What guidance does HIPAA offer to providers considering familial risk notification and cascade genetic testing?

Nora B Henrikson; Jennifer K Wagner; Heather Hampel; Christopher DeVore; Nirupama Shridhar; Janet L Williams; Katherine E Donohue; Iftikhar Kullo; Anya E R Prince

doi:10.1093/jlb/lsaa071

. 2020 Dec 11;7(1):lsaa071. doi: 10.1093/jlb/lsaa071

What guidance does HIPAA offer to providers considering familial risk notification and cascade genetic testing?

Nora B Henrikson ^1,^✉,², Jennifer K Wagner ^2,³, Heather Hampel ^3,⁴, Christopher DeVore ⁴, Nirupama Shridhar ^5,⁵, Janet L Williams ^6,⁶, Katherine E Donohue ^7,⁷, Iftikhar Kullo ^8,⁸, Anya E R Prince ^9,⁹

¹ Kaiser Permanente Washington Health Research Institute, Seattle, WA, USA

² Geisinger Health System, Danville, PA, USA

³ Ohio State University, Comprehensive Cancer Center, Columbus, OH, USA

⁴ Asian Pacific American Institute for Congressional Studies, Washington DC, USA

⁵ Washington State Department of Health, Tumwater, WA USA

⁶ Geisinger Health System, Danville, PA, USA

⁷ The Icahn School of Medicine at Mount Sinai, New York, NY

⁸ Mayo Clinic, Rochester, MN, USA

⁹ University of Iowa, College of Law, Iowa City, IA, USA

^✉

Corresponding author. E-mail: Nora.B.Henrikson@kp.org

Nora B. Henrikson, PhD MPH is an assistant investigator at Kaiser Permanente Washington Health Research Institute in Seattle, Washington. Her research interests include the ethical, legal, and social implications of clinical integration of genetic and genomic testing.

Jennifer K. Wagner, JD, PhD is an assistant professor in the Center for Translational Bioethics & Health Care Policy and associate director of Bioethics Research at Geisinger. She is also a solo practicing attorney. Dr Wagner earned her JD at the University of North Carolina School of Law and her PhD in Anthropology at the Pennsylvania State University before completing postdoctoral appointments at Duke University and the University of Pennsylvania. She is a member of several professional organizations, including the American Association for the Advancement of Science, American Society of Human Genetics, American Association of Physical Anthropologists, American Association of Anthropological Genetics, Centre County Bar Association, Pennsylvania Bar Association, and American Bar Association. Dr Wagner has served as chair of the ASHG Social Issues Committee, co-chair of the AAPA Ethics Committee, and member of the PBA Cybersecurity and Data Privacy Committee.

⁴

Heather Hampel is a professor in the Department of Internal Medicine and associate director of the Division of Human Genetics. She coordinated the Columbus-area Lynch syndrome study that determined the frequency of Lynch syndrome among newly diagnosed patients with these cancers. She is the principal investigator (PI) of the Ohio Colorectal Cancer Prevention, a statewide study to identify patients with hereditary cancer syndromes and provide cascade testing to their at-risk family members. Heather was the Region IV Representative on the Board of Directors of the National Society of Genetic Counselors in 2003–04. She was on the Board of Directors for the American Board of Genetic Counseling from 2006 to 2011, serving as President in 2009 and 2010. She has been on the Steering Committee of the National Colorectal Cancer Roundtable since 2016. She was on the Council of the Collaborative Group of the Americas on Inherited Colorectal Cancer from 2016 to 2019, serving as president in 2017–18.

⁵

Nirupama Nini Shridhar, PhD, MPH is an epidemiologist and the Genetic Services specialist at the Washington State Department of Health. She works on ensuring access to genetic services, and translating evidence-based genomic research into public health practice. She earned her MPH and her PhD in Public Health Genetics from the University of Washington. Her work focuses on the use of empirical data to assess core public health functions and health equity in public health genomics.

⁶

Janet L. Williams, MS, LGC obtained a Master’s Degree in Medical Genetics at the University of Wisconsin-Madison. Ms. Williams has held a variety of genetic counseling positions in multiple locations across the country including Wisconsin, Utah, California, and Pennsylvania. For the past 25 years, she has worked in integrated healthcare systems including Gundersen Health System in La Crosse, WI, Intermountain Healthcare in Salt Lake City, UT, and now Geisinger in Danville, PA. Currently, Janet is an assistant professor and senior researcher at Geisinger in the Genomic Medicine Department. Janet is past chair of the National Society of Genetic Counselors Outcomes Committee and is past President of the Accreditation Council for Genetic Counseling.

⁷

Katherine Donohue, MS, MA, CGC is a genetic counselor in the Institute for Genomic Health at the Icahn School of Medicine at Mount Sinai in New York City. She is an investigator on the NYCKidSeq study, a clinical research trial and member of the Clinical Sequencing Evidence-Based Research (CSER) Consortium that provides whole-genome sequencing to minority pediatric patients in Harlem and the Bronx. She is also a member of the Mount Sinai Hospital Clinical Ethics Committee. Katherine is currently interested in the intersection of genetics, bioethics, and public policy, particularly in relation to cascade screening and implementation science in the context of diverse populations.

⁸

Iftikhar Kullo is a clinician–investigator in the Department of Cardiovascular Medicine at the Mayo Clinic, Rochester, MN. His research is focused on the genetic basis of atherosclerosis and lipid disorders as well as implementation of genomic medicine. He is the PI of the Mayo electronic MEdical Records and GEnomics (eMERGE) grant and is conducting a clinical trial of cascade testing in familial hypercholesterolemia.

⁹

Anya Prince is an associate professor at the University of Iowa College of Law and a member of the University’s Genetics Cluster. Her research explores the ethical, legal, and social implications of genomic technologies, with a particular focus on insurer use of genetic information. Professor Prince has published a variety of articles in legal, bioethics, and medical journals, including the Iowa Law Review, Nebraska Law Review, American Journal of Bioethics, Journal of Law, Medicine, and Ethics, JAMA, Journal of Law and the Biosciences, and Genetics in Medicine. She is a recipient of a five-year Pathway to Independence Award (K99/R00) from the National Human Genome Research Institute (NHGRI) at the National Institutes of Health (NIH).

PMCID: PMC8249115 PMID: 34221429

Abstract

Background

It is unclear how the Health Insurance Portability and Accountability Act (HIPAA) should be interpreted in the context of sharing of genomic information between family members.

Methods

The authors analyzed the HIPAA Privacy Rule, reviewed the literature and constructed a clinical scenario to inform how HIPAA can be interpreted for multiple forms of patient- and provider-mediated genetic risk notification.

Results

Under HIPAA, healthcare providers can lawfully notify relatives to recommend genetic risk assessment using multiple approaches, including supporting the patient telling their own relatives, contacting relatives directly with the patient’s authorization, or contacting a relative’s provider directly.

Conclusions

Multiple forms of patient- or provider-mediated contact of relatives are already legally permissible under HIPAA, are consistent with ethical obligations of care to patients and their families, and could result in improved population health through identification of clinically actionable disease risk. Unanswered questions remain about implementation and impacts of provider-mediated programs.

Keywords: familial implications, genetic testing, genomics, HIPAA, physician duty, privacy

I. INTRODUCTION

Cascade genetic screening is the practice of identifying and offering testing to biological relatives of individuals known to carry pathogenic genetic variants. Cascade genetic screening for certain autosomal dominant conditions, such as familial hypercholesterolemia, hereditary breast and ovarian cancer syndrome (HBOC), and Lynch syndrome (LS), involves offering testing to at-risk relatives once one individual has been identified as having a pathogenic variant through genetic testing. Cascade testing generally starts with those at the highest risk (first-degree relatives such as parents, siblings, and children) and then proceeds to the first-degree relatives of those who test positive (e.g., the biological children of the proband’s affected biological siblings and the biological siblings of the proband’s affected biological parents). In this way, testing is always being offered to an individual who has a 50 per cent chance of having inherited the pathogenic variant.

The importance of identifying affected relatives is high, since these variants are considered clinically actionable, and potential intervention—such as enhanced surveillance, early treatment, or preventive surgery—can improve health outcomes or prevent disease for individuals with these pathogenic variants.¹ With the advent of precision medicine and the rapid proliferation of massive amounts of genomic sequencing data, the number of clinically actionable variants is likely to increase, and therefore, the number of individuals who need cascade screening will also increase.

Cascade testing typically involves coordinating counseling and testing for relatives who might not receive care from the same providers as the proband. Questions remain about how providers can communicate to a patient’s relatives about cascade testing in a way that is effective medically while remaining within legal and ethical bounds.

The authors of this paper are medicine, law, public health, genetics, research, and public policy professionals. The group identified a need to summarize how federal law, specifically regulations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, pertain to contacting the at-risk relatives of patients who carry a pathogenic variant associated with any actional autosomal dominant condition such as familial hypercholesterolemia, LS, and/or HBOC. The group members reviewed HIPAA Privacy Rule regulations, including proposed and final administrative rules, which are relevant to providers’ role in familial risk notification.² The group then created a realistic hypothetical case in which a provider might wish to notify at-risk relatives and encourage cascade genetic testing, along with seven potential clinical actions that could result. The group weighed the clinical actions against HIPAA requirements, sought input from HIPAA experts, and conducted a targeted literature search for evidence on the effectiveness each action.

In this paper, we analyze whether and how the HIPAA Privacy Rule applies to scenarios in which providers wish to encourage cascade testing of their patients’ relatives. We focus on a subsection of HIPAA regarding the treatment of others.³ We first present the current practices employed in the USA to communicate with high-risk relatives. We then discuss and analyze HIPAA in the context of a hypothetical case example. In addition to federal law, state-specific laws might restrict information sharing by providers as well. However, analysis of individual state laws or any case law is beyond the scope of this paper.⁴

II. CURRENT PRACTICES

The current standard in the USA is that providers encourage their patients to inform relatives of potential genetic risk. Each family member is then responsible for choosing to pursue genetic testing. This model is known as indirect or patient-mediated risk notification.⁵

On the opposite end of the spectrum from patient-mediated risk notification is direct or provider-mediated contact, where a provider directly contacts a patient’s relatives. There has been wide consensus that providers have no legal duty to warn relatives directly of potential inherited risk. While lower court cases in the USA found such a duty in the 1990s, these do not create precedent for the vast majority of healthcare providers and there have not been similar cases decided in the USA since.⁶ Despite this, the spector of a legal duty to warn remains a topic of discussion in the USA and across the globe. Indeed, in March 2020, a court in the UK held that healthcare providers legally must balance the interests of patient confidentiality and third-party (family member) risk.⁷

Despite no broad legal duty to warn relatives, providers often report a sense of duty to do so.⁸ A sense of conflicting obligations might be particularly evident when a patient proband cannot or will not notify their own relatives or when a provider cares for multiple biologically related individuals. A survey of US genetic counselors (n = 259) found that 46 per cent of counselors had encountered cases where a patient refused to inform a relative of their risk, and 63 per cent of the total sample endorsed the idea that genetic counselors have an obligation to inform at-risk relatives.⁹ Another study found that 69 per cent of medical geneticists (n = 209) reported an obligation to notify their patients’ relatives of a potential genetic risk.¹⁰

Although a healthcare provider’s legal and ethical duties have always been focused on an individual patient, some literature suggests an expansion of individual-level genomic medicine to include a patient’s relatives. Frameworks include an ‘ethic of care’ that expands the health professional role to include direct communication to relatives of genetic testing patients¹¹ or an expansion of the provider role in genetic medicine to include a ‘family covenant’ that recognizes a physician duty to all family members.¹² The idea of a ‘joint account’ has also been put forward to conceptualize the unique nature of shared genetic information among family members.¹³ A number of clinical recommendations advocate for genetic testing of an individual for the benefit of others.¹⁴

These arguments may challenge the prevailing emphasis on individual patient privacy and autonomy. Further, questions remain about how a provider could simultaneously focus on both a patient and relatives while meeting ethical and legal norms regarding caring for the individual patient. Literature notes the tensions between individual and family interests and interpretation of duty considering the heterogeneity of conditions served by genetic services,¹⁵ along with other questions such as relatives’ right not to know and how best to respect both patient and family privacy.¹⁶

III. HIPAA AND GENETIC TESTING

The principal federal legislation governing providers’ protection of patient privacy is the HIPAA Privacy Rule.¹⁷ This Rule defines whether and how a patient’s protected health information (PHI) may be shared with third parties by ‘covered entities’, which include healthcare providers, health plans, and healthcare clearinghouses. These rules have been extended to apply to ‘business associates’ as well.¹⁸

While HIPAA itself is predominantly an insurance legislation, the HIPAA Privacy Rule establishes regulations for how covered entities must protect individually identifiable health information, called ‘protected health information’ or PHI.¹⁹ Genetic information can be a form of PHI if it is identifiable.²⁰ In general, HIPAA requires written authorization of the individual (patient) for uses and disclosures of PHI but includes a number of exceptions when PHI may be disclosed beyond the provider–patient dyad. These include patient care, law enforcement activities, healthcare operations, oversight and regulation activities, or activities required by medical examiners.

One of the most notable exceptions to patient authorization of health information disclosure is when information is shared for treatment. This allows disclosure between providers for treatment purposes: ‘a covered entity may disclose PHI for treatment activities of a healthcare provider’.²¹ Treatment is defined as ‘the provision, coordination, or management of healthcare and related services by one or more healthcare providers, including the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another’.²²

Typically, the treatment specification applies to the care of a single patient. A primary care physician, for example, can communicate with a genetic counselor about their patient in order to coordinate a treatment plan. However, in final rules regarding HIPAA regulations and in an accompanying FAQ, U.S. Department of Health and Human Services and its Office of Civil Rights has interpreted this to apply also to the treatment of another individual, such as family members.²³ The Rule permits, but does not require, such disclosure. A patient may request nondisclosure of PHI by filing a restriction, but generally the provider is not required to agree to or comply with the request.²⁴ Further, a covered entity is not required to obtain patient authorization for uses or disclosure of PHI for treatment, payment, or healthcare operations.²⁵

This interpretation of the treatment specification to HIPAA authorizations could expand how providers can approach cascade testing in the USA but is not without its controversy, mainly around the role of providers in direct contact of relatives.²⁶ A primary question is whether it is appropriate for providers to play such an active role in cascade testing, particularly if it is at the perceived expense of their patients’ privacy. What would use of this specification look like in practice? What should it be? What other ways can providers communicate with relatives under HIPAA? The following section explores these questions and others through the lens of a hypothetical clinical case.

IV. CLINICAL ACTIONS RELATED TO CASCADE TESTING PERMISSIBLE UNDER HIPAA

The following is a fictional clinical scenario, intended to be a composite of realistic choices faced by clinicians recommending familial notification for cascade testing. Clinical actions and their permissibility under HIPAA are described in Table 1 and described below in terms of whether each action is patient mediated or provider mediated.

Table 1.

Clinical sharing scenarios

*Considering only HIPAA and not any relevant state laws, may the covered entity (provider)…*	*Answer*
Patient-mediated approaches
Scenario 1: provide their patient with a letter or other information to share with her family members regarding their risk and testing options?	Yes. Any disclosure under this scenario would be made by the patient, who is not a covered entity.
Scenario 2: provide their patient with a ‘consent to contact’ form to provide to their relatives?	Yes. Any disclosure under this scenario would be made by the patient, who is not a covered entity.
Provider-mediated approaches
Scenario 3: directly contact their patient’s adult relatives, with authorization from the patient, for the purpose of recommending testing?	Yes. With authorization from the patient, the provider may contact the patient’s adult relatives.
Scenario 4: directly contact a patient’s adult relatives, without authorization from the patient, for the purpose of recommending testing?	No. Direct contact with a relative would not be permissible without authorization from the patient unless state public health law(s) acknowledge genetic risk information for a particular disease or condition as a ‘reportable condition’ for public health intervention.
Scenario 5: directly contact her patient’s adult relatives, over the patient’s objection, for the purpose of recommending testing?	No. If a patient has directed nondisclosure, even under the treatment of others exception, a covered entity is bound by this restriction.
Scenario 6: directly contact the provider of their patients’ relative, for the purpose of recommending testing?	Yes. A covered entity may disclose PHI without authorization for the purpose of treating another patient.
Public health-mediated approach
Scenario 7: directly contact the public health authorities to report a patient’s genetic risk, for the purposes of recommending cascade testing?	No, unless a state public health law acknowledges a particular genetic disease or condition as a ‘reportable condition’ thereby authorizing its disclosure to the public health authority.

Open in a new tab

Hypothetical case: Mary, after finding out she has breast cancer, receives genetic testing and learns that she has a pathogenic variant in the BRCA1 gene. Dr. G, her physician, recommends that her brother and sister also be tested. However, Mary is not in touch with her brother and is not willing to contact him. While she is willing to tell her sister, Mary is afraid she will not provide the correct information. Dr. G wants to contact Mary’s brother and sister to inform them that they have a 50 per cent risk for inheriting the causative pathogenic variant and to recommend testing. Dr. G knows that the brother is being treated by a colleague in the same health system. Both providers are covered entities.

IV.A. Patient-mediated approaches (Scenarios 1 and 2)

Patient-mediated approaches include those where the main responsibility for informing relatives falls with the patient but where the provider offers support to that process, most typically in the form of providing a letter (Scenario 1) or a consent to contact form (Scenario 2) for the patient to share with their relatives. These are the traditional methods currently used in clinical genetics for notifying at-risk relatives.

Any disclosures under these scenario would be made by the patient. HIPAA regulates when and how covered entities can disclose a patient’s PHI, but the patient is free to disclose their own health information to anyone.

Providers may also provide a letter for the patient to share with relatives, explaining why testing might be important within the family, to notify them about the mutation that has been identified in the family, their risk for inheriting it, the health conditions associated with it, and the benefits of getting tested.

Alternatively, providers might offer the patient a form to pass along to their relatives, where the relative can indicate their consent for the provider to contact them directly. The family member then completes the form and returns it to the clinic. Upon receipt, the provider could then contact the relative directly to recommend testing. This approach avoids any direct disclosure to relatives who might not want to know about their own risks. However, its effectiveness in promoting uptake of testing by relatives might be limited.

IV.A.1. Patient-mediated approaches: evidence for effectiveness

A growing corpus of evidence finds that patient-mediated approaches are not effective at reaching all needed relatives.²⁷ Only half of relatives of people with LS receive genetic testing,²⁸ and uptake of testing for HBOC (BRCA testing) among eligible relatives is only 20–30 percent.²⁹ A systematic review for HBOC and LS found that uptake of testing in at-risk relatives after the standard patient-mediated procedure was low, ranging from 21 to 44 per cent in studies where the genetic center reported testing outcomes in relatives and from 15 to 57 per cent in studies where the proband reported testing outcomes in relatives.³⁰

A relative may always choose to decline testing when offered, but once at-risk relatives receive adequate information, a majority will pursue genetic testing.³¹ However, up to a third of at-risk relatives go unnotified or remain unaware of their potential risk.³² Even studies designed to improve rates of relative testing show minimal improvement, including for consent-to-contact forms.³³ Thus, patient-mediated models ultimately result in missed opportunities: high-risk individuals not receiving recommended screening and follow-up care, potentially resulting in life-threatening disease that could have been prevented or diagnosed earlier.

IV.B. Provider-mediated (direct contact) approaches (Scenarios 3–5)

Provider-mediated approaches include those where the provider communicates directly with their patient’s relatives to recommend cascade testing. Under the HIPAA Privacy Rule, an individual may ‘direct[] the covered entity to transmit [a] copy of protected health information directly to another person designated by the individual’.³⁴ This purpose is separate from both disclosures to individuals involved in the patient’s care and disclosures necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death, which are subject to different requirements.³⁵ Thus, if the patient has provided authorization for direct contact, the provider may contact the relative directly (as in Scenario 3).

There is some concern that the covered entity would violate the relative’s right to privacy by contacting the relative without their prior authorization. Some have argued that a relative would need to provide consent to be contacted in the USA³⁶ This concern, however, is not necessarily grounded in the actual text of the HIPAA Privacy Rule and would seem inconsistent with a patient’s ability to direct their own PHI to a third party. Legally, a provider can contact the relative about a patient’s PHI with that patient’s authorization. It is then an ethical, not a legal, question as to whether this would violate privacy norms for the relative. For example, relatives may be uncomfortable to learn of genetic risk from someone outside their care team or that the patient shared their contact information.

Under HIPAA, disclosure of Mary’s PHI to a relative would not be permissible without authorization from the patient (Scenarios 4 and 5). While Dr G does not need Mary’s authorization to contact a family member, the potential issue is in the disclosure of Mary’s PHI. In Scenario 4, the provider did not specifically ask the patient for authorization to disclose test results, for example, at the time of testing or if the patient is now deceased or otherwise unavailable, where the patient neither actively declined nor provided authorization.

Even under the treatment of others specification, a patient may request nondisclosure of their PHI through a request that a covered entity restrict how it uses the patient’s PHI (Scenario 5).³⁷ If the provider agrees to such a request, a covered entity is bound by this restriction except under the public health exception. There are limited instances when a provider must agree to a requested restriction, such as when the patient has paid for the service that generated the information.³⁸

IV.B.1. Provider-mediated approaches: evidence for effectiveness

Data from outside the USA suggest provider-mediated approaches might be both effective and acceptable to patients. One center improved the proportion of at-risk first- and second-degree relatives being tested from 23 per cent (using patient-mediated processes) to 40 per cent of at-risk relatives being tested after implementation of provider-mediated direct contact of relatives in HBOC families through direct mail.³⁹ Another study used direct contact of at-risk relatives in HBOC families who had not come forward for testing after a patient-mediated approach, successfully contacting additional relatives, of whom virtually all decided to have testing.⁴⁰ In both studies, probands had provided their relatives’ contact information to researchers and the provider-mediated contact followed unsuccessful patient-mediated outreach. In Denmark, 66% of directly contacted relatives preferred contact from the hospital rather than from their own relative.⁴¹ Two USA-based studies found that provider-mediated approaches were largely acceptable to patients.⁴²^,⁴³

IV.C. Provider-to-provider approaches

A provider may contact the provider of a patient’s relative to recommend cascade testing (Scenario 6). Under the treatment of others specification and the HHS Office of Civil Rights interpretation of HIPAA,⁴⁴ the Rule permits a doctor to ‘disclose protected health information about a patient to another healthcare provider for the purpose of treating another patient (e.g., to assist the other healthcare provider with treating a family member of the doctor’s patient).”⁴⁵ In this context, it may be possible for genetic information to be disclosed for the purposes of care of multiple family members. However, though permissible, under HIPAA the provider is not required to conduct such outreach or disclosure. Additionally, as in Scenario 5, the patient may request that disclosures be limited and, if the request is agreed to, the provider must abide by this request.

In Scenario 6, the HIPAA treatment of others text is limited to communication between two providers. In this case, contact and information sharing between the patient’s provider and the relative’s provider would be permissible even without patient authorization. Provider-to-provider approaches are not well studied, and their acceptability to patients and relatives is, not well understood. One small study suggested that provider to provider contact might be less preferred than provider-to-relative direct contact.⁴⁶ It is also unclear how information should be disclosed between the relative and the relative’s provider.

IV.D. Public health-mediated approaches

While this paper has focused on the treatment of others specification to HIPAA, another exception could also be important in the context of cascade testing—the public health exception (Scenario 7). Under HIPAA, a covered entity may disclose PHI without patient authorization to a public health authority ‘for the purpose of preventing or controlling disease, injury, or disability’⁴⁷ or directly to any person who may ‘be at risk of contracting or spreading a disease or condition’ if the covered entity is ‘authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation’.⁴⁸ The public health exception has been used primarily in the context of communicable disease, where a standard of imminent harm has been applied given the time-sensitive nature of disease transmission. Countries outside the USA have explored public health approaches to cascade testing.⁴⁹

For the public health exception to encompass genetic risk, a change in law (either a change to the HIPAA exception itself or to authorizing state public health statutes) would be required to acknowledge genetic risk information as a reportable condition. The high risk of disease associated with some pathogenic variants and the effectiveness of preventive intervention (for example, some variants in the BRCA1/2 genes increase breast cancer risk to 45–65 per cent by age 70 years⁵⁰) in addition to the higher rates of transmission (50 per cent to all first-degree relatives), which is much higher than the risks of transmission for most communicable diseases, might one day warrant more active public health involvement in risk notification. If this happens, providers might be required to report certain genetic risk variants to public health authorities, who would then take responsibility for contacting at-risk relatives. Providers may then be permitted or required to intervene directly with at-risk relatives.

V. DISCUSSION

Familial notification of genetic risk is a major part of the promise of genomic medicine, as it might lead to improved health outcomes not just for individuals but for their biological relatives. As genomic medicine enters the mainstream healthcare practice, the current law needs to be clarified on the permissibility of directly contacting relatives and their providers to communicate potential genomic risk. This clarification is particularly needed given the little-known HHS treatment interpretation that disclosures can be made for other individuals without patient authorization. Increased knowledge of this interpretation might greatly expand the ability of healthcare providers to participate in risk notification. Moreover, the current lack of inclusion of autosomal dominant, highly penetrant genetic conditions as ‘reportable conditions’ drastically limits providers’ ability to pursue cascade testing through the public health exception, so in the current state, direct-contact cascade screening programs mediated by providers or health systems may be the only way that providers can reach at-risk relatives.

To date, interpretations of HIPAA have focused primarily on protecting individual patient privacy during the transmittal of PHI between covered entities and payers. Thus, a de facto standard has developed favoring patient-mediated approaches consistent with the strictest interpretation, and thus, the burden of disclosure has fallen to the patient. However, the HHS treatment interpretation, particularly considering the limitations of patient-mediated risk notification approaches, has the potential to drastically alter common conceptions of HIPAA and the goals of protecting patient privacy. Its implications should be carefully assessed.

Our analysis finds that several provider-mediated approaches are currently permissible under HIPAA, including contact of relatives with patient consent and provider-to-provider contact. Several approaches are also not permissible. In cases where the patient does not give permission or explicitly forbids disclosure,⁵¹ the legal authority to override patient objection would need to be clear, so direct contact of relatives over a patient’s explicit objection (Scenario 5) is likely to be unrealistic in most circumstances. The most likely scenario for a provider-to-provider approach (Scenario 6) might be between providers within single covered entity are treating multiple relatives, but provider-to-provider contact could also occur across covered entities.

It is possible that discourse could move toward a public health model for genetic risk (Scenario 7), particularly for conditions associated with very high risk of serious disease and where clinical intervention could alter the natural history of disease. However, this would require legal action, and debates are ongoing about the merits of such an approach.

Many unanswered questions remain around how direct contact programs could be implemented in the USA. For example, it is unclear what information would or should be shared between the relative and the relative’s provider in the provider-to-provider sharing. HIPAA sets forth a requirement that only the minimum necessary amount of information be shared for some allowable disclosures, but this primarily applies to disclosures under payment and healthcare operations.⁵² However, given that the HHS treatment of others interpretation would allow for the sharing of patient information for purposes beyond their own care, we suggest that the minimum necessary standard should be applied both to risk communications between providers for the treatment of relatives and to the information relayed from the relative’s provider to the relative. This would help to maximize privacy (for example, a provider might contact relatives directly to encourage genetic testing, but not include the patient’s name or the exact pathogenic variant), even in a context when the law might allow for broader sharing than patients realize. However, the effectiveness of varying levels of PHI in communicating potential risk to relatives is not well understood. Comparative studies of different approaches to implement such programs are needed.

In the absence of implementation of provider-mediated approaches in US settings, many knowledge gaps remain, including potential unintended consequences. Research needs include evidence on how to operationalize ‘minimum necessary’ information in the context of familial risk sharing; studies of provider-mediated contact in US settings and their impact on providers and health systems as well as patient and family experiences and outcomes; and continued legal and ethical analysis of needs and obligations of individual providers and care teams versus health systems. Special attention should be given to unintended consequences or harms to patients, families, and providers, including an unintended scope of practice creep over time from permissibility to an ethos of duty to warn relatives, and thus liability, which could negatively impact smaller practices in particular.

VI. CONCLUSION

Multiple forms of provider-mediated direct contact of relatives are already legally permissible under HIPAA. These approaches are consistent with ethical obligations of care to patients and families and could demonstrate improved health outcomes through identification of clinically actionable disease risk. Unanswered questions remain about whether this should or could become a legal duty to warn relatives and about the optimal implementation and effectiveness of direct contact programs in improving population health.

ACKNOWLEDGEMENTS

The authors are participants of a subgroup of the Genomics and Population Health Action Collaborative, an ad hoc activity associated with the Roundtable on Genomics and Precision Health at the National Academies of Sciences, Engineering, and Medicine, which considers the integration of evidence-based genomics applications. This article does not necessarily represent the views of any one organization, the Roundtable, or the National Academies and has not be subjected to the review procedures of, nor is it a report or product of, the National Academies. Jennifer K. Wagner’s contributions to this work were supported in part by Grant No. 1 U01 CA240747-01A1 ‘Feasibility and assessment of a cascade traceback screening program—FACTS’ from the National Institutes of Health and National Cancer Institute to Geisinger Clinic (PIs: Henrikson, Cabell, and Rahm).

Footnotes

R. C. Green et al., ACMG Recommendations for Reporting of Incidental Findings in Clinical Exome and Genome Sequencing, 15 Genet. Med. (2013); S. S. Kalia et al., Recommendations for Reporting of Secondary Findings in Clinical Exome and Genome Sequencing, 2016 Update (ACMG SF V2.0): A Policy Statement of the American College of Medical Genetics and Genomics, 19 Genet. Med. (2017).

Id.

⁴

Legal research focused on state-by-state considerations relevant to the HIPAA Public Health Exception is now underway, led by coauthor Jennifer K. Wagner with funding support from Grant No. 1 U01 CA240747-01A1 ‘Feasibility and Assessment of a Cascade Traceback Screening Program—FACTS’ from the National Institutes of Health and National Cancer Institute to Geisinger Clinic (MPIs: Henrikson, Cabell, and Rahm).

⁵

M. A. Rothstein, Reconsidering the Duty to Warn Genetically At-Risk Relatives, 20 Genet. Med. (2018).

⁶

Id.

⁷

R. Gilbar & C. Foster, Doctors’ Liability to the Patient’s Relatives in Genetic Medicine: ABC V St George’s Healthcare NHS trust[2015] EWHC 1394 (QB), 24 Med. Law Rev. (2016); ABC v. St George’s Healthcare NHS Trust [2020] EWHC 455.

⁸

B. Godard et al., Guidelines for Disclosing Genetic Information to Family Members: From Development to Use, 5 Fam. Cancer (2006); M. J. Falk et al., Medical Geneticists’ Duty to Warn At-Risk Relatives for Genetic Disease, 120A Am. J. Med. Genet. A (2003).

⁹

R. B. Dugan et al., Duty to Warn At-Risk Relatives for Genetic Disease: Genetic Counselors’ Clinical Experience, 119C Am. J. Med. Genet. C Semin. Med. Genet. (2003).

¹⁰

M. J. Falk et al., Medical Geneticists’ Duty to Warn At-Risk Relatives for Genetic Disease, 120A Am. J. Med. Genet. A (2003).

¹¹

M. Weaver, The Double Helix: Applying an Ethic of Care to the Duty to Warn Genetic Relatives of Genetic Information, 30 Bioethics (2016).

¹²

M. J. Falk et al., Medical Geneticists’ duty to warn at-risk relatives for genetic disease, 120A Am. J. Med. Genet. A (2003).

¹³

M. Parker & A. M. Lucassen, Genetic Information: A Joint Account?, 329 BMJ (2004).

¹⁴

A. E. R. Prince & B. E. Berkman, Reconceptualizing Harms and Benefits in the Genomic Age, 15 Per. Med. (2018).

¹⁵

S. Dheensa et al., Approaching Confidentiality at a Familial Level in Genomic Medicine: A Focus Group Study with Healthcare Professionals, 7 BMJ Open (2017); D. D’ Audiffret Van Haecke & S. de Montgolfier, Genetic Test Results and Disclosure to Family Members: Qualitative Interviews of Healthcare Professionals’ Perceptions of Ethical and Professional Issues in France, 25 J. Genet. Couns. (2016).

¹⁶

Ellen Wright Clayton et al., The Law of Genetic Privacy: Applications, Implications, and Limitations, J. Law Biosci. (2019); Donna M Gitter, The Ethics of Big Data in Genomics: The Instructive Icelandic Saga Of The Incidentalome, 18 Wash. U. Global Stud. L. Rev. (2019); B. E. Berkman et al., Scrutinizing the right not to know, 15 Am. J. Bioeth. (2015).

N. Juth, The Right Not to Know and the Duty to Tell: The Case of Relatives, 42 J. Law Med. Ethics (2014).

¹⁷

Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information. § 65 Fed. Reg. 82,462 (Department of Health and Human Services ed., Federal Register 2000); Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information. § 67 Fed. Reg. 53,182 (Department of Health and Human Services ed., Federal Register 2000).

¹⁸

Id.

¹⁹

Id.

²⁰

Id.

²¹

Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information. § 67 Fed. Reg. 164.506 (Department of Health and Human Services ed., Federal Register 2000).

²²

Office of the Secretary, Standards for Privacy of Individually Identifiable Health Information. § 67 Fed. Reg. 164.501 (Department of Health and Human Services ed., Federal Register 2000).

²³

Office of the Secretary, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and GINA; Other Modifications. § 78 Fed. Reg. 5668 (Department of Health and Human Services ed., Federal Register 2013).

²⁴

Office for Civil Rights, Under the HIPAA Privacy Rule, May a Health Care Provider Disclose Protected Health Information about an Individual to Another Provider, When Such Information is Requested for the Treatment of a Family Member of the Individual?, US Department of Health & Human Services (2009), https://www.hhs.gov/hipaa/for-professionals/faq/512/under-hipaa-may-a-health-care-provider-disclose-information-requested-for-treatment/index.html (accessed Mar. 2020).

²⁵

M. A. Rothstein, Reconsidering the Duty to Warn Genetically At-Risk Relatives, 20 Genet. Med. (2018)

²⁶

Id.

²⁷

F. H. Menko et al., The Uptake of Presymptomatic Genetic Testing in Hereditary Breast-Ovarian Cancer and Lynch Syndrome: A Systematic Review of the Literature and Implications for Clinical Practice, 18 Fam. Cancer (2019).

²⁸

R. N. Sharaf et al., Uptake of Genetic Testing by Relatives of Lynch Syndrome Probands: A Systematic Review, 11 Clin. Gastroenterol. Hepatol. (2013).

²⁹

G. Samimi et al., Traceback: A Proposed Framework to Increase Identification and Genetic Counseling of BRCA1 and BRCA2 Mutation Carriers Through Family-Based Outreach, 35 J. Clin. Oncol. (2017).

³⁰

³¹

E. Sermijn et al., The Impact of Proband Mediated Information Dissemination in Families With a BRCA1/2 Gene Mutation, 41 J. Med. Genet. (2004); K. I. Aktan-Collan et al., Sharing Genetic Risk With Next Generation: Mutation-Positive Parents’ Communication With Their Offspring in Lynch Syndrome, 10 Fam. Cancer (2011); M. B. Daly et al., Communicating Genetic Test Results Within the Family: Is It Lost in Translation? A Survey of Relatives in the Randomized Six-Step Study, 15 Fam. Cancer (2016); C. H. Leenen et al., Genetic Testing for Lynch Syndrome: Family Communication and Motivation, 15 Fam. Cancer (2016).

³²

J. M. Taber et al., Prevalence and Correlates of Receiving and Sharing High-Penetrance Cancer Genetic Test Results: Findings From the Health Information National Trends Survey, 18 Public Health Genomics (2015); K. D. Graves et al., Communication of Genetic Test Results to Family and Health-Care Providers Following Disclosure of Research Results, 16 Genet. Med. (2014); J. Fehniger et al., Family Communication of BRCA1/2 Results and Family Uptake of BRCA1/2 Testing in a Diverse Population of BRCA1/2 Carriers, 22 J. Genet. Couns. (2013); E. M. Stoffel et al., Sharing Genetic Test Results in Lynch Syndrome: Communication With Close and Distant Relatives, 6 Clin. Gastroenterol. Hepatol. (2008).

³³

M. C. Roberts et al., Delivery of Cascade Screening for Hereditary Conditions: A Scoping Review of the Literature, 37 Health Aff. (Millwood) (2018).

³⁴

Health Information Privacy Division, 45 CFR 164.524—Access of individuals to protected health information (US Department of Health & Human Services 2011).

³⁵

45 CFR 164.510—Uses and disclosures requiring an opportunity for the individual to agree or to object (US Department of Health & Human Services 2013).

³⁶

R. Andersen & L. Andersen, Examining Barriers to Cascade Screening for Familial Hypercholesterolemia in the United States, 10 J. Clin. Lipidol. (2016).

³⁷

³⁸

Id.

³⁹

G. K. Suthers et al., Letting the Family Know: Balancing Ethics and Effectiveness When Notifying Relatives About Genetic Testing for a Familial Disorder, 43 J. Med. Genet. (2006).

⁴⁰

E. Sermijn et al., The Impact of an Interventional Counselling Procedure in Families With a BRCA1/2 Gene Mutation: Efficacy and Safety, 15 Fam. Cancer (2016).

⁴¹

Helle Vendel Petersen et al., Unsolicited Information Letters to Increase Awareness of Lynch Syndrome and Familial Colorectal Cancer: Reactions and Attitudes, 18 Fam. Cancer (2019).

⁴²

N. B. Henrikson et al., ‘It Would Be So Much Easier”: Health System-Led Genetic Risk Notification-Feasibility and Acceptability of Cascade Screening in an Integrated System, J. Community Genet. (2019).

⁴³

R. Schwiter et al., Perspectives From Individuals With Familial Hypercholesterolemia on Direct Contact in Cascade Screening. J. Genet. Couns. (2020).

⁴⁴

Office for Civil Rights, Under the HIPAA Privacy Rule, May a Health Care Provider Disclose Protected Health Information About an Individual to Another Provider, When Such Information Is Requested For the Treatment of a Family Member of the Individual?, US Department of Health & Human Services (2009), https://www.hhs.gov/hipaa/for-professionals/faq/512/under-hipaa-may-a-health-care-provider-disclose-information-requested-for-treatment/index.html.

⁴⁵

M. A. Rothstein, Reconsidering the Duty to Warn Genetically At-Risk Relatives, 20 Genet. Med. (2018).

⁴⁶

N. B. Henrikson et al., “It Would Be So Much Easier”: Health System-Led Genetic Risk Notification-Feasibility and Acceptability of Cascade Screening in an Integrated System, J. Community Genet. (2019).

⁴⁷

45 C.F.R. § 164.512(b)(1)(i).

⁴⁸

45 C.F.R. § 164.512(b)(1)(iv)

⁴⁹

Carla G van El et al., Stakeholder Views on Active Cascade Screening for Familial Hypercholesterolemia, 6 InHealthcare 108 (2018).

⁵⁰

US Preventive Services Task Force et al. Risk Assessment, Genetic Counseling, and Genetic Testing for BRCA-Related Cancer: US Preventive Services Task Force Recommendation, 322 JAMA 653 (2019).

⁵¹

For pre-HIPAA Privacy Rule discussion of the ethical and legal challenges related to this situation, see, e.g., Sonia M. Suter, Whose Genes Are These Anyway? Familial Conflicts Over Access to Genetic Information, 91 Mich. L. Rev. 1854 (1993).

⁵²

Ellen Wright Clayton et al., The Law of Genetic Privacy: Applications, Implications, and Limitations, J. Law Biosci. (2019).

Contributor Information

Nora B Henrikson, Kaiser Permanente Washington Health Research Institute, Seattle, WA, USA.

Jennifer K Wagner, Geisinger Health System, Danville, PA, USA.

Heather Hampel, Ohio State University, Comprehensive Cancer Center, Columbus, OH, USA.

Christopher DeVore, Asian Pacific American Institute for Congressional Studies, Washington DC, USA.

Nirupama Shridhar, Washington State Department of Health, Tumwater, WA USA.

Janet L Williams, Geisinger Health System, Danville, PA, USA.

Katherine E Donohue, The Icahn School of Medicine at Mount Sinai, New York, NY.

Iftikhar Kullo, Mayo Clinic, Rochester, MN, USA.

Anya E R Prince, University of Iowa, College of Law, Iowa City, IA, USA.

PERMALINK

What guidance does HIPAA offer to providers considering familial risk notification and cascade genetic testing?

Nora B Henrikson

Jennifer K Wagner

Heather Hampel

Christopher DeVore

Nirupama Shridhar

Janet L Williams

Katherine E Donohue

Iftikhar Kullo

Anya E R Prince

Abstract

Background

Methods

Results

Conclusions

I. INTRODUCTION

II. CURRENT PRACTICES

III. HIPAA AND GENETIC TESTING

IV. CLINICAL ACTIONS RELATED TO CASCADE TESTING PERMISSIBLE UNDER HIPAA

Table 1.

IV.A. Patient-mediated approaches (Scenarios 1 and 2)

IV.A.1. Patient-mediated approaches: evidence for effectiveness

IV.B. Provider-mediated (direct contact) approaches (Scenarios 3–5)

IV.B.1. Provider-mediated approaches: evidence for effectiveness

IV.C. Provider-to-provider approaches

IV.D. Public health-mediated approaches

V. DISCUSSION

VI. CONCLUSION

ACKNOWLEDGEMENTS

Footnotes

Contributor Information

ACTIONS

PERMALINK

RESOURCES

Cite

Add to Collections

PERMALINK

What guidance does HIPAA offer to providers considering familial risk notification and cascade genetic testing?

Nora B Henrikson

Jennifer K Wagner

Heather Hampel

Christopher DeVore

Nirupama Shridhar

Janet L Williams

Katherine E Donohue

Iftikhar Kullo

Anya E R Prince

Abstract

Background

Methods

Results

Conclusions

I. INTRODUCTION

II. CURRENT PRACTICES

III. HIPAA AND GENETIC TESTING

IV. CLINICAL ACTIONS RELATED TO CASCADE TESTING PERMISSIBLE UNDER HIPAA

Table 1.

IV.A. Patient-mediated approaches (Scenarios 1 and 2)

IV.A.1. Patient-mediated approaches: evidence for effectiveness

IV.B. Provider-mediated (direct contact) approaches (Scenarios 3–5)

IV.B.1. Provider-mediated approaches: evidence for effectiveness

IV.C. Provider-to-provider approaches

IV.D. Public health-mediated approaches

V. DISCUSSION

VI. CONCLUSION

ACKNOWLEDGEMENTS

Footnotes

Contributor Information

ACTIONS

PERMALINK

RESOURCES

Similar articles

Cited by other articles

Links to NCBI Databases