Good morning, and thank you for the opportunity to address the National Committee on Vital and Health Statistics.
My name is Christine Williams, and I'm a shareholder with Gordon, Feinblatt, Rothman, Hoffberger & Hollander, LLC, a firm of 80 lawyers located here in Baltimore, Maryland. I practice exclusively in the area of employee benefits, and many of the clients I represent are employer-sponsored group health plans and third-party administrators (TPAs) that provide services to group health plans.
Over the last two years, I have worked with group health plans and TPAs to provide them with advice on HIPAA Administrative Simplification, and to assist them in preparing to comply with the Administrative Simplification requirements, including transactions, privacy, and security.
All of the group health plans with which I've worked are committed to protecting the privacy of the health information of their participants, and all of the TPAs with which I've worked are committed to protecting the privacy of their clients' information. All of them already have procedures in place to help ensure that sensitive information is not disclosed improperly, and all of them view the protection of sensitive information as a high priority. Most of the group health plans and TPAs with which I've worked are also committed to achieving compliance with the HIPAA Administrative Simplification requirements.
However, achieving compliance with the HIPAA privacy and requirements is proving to be difficult, for reasons which I will discuss shortly.
Perhaps more worrying, however, is what I believe to be a significant number of group health plans that have never heard of HIPAA Administrative Simplification; or that do not yet recognize that they are, in the language of HIPAA Administrative Simplification, Covered Entities; or that believe, based on blind faith, that an insurer, a TPA, a broker, or another service provider can and will take care of everything that needs to be done to comply with the HIPAA Administrative Simplification requirements. Some anecdotal evidence illustrates my point.
About a week before the October 15th deadline for filing a Model Compliance Plan with CMS in order to obtain a one-year extension of the transactions deadline, a Gordon, Feinblatt paralegal identified approximately 15 group health plans for which the firm had done work in the past, but with which we had not recently been in touch. The paralegal called a representative of each of the plans to remind them that if they were not small health plans, and they had not yet filed a Model Compliance Plan, the deadline to do so was coming up.
Over two-thirds of the plan representatives had not heard about HIPAA Administrative Simplification and had no idea that the plans were covered by it. A few of the plan representatives asked us to assist them in filing a Model Compliance Plan, but were unaware of the nature of the Administrative Simplification requirements and were obviously unprepared for compliance.
One plan representative stated flatly that the plan was not covered and later called back to say that she had called the HIPAA Hotline at HHS, and had been advised that the Model Compliance Plan was only for doctors and hospitals that bill Medicare. (I assume that she spoke to someone at HHS who was thinking of the provider compliance plans that many physicians and hospitals have in place to assist them in accurately billing Medicare.)
Obviously, the first step in achieving group health plan compliance with HIPAA Administrative Simplification will be to make group health plans aware that they are Covered Entities. Part of the confusion around this issue stems from the close relationship that most group health plans have with the employers that sponsor them. A single-employer group health plan is usually nothing but a document: the plan has a separate legal identity under the Employee Retirement Income Security Act (ERISA), but no practical separate existence. The plan's decisionmakers are employees of the employer; many plan administrative functions are handled by employees of the employer; and the employer pays some, most, or all of the costs associated with the plan. Under these circumstances, it is understandable that most employers that sponsor group health plans do not think of the plans as separate entities, and instead think of the plans as just another of many administrative and management functions that the employer performs.
The magnitude of this problem may be a surprise to those who tend to think of HIPAA Administrative Simplification as affecting health care providers and insurance companies. Based on figures used by the U.S. Department of Labor in November, 2000, there are approximately 2,802,000 group health plans in the country. In the Preamble to the final privacy regulations, HHS uses a figure of 2,125,000 fully-insured group health plans and a few thousand self-insured group health plans. In the same Preamble HHS states that there are approximately 7,000 hospitals and 630,000 non-hospital providers. Regardless of whether one accepts the DOL number of 2.8 million, or the HHS number of 2.1 million group health plans, that number exceeds the total of other Covered Entities by a factor of more than three.
Even if many or most of the group health plans are small health plans, and therefore have an extra year to comply with HIPAA Administrative Simplification requirements, they are still virtually all Covered Entities and will have to comply eventually. The problem, of course, is that they do not know they are Covered Entities.
The Preamble to the final privacy regulations indicates that HHS was under the impression that someone other than the group health plan sponsor (i.e., the employer) would take care of privacy compliance for group health plans. For example, at page 82765, the Preamble states that there are approximately 12,200 health plans that will bear implementation costs. In footnote 45, HHS clarifies that the 12,200 are "licensed insurance carriers who sell health products; third party administrators that will have to comply with the privacy regulation for the benefit of the plan sponsor; and self-insured health plans that are at least partially administered by the plan sponsor." (Emphasis added.)
To date, at least in my experience, insurance carriers and TPAs have not taken a leading role in group health plan compliance. In many instances, insurers filed Model Compliance Plans for themselves, but not for the group health plans they cover. Similarly, many TPAs did not file for themselves, because they are not Covered Entities, nor did they file for their group health plan clients. The insurers and TPAs may perhaps be faulted for not taking very good care of their customers, but they are probably on solid legal ground: it was the obligation of the Covered Entity to file the Model Compliance Plan, not the obligation of an insurer or a business associate of the Covered Entity, unless the insurer or business associate had assumed that obligation by a contract.
The October 15, 2002 deadline to file a Model Compliance Plan would have been a golden opportunity for HHS to make a concerted effort to alert group health plans to their status as Covered Entities, and to begin the process of educating group health plans about the Administrative Simplification requirements. Instead, the HIPAA Administrative Simplification grapevine reports that approximately 500,000 Model Compliance Plans were filed by the October 15, 2002 deadline. Depending on whether one sees the glass as half-full or half-empty, this leaves us either in awe that all of the other Covered Entities (including group health plans) are prepared to comply with the transactions standards, or suspicious that all the other Covered Entities don't know they are Covered Entities. Personally, I suspect that most of the non-filers are group health plans, and they didn't file because they don't know they are Covered Entities.
Of the group health plans that know they are Covered Entities, I believe many are multiemployer plans. Because of the nature of multiemployer plans, they typically have a structure (and a real existence) that is entirely separate from that of any of the contributing employers. Multiemployer plans are administered by boards of trustees, the trustees usually that the plan is an entity separate from any of the employers, and the plans usually have their own counsel. Based on anecdotal evidence, I believe that multiemployer group health plans are, in general, far ahead of single-employer group health plans in awareness of HIPAA Administrative Simplification, and are farther down the road to compliance, precisely because they are treated as entities separate from employers and they have legal advisors that focus on plan issues.
Of the group health plans that recognize that they are Covered Entities, there is a great deal of concern about the cost of complying with the HIPAA Administrative Simplification requirements, as well as concern as to whether the April 14, 2003 deadline for privacy compliance for group health plans that are not small health plans is realistic. The privacy regulations include 58 separate standards and 60 separate implementation specifications. In many cases, compliance must be tailored very specifically to the plans individual operations. And, in some cases, the standards and implementation specifications were modified in August of this year, leaving only eight months to achieve compliance.
In my view, the heart of compliance with the privacy requirements is the creation of policies and procedures appropriate for the Covered Entity: policies and procedures that not only reflect the requirements of the regulations, but that also reflect the Covered Entity's structure and business operations, and policies and procedures that the Covered Entity can live with from an operational standpoint and can live up to from a compliance standpoint.
In the Preamble to the final privacy regulations, HHS seems to indicate its belief that privacy policies and procedures will come in packages and that a few sizes will fit all. For example, at page 82769 the Preamble states:
[T]he final rule is designed to encourage the development of policies by professional associations and others, that will reduce costs and facilitate greater consistency across providers and other covered entities.
The development of policies will occur at two levels: first, at the association or other large scale levels; and second, at the entity level. Because of the generic nature of many of the final rule's provisions, the Department anticipates that trade, professional associations, and other groups serving large numbers of members or clients will develop materials that can be used broadly. . . .
. . . .
For larger health care entities such as hospitals and health plans, the Department assumed that the complexity of their operations would require them to seek more customized assistance from outside council [sic] or consultants. Therefore, the Department assumes that each hospital and health plan (including self-administered, self-insured health plans) will, on average, require 40 hours of outside assistance.
My experience in advising group health plans on HIPAA privacy compliance has led me to the conclusion that a generic set of policies and procedures designed for the average group health plan would probably sit on a shelf and gather dust, instead of being used by the plan to achieve compliance with the requirements of the regulations. If policies and procedures are not designed with the group health plan's specific operations in mind, and if there is not an understanding by the group health plan of what needs to be changed and why, the policies and procedures are worthless.
To take just one example of the difficulties facing group health plans, the privacy regulations impose strict limits on what information may be disclosed to the sponsor of a group health plan. In order for the plan to disclose anything more than enrollment and disenrollment information, and summary health information for limited purposes, the regulations require that the plan document be amended to include specific provisions, that the sponsor provide a certification to the plan that the amendments have been made and the sponsor will abide by them, and that the sponsor ensure adequate separation between the health plan administration functions that it performs and its other functions. However, in most businesses, the health plan administration functions performed by the sponsor are housed in the HR department, which also receives much non-PHI medical information from employees, and which has employment-related functions as well as plan administration functions. In addition, in most businesses, decisionmaking power relating to both employment-related functions and plan administration functions is often vested in the same individual, such as the Vice President for HR. This structure often makes it difficult to achieve adequate separation and, realistically, few businesses will undertake major structural changes to the decisionmaking hierarchy. This means that complying with the privacy regulations' requirements for disclosure of PHI by a group health plan to the plan sponsor cannot be done by merely printing a set of documents from a "HIPAA For Dummies" CD (an imaginary product, at least so far as I know). Instead, it requires understanding the operations and structure of the plan and the business and, within the existing structures and hierarchies, finding a way to comply with the privacy regulations without turning the plan and the business upside down.
This is usually not a task that can be achieved in a one- or two-hour meeting, and it is not something that an insurer or a TPA can effectively manage for its plan customers.
With these issues in mind, I would like to make a couple of suggestions.
First, many of the group health plans that are required to comply with the HIPAA Administrative Simplification requirements are also required, under ERISA, to file an annual Form 5500 with the U.S. Department of Labor. The 5500s are a matter of public record. It would seem to be possible for HHS to obtain the names and addresses of the group health plans that filed 5500s within the last year, and send each a notice that the plan may be a Covered Entity and should contact a qualified professional for additional information and to determine whether it is a Covered Entity. Alternatively, the notice could direct the recipients to the CMS website and the Covered Entity Decision Tools, or HHS could establish an "Am I a Covered Entity?" hotline, staffed by trained counselors who can assist group health plans in determining whether they are Covered Entities and what their compliance deadlines are.
Second, an extension of the privacy compliance deadline may be necessary. It seems unrealistic to expect group health plans that do not yet know they are Covered Entities to have policies and procedures, and other compliance mechanisms, in place by this coming April.
Third, if, as HHS expected, "trade, professional associations, and other groups serving large numbers of members or clients [have developed] materials that can be used broadly," HHS should undertake to make those sources known to Covered Entities. A database of such sources, with information on the type of Covered Entity for which the materials are designed, the price of the materials, and any membership or other criteria for obtaining access to the materials, could be made available on the internet, to assist Covered Entities in finding the materials. HHS would probably object that establishing such a database would be expensive and time-consuming, and would place HHS in the role of passing on the quality of materials created by others. Those objections are valid. However, as things stand right now, virtually every group health plan in the country is on its own in finding and evaluating such materials.
In conclusion, I believe that group health plan compliance with HIPAA Administrative Simplification will take longer than was predicted, largely because most group health plans are unaware of their compliance obligations, and will cost much more than was estimated. Group health plans, as the most numerous of the Covered Entities, need more than has been offered by HHS to achieve compliance. HHS should make group health plans a major focus of its efforts during the next few months.
Thank you.