NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

ROUNDTABLE DISCUSSION ON IMPLEMENTATION
OF THE
HIPAA PRIVACY RULE

PRESENTATION BY MARK HILL
THE PRINCIPAL FINANCIAL GROUP
ON BEHALF OF AAHP-HIAA

November 19, 2003

Mark L. Hill
Director, Group Compliance
The Principal Financial Group
711 High Street
Des Moines, IA 50392-0220
(515) 247-6347
hill.mark@principal.com

Good afternoon.  My name is Mark Hill and I am the Director for Group Compliance with The Principal Financial Group.  I want to thank the Privacy and Confidentiality Subcommittee of the National Committee on Vital and Health Statistics for the opportunity to discuss the challenges of implementing the HIPAA privacy rule.  I am appearing today on behalf of AAHP-HIAA and its nearly 1,300 member companies. 

AAHP-HIAA is the national trade association representing the private sector in health care.  AAHP-HIAA’s member companies provide health, long-term care, dental, vision, disability, and supplemental coverage to more than 200 million Americans.  The Principal Financial Group is a leading global financial institution offering businesses, individuals, and institutional clients a wide range of financial products and services.  Our products include electronic banking, group retirement and employee benefits, individual life insurance, annuity, and disability income policies, international services, mutual funds, and residential mortgages.  We provide group life and health benefits to nearly 92,000 employer clients and pension plans for more than 43,000 employer sponsors with total enrollment of more than 1.6 million members.

AAHP-HIAA’s members strongly support protections for the confidentiality of health information.  Much of the daily activities of our member companies involve protected health information (PHI) and as a result, our members have well-established systems for safeguarding health information privacy.

I will focus my remarks today on two topics – first, the efforts of health plans and insurers to implement the HIPAA privacy rule, and second, a discussion of some of the administrative issues that we believe pose challenges for health plans and insurers.

Implementing the HIPAA Privacy Rule

Implementation of the HIPAA privacy rule’s requirements has been a tremendous undertaking for health plans and insurers because of the extensive and extremely complex nature of its provisions.  The rule includes detailed regulatory requirements and contains numerous terms of art, such as “minimum necessary,” that add to its complexity.  The regulatory text (including the preamble guidance) of the proposed privacy rule (issued November 3, 1999), the “final” rule (issued December 28, 2000), the proposed rule modifications (issued March 27, 2002), and the final privacy rule modifications (issued August 14, 2002) takes up 648 densely packed pages in the Federal Register.

In addition, the Office for Civil Rights (OCR) of the Department of Health and Human Services (which is responsible for interpreting and enforcing the privacy rule) has issued 214 separate “Frequently Asked Questions” providing guidance on the application of the privacy rule to various situations and has developed HIPAA rule “fact sheets” and other compliance materials.  As discussed later in my testimony, the HIPAA rule requirements are in addition to numerous other state and federal confidentiality laws that apply to health plans and insurers.

The privacy rule did not change the long-standing commitment of health plans and insurers to protect health information confidentiality; however, the regulation required the development of additional comprehensive administrative and procedural compliance mechanisms.  Our member companies have taken the following steps over the past three years to implement the HIPAA privacy rule:

These efforts have involved a significant expenditure of staff time and financial resources.  For example, one of AAHP-HIAA’s members, a national health insurance carrier, estimates that it spent in excess of $2.5 million to implement the privacy rule. 

Administrative Challenges

There are a number of administrative issues concerning the HIPAA privacy rule that we believe must be addressed.  My comments will focus on the following concerns: (1) interaction of the rule with other state and federal confidentiality laws; (2) requirements to provide notice to individuals about uses and disclosures of PHI; (3) business associate contracting; (4) authorization for information sharing; and (5) development of additional guidance and educational materials by OCR.

Reconciling State and Federal Privacy Requirements

Perhaps the most difficult challenge faced by health plans and insurers is determining the privacy rule’s interaction with confidentiality requirements imposed by other state and federal laws.  As an example of this complexity, let me call your attention to Attachment A, which lists state confidentiality requirements applicable to health plans and insurers.  In addition, there were 232 legislative proposals involving health information confidentiality introduced in 43 states in 2003, and 43 of these proposals were ultimately enacted into law.

Analyzing conflicts between the federal HIPAA privacy standards and state confidentiality laws is complicated.  Consider the laws of just one state, detailed in the chart included as Attachment B, which shows the relationship between the provisions of the HIPAA privacy rule (as it existed in 2001) and Virginia laws dealing with uses and disclosures of health information.

The preemption standard in the HIPAA privacy rule requires a determination of whether the state law is “contrary” to the federal rule (in which case the state law may be preempted) or whether it is “stricter” than the federal rule (in which case the federal rule may be preempted).  In addition to state privacy laws, there are a number of federal confidentiality requirements, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, that may be applicable to the business operations of health plans and insurers.

AAHP-HIAA believes that consumers are best served by uniform, clearly defined standards applicable to the use and disclosure of health information by health plans and insurers.  The Department of Health and Human Services should work cooperatively with the Congress and state regulators to clarify when the privacy rule governs the operations of health plans and insurers and to eliminate conflicts between competing federal and state confidentiality requirements.

Providing Notice of PHI Uses and Disclosures

The privacy rule requires covered entities to provide individuals with notice of how their PHI is used and disclosed, along with a statement of the individual’s rights and the covered entity’s responsibilities with regard to health information.  Attachment C is an example of a model privacy notice form developed for use by health plans in preparing their own specific privacy notices.

Health plans and insurers were required to provide an initial notice to their members and insureds prior to the April 14, 2003 compliance date of the privacy rule.  Thereafter, the notice must be given to any new member or insured and a new notice must also be provided within 60 days after any material change in the contents of the notice or at least every three years.  

The privacy rule requires covered entities to include in their privacy notice information about other federal or state laws that prohibit or materially limit the use or disclosure of PHI for treatment, payment, or health care operations.  As noted above, there are a significant number of federal and state confidentiality laws that may impact a covered entity.  As a result, health plans and insurers doing business in more than one state must have multiple privacy notices, which must be continually updated.  Multiple notices add to the administrative cost of the rule and do not provide any significant benefit to consumers.  The privacy rule should be modified, or additional guidance provided, to clarify that the notice of privacy practices may include a statement such as: “Our use and disclosure of health information and your rights may be affected by other federal laws or by the laws of your state.  Information on these requirements may be obtained by contacting [include contact information].”

Contracting With Business Associates

There continues to be uncertainty about who is or is not a “business associate.”  For example, our members report that some state agencies are insisting that the health plan or insurer is a business associate of the agency, even though the agency itself is not a covered entity.  While the OCR has provided guidance regarding business associates, additional clarification of the rule’s provisions would be useful.  We recommend that the OCR provide additional guidance on the definition of a business associate, including specific examples of when a business associate relationship does and does not exist.

The HIPAA security rule also includes requirements for specific contract provisions between covered entities and certain trading partners who receive PHI from the entity.  Although compliance with the security rule is not required for most covered entities until 2005, health plans and insurers have already begun updating their business associate agreements to incorporate these requirements.  The Office for Civil Rights was very helpful in preparing model business associate contract provisions for use by covered entities and a similar effort should be undertaken for the security rule’s requirements.  We believe OCR and the Centers for Medicare and Medicaid Services (which is responsible for enforcing the security rule) should develop model business associate agreement provisions that combine the requirements of the privacy rule and the security rule.

Authorizations for Use and Disclosure of PHI

The privacy rule requires covered entities to obtain an authorization from an individual prior to using or disclosing his or her PHI in most situations outside of functions related to treatment, payment, or health care operations.  These authorizations must be sufficiently detailed to include a description of the information that will be used or disclosed, the person(s) authorized to make the use or disclosure, the person(s) authorized to receive the PHI, and a description of each purpose of the use or disclosure.  The authorization must also include an expiration date or event that relates to the individual or to the purpose of the use or disclosure.  While the authorization requirement is an important safeguard that gives individuals control over their health information, administrative improvements could be made to the authorization process.

First, it is important to distinguish between situations where a third party requests PHI from a covered entity and cases where the individual directly asks the covered entity to release his or her health information.  For example, if the individual contacts a health plan or insurer and asks it to release his or her PHI to a third party, the need for a detailed authorization spelling out each particular use or disclosure of PHI may not be as great.  In most cases, if an individual asks a covered entity to share his or her information, the individual is aware of how it will be used and to whom the information will be disclosed.  AAHP-HIAA recommends that the privacy rule be modified to clarify the authorization requirements in situations where the individual (and not a third party) initiates the request for release of his or her PHI.

In addition, it may not always be appropriate to list a specific end date or event in an authorization.  Consider, for example, situations involving health insurers offering long-term care coverage.  In most cases, an authorization will be required because a family member or friend will be assisting the covered individual with his or her benefits; however, the coverage will not be required for many years after the policy is sold to an individual.  AAHP-HIAA asks that the privacy rule be modified, or guidance issued, to clarify that an authorization is valid until revoked by the individual, without specifying an end date or end event for the authorization, in situations where it is not practical to specify such a date or event.

Finally, we believe it is necessary to clarify the situations under which a personal representative may have access to an individual’s PHI and may authorize the release of his or her health information.  Most states permit individuals to have a personal representative act on their behalf through legal notifications such as a durable power of attorney for health care decisions.  It is not always clear when a covered entity may disclose PHI to a personal representative and when the representative is allowed to authorize the release of an individual’s health information.  AAHP-HIAA asks that the OCR clarify how the privacy rule affects a personal representative’s uses and disclosures of PHI on behalf of an individual.

Development of Additional Guidance on the HIPAA Privacy Rule

It is clear that there continues to be uncertainty about the application of the privacy rule to covered entities and to others who may use or disclose PHI as part of their daily business activities.  While we would like to commend the Office for Civil Rights for its efforts to provide guidance on the privacy rule and for its outreach to health care providers, health plans, and others, we believe a great deal of work remains to be done.

One particular concern involves the employer community and other entities that sponsor ERISA group health plans subject to the privacy rule.  Many of these ERISA group health plans are considered “small health plans” for purposes of the HIPAA privacy rule and therefore have until April 14, 2004 to implement the regulation.  Although our member companies have conducted outreach and educational activities with the employer community, it is critical that OCR focus and intensify its efforts to inform employers and other ERISA plan sponsors about the application of the HIPAA privacy rule to ERISA group health plans.  AAHP-HIAA recommends that the Office for Civil Rights develop specific educational programs and compliance tools for employers and other ERISA plan sponsors on the application of the HIPAA privacy rule to the administration of health benefits.

Another area of uncertainty involves the disclosure of PHI by health care providers.  There have been numerous news reports about difficulties encountered by family members and friends in getting timely access to health and medical status information about loved ones.  There have also been problems reported by patients trying to get medical files transferred from one treating health care provider to another.  The barriers to information sharing cause confusion and distress for consumers and may delay treatment in some situations.

Recently, the Office for Civil Rights issued several Frequently Asked Questions that clarified when and how PHI may be disclosed by health care providers, and we hope that this guidance will clear up some of the problems.  The OCR should also work with the health care provider community to develop simple, easy-to-understand brochures for providers and consumers explaining how the privacy rule works and when it is appropriate to share PHI.  AAHP-HIAA recommends that the OCR develop additional educational materials, such as consumer brochures, explaining how the HIPAA privacy rule impacts the sharing of medical information by health care providers.

Conclusion

AAHP-HIAA and its member companies support protections for the confidentiality of health information.  Our members have worked hard and expended considerable resources over the past three years to implement the HIPAA privacy standards.  We believe that there are a number of issues that should be addressed to assist covered entities with their compliance activities.  Our member companies will continue with their efforts to protect the confidentiality of health information.