Testimony of
Henry R. Desmarais, MD, MPA
Senior Vice President for Policy and Information
Health Insurance Association of America

The "Minimum Necessary" Standard under the HIPAA Privacy Regulation

Before the

National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality

August 22, 2001

I. Introduction

Chairman Rothstein, distinguished members of the Subcommittee, I am Dr. Henry R. Desmarais, Senior Vice President for Policy and Information for the Health Insurance Association of America (HIAA). I am very pleased to be here today to discuss the "minimum necessary" standard contained in the health privacy regulation issued by the Department of Health and Human Services (HHS). As you know, Congress directed HHS to develop the privacy regulation under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIAA is the nation's most prominent trade association representing the private health care system. Our more than 300 members provide health, long-term care, dental, disability, and supplemental coverage to more than 123 million Americans. We are also the nation's premier provider of self-study courses on health insurance and managed care.

I want to emphasize that HIAA supports strong, nationally uniform confidentiality standards, and our members are committed to maintaining the confidentiality of the health information entrusted to them. We are anxious to work with all stakeholders to ensure that the privacy regulation strikes the right balance between strong confidentiality protections and maintaining the beneficial flow of information within the health care system.

II. Executive Summary

We are encouraged by recent statements from HHS indicating that they intend the minimum necessary standard to be applied with flexibility, taking into account the capabilities of the health plan, health care provider, or other covered entity involved. We are hopeful that this guidance will help mitigate problems that may arise with the minimum necessary standard. Nevertheless, we continue to have several significant concerns:

  1. Because the minimum necessary standard is inherently vague, we are concerned that it will lead to "defensive" restrictions on the flow of information between providers and health plans due to fears about the legal risk of disclosing information. We believe this may have negative consequences for the quality and affordability of health coverage.
  2. We are concerned that the standard places covered entities that receive requests for information in the position of evaluating whether the information requested is the "minimum necessary" when only the entity making the request has a truly informed basis for making that determination.
  3. We are concerned that the standard is susceptible to misuse to shield wasteful, abusive, or fraudulent activities.
  4. We are concerned that the standard may compromise the ability of health plans to assess risk, which is necessary to set premium rates that are fair and sufficient to cover expected claims; we also are concerned that the standard may compromise the ability of health plans to obtain the information needed to process claims.
  5. It is proving difficult to implement the minimum necessary standard without having a final data security rule in place.
  6. The minimum necessary standard will be very costly for health plans to implement.

Because of these problems, we believe that the minimum necessary standard simply may not be a workable concept as a regulatory standard. As HHS implicitly acknowledged in the Guidance on the privacy regulation released on July 6, 2001,(1) it is impossible to say with any certainty what constitutes "reasonable efforts" to limit information to the "minimum necessary" amount. Accordingly, we have recommended to HHS that the minimum necessary standard should be removed from the privacy regulation. In our view, the other substantial protections established by the regulation are sufficient to create strong safeguards for the confidentiality of protected health information while avoiding the potentially serious complications the minimum necessary standard presents.

III. Major Requirements Under the Minimum Necessary Standard

To put this discussion in context, let me review the major requirements established by the minimum necessary standard.

The privacy regulation provides that covered entities must make "reasonable efforts" when using or disclosing "protected health information" (PHI) and when requesting PHI from another covered entity to limit the information to the "minimum necessary" amount needed to accomplish the intended purpose of the use, disclosure, or request.

With respect to uses of PHI within a covered entity, the regulation requires that the covered entity:

  1. Identify the persons or classes of persons who need access to PHI to carry out their duties;
  2. For each such person or class, identify the categories of information to which access is needed and any conditions appropriate to access; and
  3. Make reasonable efforts to limit access accordingly.

With respect to disclosures of PHI, the requirements vary according to whether the disclosure is routine or non-routine:

  1. For "routine and recurring" disclosures, the covered entity must establish policies and procedures (which may be standard protocols) to limit the information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure;
  2. For all other disclosures, the covered entity must establish criteria to evaluate the disclosure on an individual basis and limit information disclosed to the amount reasonably necessary.

Parallel rules apply to requests for disclosure of PHI from a covered entity.

In addition, the regulation provides that covered entities may not use, disclose, or request an entire medical record unless the entire record is "specifically justified" as the amount of information reasonably necessary. According to the Guidance, the required justification need not be made on a case-by-case basis and may be contained in policies and procedures established by the covered entity.

The regulation creates certain exceptions to the minimum necessary standard. Disclosures to, or requests by, a provider for treatment purposes are exempt from the standard. In addition, the Guidance states that most uses or disclosures that are made pursuant to a written authorization from the individual are exempt, although we believe that further clarification is needed in this area. Finally, there are some circumstances where a covered entity may rely on the amount of PHI requested as being the minimum necessary if reliance is "reasonable under the circumstances." For example, a covered entity may rely on a requested disclosure of PHI from another covered entity as being the minimum necessary amount.

IV. Concerns with the Minimum Necessary Standard

HIAA is concerned that the legal uncertainty and risk created by the minimum necessary standard may lead to "defensive" information practices, resulting in restrictions on the appropriate and beneficial flow of information within the health care system. Health plans must have access to PHI maintained by providers to perform quality assessment and improvement programs. In addition, disclosure of PHI by providers is necessary for utilization review, case management, disease management, and other functions performed by health plans to maintain the affordability of health coverage and improve outcomes. If the minimum necessary standard results in diminished availability of information for these purposes, the quality and affordability of health coverage inevitably will suffer.

As HHS implicitly acknowledges, the minimum necessary standard is inherently subjective and highly fact-based. The Guidance released on July 6, 2001 states that HHS expects covered entities to exercise "substantial discretion as to how to implement the minimum necessary standard, and appropriately and reasonably limit access to the use of identifiable health information...."(2) Similarly, the Guidance states that the standard "requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly."(3)

On the one hand, this flexibility is helpful to covered entities as they seek to develop compliance programs that fit with their operations. On the other hand, the flexibility introduces a great deal of uncertainty regarding what is necessary to comply with the regulation. With this uncertainty comes legal risk. We are concerned that covered entities seeking to minimize their exposure to liability will, understandably, err on the side of being overly restrictive.

This problem is compounded by the fact that the minimum necessary standard inappropriately places covered entities receiving requests for information in the position of evaluating whether the requested information is the "minimum necessary" amount. Only the entity making a request for information has an informed basis for determining whether the information is the minimum necessary for its purposes. This aspect of the standard almost certainly will lead to inappropriate restrictions on the disclosure of health information.

We also are concerned that the minimum necessary standard may be used to shield wasteful, abusive, and fraudulent activities. Because the standard is highly subjective, it will be all too easy for bad actors to use it to justify withholding information that would provide evidence of upcoding, misdiagnosis, over-treatment, or outright fraud. We think our concerns are justified in light of recent reports documenting the pervasiveness of fraudulent and abusive practices in the health care system. A recent study by the General Accounting Office found that popular health care billing consultants were advising providers to engage in a number of abusive practices, including failing to report or refund overpayments from insurers and performing tests that are not medically necessary in order to justify billing for evaluation and management services at a higher level.(4) The GAO has estimated that as much as 10 percent of the nation's total expenditures on health care is attributable to fraudulent or abusive activities.(5) According to the HHS Office of the Inspector General, the Medicare fee-for-service program made an estimated $11.9 billion in improper payments last year.(6) HIAA's own research shows that private health plans investigated over 42,000 suspected fraud cases in 1998.(7)

In addition, we are concerned that unless HHS clarifies the application of the minimum necessary standard to uses and disclosures authorized by the individual, the regulation could compromise the ability of health plans to assess risk and obtain information necessary to evaluate and process claims. Proper assessment of risk through underwriting is essential to setting premium levels that are fair and sufficient to cover expected claims. Efficient and timely processing of claims, of course, is an equally important function.

HHS states in the Guidance that the minimum necessary standard does not apply to most uses and disclosures of PHI made pursuant to a written authorization from the individual. The Guidance specifically states, for example, that the standard does not apply to an authorization to disclose PHI for purposes of underwriting insurance products that are not covered by the regulation--for example, life insurance policies--or for purposes of processing a claim under such non-covered products. The Guidance, however, fails to clarify that the minimum necessary standard does not apply to authorized disclosures of PHI made for purposes of underwriting, claims payment, or other "treatment," "payment," or "health care operations" (TPO) functions relating to covered insurance products. This is an important issue and should be clarified in further guidance or rulemaking. I should mention that we do not believe an authorization should be required in the first place for underwriting, claims payment, or other TPO functions performed in connection with covered products, and we will be asking HHS to make that change to the rule.

It is proving difficult for our members to move forward in implementing the minimum necessary standard without having the benefit of a final regulation on data security. As you know, HHS issued a proposed regulation on data security in August of 1998.(8) No final regulation has yet been issued, and it is unclear when the final regulation will be available.

There are many areas in which the requirements of the minimum necessary standard and the proposed security rule substantially overlap. To offer just one example, the proposed security regulation provides that covered entities must establish formal, documented policies and procedures for granting different levels of access to health care information, including all of the following:

  1. "Access authorization"--that is, "information-use policies and procedures that establish the rules for granting access (for example, to a terminal, transaction, program, process, or some other user)";
  2. "Access establishment"--that is, "security policies and rules that determine an entity's initial right of access to a terminal, transaction, program, process, or some other user"; and
  3. "Access modification"--that is, "security policies and rules that determine the types of, and reasons for, modification to an entity's established right of access to a terminal, transaction, program, process, or some other user."(9)

Clearly, each of these requirements has implications for the policies and procedures limiting internal access to PHI that covered entities are required to establish under the minimum necessary standard. HHS has stated that it does not intend to change the requirements of the proposed security rule when it is issued in final. We hope that the agency will make good on that promise, as any substantial changes to the security regulation will mean that covered entities will have to retool their privacy compliance programs at substantial cost. We believe that the final security rule should be issued without further delay.

The minimum necessary standard will be very costly to implement. HHS determined that the standard would be among the most costly requirements of the privacy rule. According to HHS, the total cost of implementing the standard over 10 years will be $5.75 billion.(10) We believe this estimate is much too low. A recent study by First Consulting Group prepared for the American Hospital Association found that implementing the minimum necessary standard could cost as much as $19.8 billion over five years for hospitals alone.(11)

V. Conclusion

Even without the minimum necessary standard, the privacy regulation contains considerable restrictions on the amount of information and types of information that can be used and disclosed by covered entities. In our view, these restrictions are far more susceptible to objective and consistent application by covered entities than the minimum necessary standard. Moreover, they create strong confidentiality protections for individually identifiable health information.

It is a core principle of the rule that a covered entity may not use or disclose PHI for purposes other than treatment, payment, health care operations, and certain other limited purposes without obtaining a written authorization from the individual. In addition, the regulation requires that any use or disclosure of PHI by a covered entity must be consistent with the stated uses and disclosures of PHI in the covered entity's notice of privacy practices, which must be furnished to all individuals. We believe that these central requirements of the regulation, coupled with the privacy policies and procedures that every covered entity must establish and enforce, are sufficient to ensure that the confidentiality of PHI is maintained.


1 U.S. Department of Health and Human Services, Office of Civil Rights, "Standards for Privacy of Individually Identifiable Health Information," July 6, 2001.

2 Guidance at p. 17.

3 Id.

4 U.S. General Accounting Office, Health Care Consultants' Billing Advice May Lead to Improperly Paid Insurance Claims, GAO-01-818, June 2001.

5 U.S. General Accounting Office, Health Insurance: Vulnerable Payers Lose Billions to Fraud and Abuse, T-HRD-92-29, May 7, 1992.

6 Department of Health and Human Services, Office of Inspector General, Improper Fiscal Year 2000 Medicare Fee-for-Service Payments, A-17-00-02000, February 2001.

7 Thomas D. Musco and Kathleen H. Fyffe, Health Insurers' Anti-Fraud Programs, HIAA, 1999.

8 Security and Electronic Signature Standards; Proposed Rule, 63 Fed. Reg. 43241, August 12, 2001.

9 Proposed Security and Electronic Signature Standards § 142.308(a)(5).

10 65 Fed. Reg. 82461, 82767, December 28, 2000.

11 First Consulting Group, Report on the Impacts of the HIPAA Final Privacy Rule on Hospitals, Prepared for the American Hospital Association, March 2001.