees who have access to PHI on these updated policies and procedures.
The final regulations take effect September 23, 2013 and the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on January 1, 2013. HHS also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Employers should ultimately ensure that their business associate agreements are appropriately tailored to their individual circumstances and business needs.
The Department of Labor’s (DOL) prior set of forms for the Family and Medical Leave Act (FMLA) expired at the end of 2011. Most employers expected that the DOL’s newer forms, which can be found here, would comply with the applicable laws. Unfortunately, the DOL’s new FMLA forms, which state that they are valid through February 28, 2015, do not comply with the Genetic Information Nondiscrimination Act (GINA).
Although GINA generally prohibits employers with 15 or more employees from requesting or requiring “genetic information” from an applicant or employee, there is a safe harbor for employers who inadvertently recieve genetic information in response to a lawful request for for medical information, such as for FMLA purposes.
Employers who lawfully request medical information from a health care provider for FMLA certification purposes should include the following recommended “safe harbor” language found in the GINA regulations when making a request:
The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of employees and their family members. In order to comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. “Genetic information” as defined by GINA , includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual’s family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services.
Employers who use this language and still recieve genetic information from a health care provider will be deemed to have recieved the information inadvertently.
Employers should realize that they cannot always rely on government forms. Employers should add the GINA “safe harbor” language to any requests for medical information under the FMLA in order to avoid potential liability for GINA discrimination claims. The failure to do so leaves an employer at risk for possible discrimination under GINA, depending upon the type of information recieved in response to such a request.