Marriott Baltimore Waterfront Hotel
700 Aliceanna Street
Baltimore, MD 21202
Good morning. My name is Ron Hoffman. I am pleased to be here today on behalf of Mutual of Omaha Insurance Company in Omaha, Nebraska, where I am a member of our Corporate Privacy Team. I am also pleased to be here today on behalf of the Health Insurance Association of America (HIAA), the nation's most prominent trade association representing the private health care system. The nearly 300 members of HIAA provide a full array of health insurance products, including medical expense, long-term care, dental, disability and supplemental coverage, to more than 100 million Americans. Mutual of Omaha and the HIAA support strong, nationally uniform privacy standards. We thank the Committee for holding these hearings and are grateful for this opportunity to testify before you.
Before I focus on HIPAA itself, I want to talk for a moment about Mutual of Omaha, so that there is a context in which I can set my remarks. Mutual of Omaha is one of the largest providers of health insurance in America. We are also one of the nation's largest administrators of Medicare Part A claims. As our name reveals, we are a mutual insurance company, meaning we are operated for the benefit of our policyholders and their beneficiaries. In 2001, we processed nearly 16 million health insurance claims totaling more than $3.4 billion in benefits. This averages nearly 63,000 health insurance claims, resulting in nearly $13.5 million in benefits, every working day.
In the context of HIPAA and compliance with privacy initiatives in general, Mutual of Omaha's perspective comes from being:
Given the complexity of coordinating compliance activities associated with a patchwork of federal and state privacy laws, Mutual of Omaha authorized creation of a Corporate Privacy Team in 2000 and assigned ten associates to work full-time on this team.
The first project undertaken by the Team was a privacy impact assessment with a focus on GLB. Though this project was led and managed by the Team, we did utilize the services of a major consulting firm with whom we had previously engaged to perform a similar assessment for our EDI and Security Project Teams. The assessment took approximately 12 weeks to complete. While the consultant brought value to the project for Security and Transaction/Code Set requirements, it was obvious that both of us underestimated the complexities of privacy.
With compliance implementation work completed on Gramm-Leach-Bliley, our Corporate Privacy Team's focus turned to HIPAA Privacy in July of 2001. Our original Project Initiation reports estimated the total human resource effort needed to implement all the HIPAA privacy requirements would be approximately 10,000 workdays (one FTE x 7.75 hours/day). As our project management work plans have evolved, that estimate is now approximately 8,000 workdays lower than our original estimates, but a significant undertaking nevertheless. Through September 2002, our HIPAA Privacy compliance project cost has now surpassed $1 million. By April 2003, we estimate our initial (one-time) compliance costs will exceed $2.75 million. When you add the one-time costs associated with bringing HIPAA EDI standards online by October 16, 2002, and complying with the GLB privacy mandates, our initial (one-time) cost to comply with GLB and HIPAA by April 2003 will be about $11 million. Given the amount of work we have completed and the amount of work we have left, it is beyond my comprehension how any covered provider or health plan who has not yet begun their formal compliance efforts will be able to meet the April 2003 compliance deadline.
With regard to the HIPAA Privacy Rule training mandate, Mutual of Omaha is in the process of developing its own computer-based privacy training modules/lessons. When considering whether to seek outside vendors or perform the work in-house, we considered the multitude of federal and state privacy laws affecting our collection, use, storage and disclosure of personal financial and medical information, concluding it would be more effective and less costly to develop our own training material. Since our associates were given training on the privacy policies and procedures established to comply with Gramm-Leach-Bliley, we concluded that it would not be sufficient to simply develop HIPAA Privacy training to place on top of the G-L-B training. Rather, there could often be a need to explain the relationships between these and other applicable privacy-related policies and standards so associates understand and are able to distinguish between requirements, as applicable. Our outreach for privacy training will be limited to our workforce and captive agents. We have released some general HIPAA awareness newsletters to our Group Offices for distribution to their group health plan clients.
You have also requested information on the availability of compliance resources from trade associations. HIAA has a rich tradition of insurance education resources and publications. Earlier this year HIAA published a four-part series on HIPAA Privacy Rules. The first publication is entitled HIPAA Primer: An Introduction to HIPAA Rules, Requirements, and Compliance. HIAA followed the Primer with three separate publications offering implementation guidance: HIPAA Action Items for Physicians' Offices, Home Care Providers and Insurers. HIAA also offers an educational opportunity for individuals to earn a designation as a HIPAA Associate or HIPAA Professional, based on the successful completion of course work derived from its published materials. However, HIAA's attempt to provide reasonable and accessible HIPAA Privacy Rule education has been a frustrating experience for the association. The August changes in the Privacy Rule set back HIAA's publication distribution efforts until a compatible update for the series can be developed. For educational purposes, the lack of clarification available from the Office of Civil Rights (OCR) on fundamental interpretations of the standards and requirements creates uncertainty in the design of educational materials beyond a basic content level. No trade association should be asked to serve in the role of interpreting the Privacy Rule for its covered entity industry segment as a substitute for OCR's failure to provide guidance. OCR should have covered entity industry teams in place to assist each industry with its own unique implementation issues.
With regard to employers and other plan sponsors of group health plans, I must echo many of the comments and concerns voiced by health plan panel presenters during your previous hearing in Boston. Though we plan to offer sample documents (plan document language, certification, and notices), we will encourage the plan sponsor to review these documents with their own legal counsel, and then personalize them to fit their specific circumstances. Mutual of Omaha has just begun to contact its groups, but we anticipate that employers will request or expect far more guidance from us than we are comfortable providing or should be responsible for providing.
Reliable resources to assist employers as sponsors and health plans appear scarce. Certainly, the Covered Entity Decision Tool posted on the OCR web site is helpful; however, the OCR provides no clear direction and needed clarification once a plan sponsor determines they are a group health plan. Clear direction from OCR is needed to ensure that plan sponsors acknowledge their responsibilities under the rule. Numerous law firms, consulting firms and employee benefit organizations are sending Client Alerts and other public documents summarizing the impact of HIPAA on employers and the group health plans they sponsor. The information communicated from these sources regarding the requirements for a plan sponsor who wants to be involved in plan administration and receive PHI appears generally consistent. However, information on the requirements for group health plan sponsors who are willing to accept only summary or de-identified information does not appear consistent. For example, some of these sources conclude self-funded group health plan sponsors always receive PHI and therefore must comply fully with HIPAA, while other sources do not reach that conclusion. The private sector advice on the requirements for insured group health plan sponsors is far less consistent, ranging from advising that the plan sponsors can avoid having to comply with HIPAA if they don't receive PHI, to advising that plan sponsors still must perform nearly all of the group health plan requirements other than plan document revision and certification.
Our efforts to educate employers, as issuers or administrators of group health plans, are further complicated by the fact that a large number of plan sponsors will offer more than one type of health plan option (self-funded and insured) and often these may come from more than one issuer/administrator. Interestingly, however, no publication I have seen to date has addressed the nonfederal government groups (e.g., school districts and municipalities) who offer self-funded health plans and who elected to opt out of certain requirements of HIPAA's Title I health insurance reform provisions. Some of these groups believe that because they opted out of complying with certain HIPAA Title I provisions, they are also exempt from HIPAA's Title II Administrative Simplification provisions! Further complicating this issue is the fact that CMS administers the annual HIPAA exemption elections of nonfederal government plans, while OCR will enforce the HIPAA Privacy Rules. To the best of my knowledge, neither office has addressed or clarified this issue for these governmental plans.
Another issue that needs to be addressed is the dichotomy of practical compliance for insurers as covered entities in their relationships with small health plans. The recent CMS Q&A clarification aimed at assisting health plans in determining what receipts to use to decide whether they qualify as a small health plan was very helpful and appreciated. As you know, small health plans receive an extra year to come into compliance with the rule, until April of 2004. This extra year to comply with HIPAA's Privacy Rule will benefit qualifying small health plan sponsors. There is, however, current confusion about and potential inconsistent implementation of HIPAA Privacy compliance because these small group health plans' insurance issuers and third-party administrators (TPAs) will need to be in compliance by April 2003 as covered entities in their own right.
You might assume that the issuers' and administrators' compliance in 2003 would ease the compliance burden for their small plans. In fact, the industry has begun to encounter resistance to its cooperative compliance efforts from the small health plans it fully insures and/or administers. Anecdotal evidence suggests that many small plans have not yet begun to focus on their HIPAA Privacy responsibilities. Some expect to continue business as usual through 2003 and resent insurers' efforts to meet the requirements and obligations of implementation and compliance, as it changes an insurer's standards and methods of operations. For example, small health plans may expect to continue to receive PHI from their insurers and TPAs after April of 2003. Conversely, the insurers and TPAs may feel compelled to require proof that the Privacy Rule requirements can be met before releasing any PHI to a small plan business partner. Other issues will undoubtedly arise during the transitional year as insurers attempt to follow and implement their own compliance policies and procedures at the same time their small plan business partners' compliance programs are still under development. OCR guidance and engagement in these areas will be crucial to encourage small health plan compliance and assure consumers their privacy rights are being appropriately protected under the HIPAA Privacy standards.
I now would like to address federal preemption -- an issue of major importance to insurers. Congress chose not to give HIPAA privacy full federal preemption status. States are free to establish privacy standards more stringent than those in the federal Privacy Rule. Most states already have a multitude of laws and regulations detailing when, how and what personal information may be used or disclosed, including health information and identifying information. Much of it is not traditional insurance regulation but now necessarily affects insurers' operations. And more such legislation and regulation is considered and passed in state legislatures and state agencies every year.
To assist insurers with the preemption question, HIAA and other industry associations jointly commissioned a national HIPAA Privacy Rule Preemption Analysis by the Washington, D.C. law firm of Shaw Pittman, LLP. This analysis is accessed through the Internet and is available on a subscription basis. It provides a comprehensive overview of each state's laws and regulations that directly affect the application of the federal Privacy Rule standards to the operations of health insurers and the PHI insurers create, obtain, hold, use or disclose. This preemption analysis took 5 months to complete at a cost well in excess of $1 million and must be continually updated and revised. Even so, this analysis is only a starting point for insurers, who must subsequently apply its findings to their products and operations. The industry is spending exorbitant amounts of time and money addressing inconsistent state and federal privacy requirements.
The industry cannot over-emphasize the scope of the administrative burden stemming from this lack of federal preemption. For a local physician, it may be burdensome to change a notice or authorization form, be more discreet with a subset of information, or offer certain patients more privacy protections than others. For a health insurer, with health insurance products that are sold and subscribed to on a nationwide basis, such diversity and constant change can be overwhelming. For covered entities with multi-state operations, such as health insurance issuers, this state-based diversity is the antithesis of administrative simplification. Again, many of the state individual health information privacy protections are not specifically insurance regulation, unsettling decades of industry work with organizations like the National Association of Insurance Commissioners (NAIC) to develop and implement standard laws and rules for the regulation of insurance. The health insurance industry needs full federal preemption for the HIPAA Privacy standards, and we encourage you to recommend it.
Finally, to directly address the questions you are seeking to have answered here today, I would like to list our specific recommendations:
On behalf of Mutual of Omaha and HIAA, I thank you for this opportunity to present this testimony to the Committee. If you have any questions regarding my remarks or recommendations, I would be happy to entertain them at this time.