NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

THE "MINIMUM NECESSARY" USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

Presentation by Kenneth W. Fody, Independence Blue Cross
On Behalf of the American Association of Health Plans

August 22, 2001

Kenneth W. Fody, Esq.
HIPAA Project Executive
Independence Blue Cross
1901 Market Street
Philadelphia, PA 19103
(215) 241-3832
kenneth.fody@ibx.com

Good morning. My name is Ken Fody and I am one of two HIPAA Project Executives for Independence Blue Cross. I am appearing today on behalf of the American Association of Health Plans (AAHP) to discuss the impact of the health information privacy rule issued by the Department of Health and Human Services (HHS) on health plan operations. That rule was issued pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

AAHP is the principal national organization representing HMOs, PPOs and other network plans. AAHP's member health plans provide or arrange health care services for over 150 million members nationwide. Independence Blue Cross (IBC) operates as a Blue Cross plan covering approximately 2.8 million people in the five-county Philadelphia area. IBC offers a complete product line of HMO, PPO, Point of Service and traditional coverages. We also provide Medicare+Choice, Medicare Supplement and Medicaid coverage, and IBC operates the Caring Foundation for Children, which has provided free healthcare to over 100,000 children over the last 10 years. IBC does business through subsidiaries such as La Cruz Azul de Puerto Rico (a.k.a. Blue Cross of Puerto Rico) and Blue Cross and Blue Shield of the U.S. Virgin Islands. We also have non-Blue operations in New Jersey and Delaware. The entire IBC family of companies covers approximately 4.5 million people and is expected to generate revenues of nearly $8 billion in 2001.

I have been asked to comment on the "minimum necessary" provisions of the health information privacy rule. The rule requires a covered entity that requests, discloses or uses protected health information to "make reasonable efforts" to limit itself "to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." For routine operations, a covered entity must establish policies and procedures that indicate what health information is the minimum necessary. For non-routine operations, this determination must be made on a case-by-case basis. The minimum necessary requirements affect not only a carrier's internal operations, but also the flow of information between entities covered by the privacy rule.

Generally, the Department of Health and Human Services is to be commended for its job in crafting the privacy rule. It reflects a careful balancing of individual privacy protections versus the need for information that is critical to the health care industry. I welcome the opportunity to discuss the minimum necessary requirement and the different points the subcommittee seeks to gather information about.

What are the Benefits of the Requirement?

The primary benefit occurs when a covered entity requests protected health information (PHI). Today, entities can request whatever information they choose and the process for making those requests can be ill defined. The privacy rule requires entities to create policies and procedures that provide guidance to employees on what PHI should be requested, disclosed or used in particular situations. Requests not covered by those policies and procedures will have to be reviewed before they are made in order to verify that the minimum necessary requirement is satisfied. Ultimately, this may not reduce the amount of PHI that is disclosed or used, but it will ensure that entities are consciously aware of their uses and disclosures.

What are the burdens of the requirement?

1. Drafting Policies and Procedures

The minimum necessary requirement is problematic for a number of activities typically undertaken by health plans. Functions that are categorized as "health care operations" under the privacy rule present a special challenge. For these functions, the range of information required, and the ways in which that information is used, vary widely both within and between entities. Many of these uses and disclosures cannot be anticipated in advance. Due to the diverse nature of these operations, a health plan is likely to encounter non-routine functions that require a case-by-case determination of what particular health information is the minimum necessary.

Even routine functions that appear standardized can be complex undertakings. Routine functions can require different information from one moment to the next. A claim processor may be looking at a claim for a routine office visit one minute and a claim for open-heart surgery the next. The variation becomes even greater when this standard is applied to "health care operations" such as underwriting, authorizations or disease management.

Health plans face the problem of either developing many different specific policies and procedures concerning minimum necessary information, or adopting very broad policies that cover categories of uses and disclosures. For example, for claims processing, a plan could conceivably adopt a specific policy for every different diagnostic and treatment code, or it can formulate a very broadly worded policy (which may not identify any specific information) that applies to all claims processing. If plans do the former, it will be a very time consuming and expensive process to create and maintain the policies. If they do the latter, they expose themselves to charges that they have failed to satisfy the requirement.

Recommendation: HHS should provide guidance making it clear that entities may develop policies and procedures that broadly describe the types of PHI necessary for categories of operations such as claims processing or grievance processing.

2. Varying interpretations - impact on data flow

The reality is that different covered entities - providers, group health plans, and carriers - will have different interpretations of what is the minimum necessary information for their purposes, and it is natural for them to use these interpretations to evaluate requests for PHI received from others. The problem is that the PHI that Covered Entity A needs is not the same PHI that Covered Entity B believes is necessary to perform the same operation. My definition of minimum necessary is not necessarily the same as your definition.

This discrepancy is harmless so long as the definitions do not conflict. They can conflict, however, when one entity has formulated a request for information and another entity is evaluating it (as will occur when a carrier requests information from a provider). If the entity providing the information uses a more restrictive definition of minimum necessary, the party making the request may be deprived of information that it needs. The entity receiving the request is inclined to be conservative; after all, it does not need the information but probably is worried about potential liability if the information ever is misused. Given the increasing pressure on carriers to process claims and authorization requests quickly, and provide greater oversight of quality, it is critical that such bickering not impede the flow of information.

The privacy rule does provide that a covered entity that has received a request for information from another covered entity "may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose." While helpful, this provision does not go far enough; there is still ample room for the entities to disagree over whether reliance is reasonable under the current circumstances. HHS should take further steps to ensure that plans and providers are not trapped in disagreements over the information that the plan requires to perform its essential functions.

Recommendation: Ideally, the privacy rule should be modified so that the recipient of a request for information made by another covered entity automatically relies on that request unless it clearly is inappropriate. Absent that change, HHS can help to prevent disagreements between the entities by issuing guidance emphasizing that the privacy rule currently allows a covered entity to rely upon the request. The guidance could go on specifically to enumerate some disclosures that should be presumed appropriate - for example, a request for HEDIS data that is made by a health plan subject to NCQA accreditation.

3. Varying interpretations - enforcement

Overshadowing all of a covered entity's deliberations about the minimum necessary requirement is a concern about those who will "enforce" the privacy rule. As a practical matter, "enforcement" will not only be by HHS but also by plaintiffs' lawyers. It is very easy to look at the comments and concerns being expressed from every corner of the industry as both reactionary and nitpicking. However, this is a reaction to the potential for class action litigation, the creativity of the plaintiffs' bar in seeking new causes of action and the current hostile climate that exists for managed care companies. If the privacy rule is at all vague or ambiguous about what a health plan may do, the plaintiffs' bar will use it as a weapon.

Recommendation: HHS should issue guidance clarifying that covered entities likely will develop different criteria for minimum necessary information, and that a covered entity's organization, procedures and information infrastructure will be factors in determining what information is necessary. The guidance also should clarify that the standard is satisfied so long as the covered entity reasonably believes that the information is necessary to perform the task at hand.

Does applying the minimum necessary standard internally in an institution make sense?

Requiring all covered entities, including institutions, to review uses and disclosures of information outside of their workforce and business associates is indeed valuable. It requires covered entities to review whether they really need to ask for all of the information that they collect today. Once a covered entity reduces the intake of PHI to only that which is minimally necessary, however, it does not make sense to apply the minimum necessary standard to the entity's internal use of that PHI. If the covered entity only requests information it needs, why make that entity go to the trouble and expense of repeating its minimum necessary analysis each time it uses the information?

Recommendation: HHS should issue guidance that establishes that the minimum necessary requirement does not apply to a covered entity's internal use of PHI if the information used has been obtained from another covered entity.

Where should the line be drawn in determining what is "reasonably necessary?"

The recent agency guidance on the privacy rule indicated that the minimum necessary requirement is not a rigid technical standard, but rather a common sense approach to prevent a covered entity from accumulating information that it clearly does not need.

The line for determining what is reasonably necessary should be drawn in a similar fashion. The privacy rule should make clear that covered entities are allowed to develop a common sense approach to determining what is minimally necessary, and it should recognize that different covered entities require different amounts and types of PHI to function effectively.

Recommendation: HHS should issue guidance clarifying that covered entities are likely to develop different criteria for minimum necessary information, and that a covered entity's organization, procedures and information infrastructure will be factors in determining what information is reasonably necessary. The guidance also should clarify that the standard is satisfied so long as the covered entity reasonably believes that the information is necessary to perform the task at hand.

How can the concept of minimum necessary be explained with greater clarity to those who will be affected? Give specific examples.

A concern we must all share is that consumers have come to believe the privacy rule is some type of "magic bullet" with respect to patient privacy. Consumers need to understand that the exchange of information is critical to the function of the health care system. Doctors need to have access to and exchange information to better treat patients. Carriers need information to properly adjudicate claims and benefits. Information drives the system. What the privacy rule does is create a framework where it is less likely that PHI will be misused.

One way to explain the minimum necessary requirement in that context would be to emphasize the following points.

And in Conclusion…

On Monday, April 16, the first business day after Secretary Thompson announced that the privacy rule would be adopted as planned, I learned that a doctor was refusing to allow a team from my company to perform a HEDIS review. The reason: the HIPAA privacy rule prohibited the doctor from releasing the information. I received three more, identical phone calls within the next two weeks. I do not know how many times that situation has repeated since then because I crafted a standard letter for providers pointing out, among other things, that the privacy rule is not effective for two years. If there is confusion over something as simple as the implementation date, imagine the potential for confusion and conflict when we get to the substance of the rule.

Our evolving health care delivery system is one that increasingly relies on a team approach to delivering care. This team approach demands that health information be shared responsibly to improve quality and reduce errors. It is imperative that every effort be made to avoid placing providers at odds with plans and impeding the functioning of the health care system as a whole. The only way to achieve this is to ensure that the rules are clear and easy to apply.

So far as the "minimum necessary" requirement is concerned, HHS must ensure that the privacy rule, in conjunction with the guidance provided by the agency, accomplishes the following goals:

Finally, it is important to remember the historical backdrop that led to the enactment of HIPAA in general and the Administrative Simplification standards in particular. A key goal of HIPAA is to make health insurance more available. The Administrative Simplification standards themselves were proposed almost ten years ago as a response to help control health costs that were spiraling upwards (similar to the increases we are seeing today). It would be ironic, and tragic if we were to allow the HIPAA standards, which have such promise, to become the cause for higher costs rather than the solution.

A balanced, reasonable approach can provide individuals with greater privacy protections without causing the harm HIPAA was intended to prevent. The rules promulgated by HHS are an important step in protecting the privacy rights of individuals. AAHP and its member plans have long been committed to protecting the confidentiality of personal health information. We commend the Department for its efforts to date and encourage it to consider the recommendations presented here as it develops further guidance.

Thank you.