Statement of the Regulatory Framework Task Force of the Accident and Health Insurance (B) Committee of the National Association of Insurance Commissioners

The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics (NCVHS)

The Regulatory Framework Task Force of the Accident and Health Insurance (B) Committee of the National Association of Insurance Commissioners submits this statement to the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics in response to the notice of the Subcommittee's hearings and solicitation of public comments appearing at 61 Fed. Reg. 69101 (Dec. 31, 1996). The purpose of this statement is to provide the perspective of state insurance departments to assist the National Committee on Vital and Health Statistics as it formulates recommendations to the Secretary of Health and Human Services on the regulation of individually identifiable health information pursuant to P.L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

I. Background

The National Association of Insurance Commissioners (NAIC), founded in 1871, is an organization of the chief insurance regulatory officials of the fifty states, the District of Columbia, and the four U.S. territories. The NAIC exists to assist state insurance regulators, individually and collectively, to assure the fair and equitable treatment of insurance consumers. (NAIC Mission Statement, Article II.)

The NAIC's primary instruments of providing technical assistance and guidance to the states are its model laws, regulations, and guidelines. Model laws and regulations are developed by committees of regulators at the NAIC's national meetings, which take place four times a year. NAIC meetings are public and the regulators solicit comments on all drafts. Each model is referred to a parent committee for approval and ultimately to the plenary session of the NAIC for adoption. All NAIC members have the opportunity to vote on a model at the plenary session. A state may either adopt an NAIC model intact or modify it to meet the state's specific needs and conditions.

The NAIC's Regulatory Framework Task Force ("the Task Force"), whose parent committee is the Accident and Health Insurance (B) Committee, has been charged with the development of a model law addressing the confidentiality of health information. The initial drafting has been undertaken by a working group of the Task Force. In 1993 the NAIC established the Health Plan Accountability Working Group, under the auspices of the Task Force, to develop model acts establishing a comprehensive regulatory structure for all types of managed care entities. As part of this process, the NAIC began to examine the issues raised by the collection and reporting of health information and data, and the need to protect the confidentiality of such information. In 1993 and 1994 the working group developed a draft model act addressing the confidentiality of health information. Work on this draft, which was derived in significant part from the NAIC's existing model, the "NAIC Insurance Information and Privacy Protection Model Act," was suspended in 1995 while the working group completed five other models. This occurred because the regulators concluded that a confidentiality model could best be developed once the proposed regulatory structure for managed care health plans was complete.

In the summer of 1996 the working group returned its attention to confidentiality issues and released a new draft, the "Protected Health Information Model Act" (draft dated 12/6/96), and is currently seeking public comment on that draft, which is in a preliminary stage. The working group also released a statement of "Principles for Model Act Addressing the Confidentiality of Health Information" to guide its drafting process. In 1997 this working group, which has been renamed the Health Information and Privacy Working Group, is charged with developing a model act addressing the confidentiality of health information.

II. NAIC's Issues re: Confidentiality

The NAIC's Regulatory Framework Task Force appreciates this opportunity to provide comments to the Subcommittee of the National Committee on Vital and Health Statistics as it formulates recommendations for the Secretary of Health and Human Services to assist her in submitting to Congress "detailed recommendations on standards with respect to the privacy of individually identifiable health information" as required by HIPAA. The NAIC has three areas of concern with respect to federal legislation setting such standards: (1) the potential preemption of state law affecting individually identifiable health information; (2) protecting the right of insurance regulators to have access to individually identifiable health information to carry out their authorized regulatory functions; and (3) protecting the right of states to establish and enforce appropriate standards for insurance carriers in their collection, use, and disclosure of individually identifiable health information.

A. Preemption

Subtitle F of Title II of HIPAA addresses the issue of the confidentiality of individually identifiable information explicitly in Section 264, which charges the Secretary with making detailed recommendations to Congress after consulting with the National Committee on Vital and Health Statistics. In addition, Section 1173(d)(2) of the Social Security Act, as added by HIPAA, requires the Secretary to adopt and enforce security standards for health information that "ensure the integrity and confidentiality of the information" and that "protect against any reasonably anticipated...unauthorized uses or disclosures of the information...." There are existing state statutes that are relevant to both these charges. We believe that it is Congress's expressed intent that, in general, these statutes not be preempted by federal law or regulation.

Section 264(c)(2) of Title II of HIPAA establishes that any federal regulation promulgated pursuant to Section 264 shall not supersede a contrary provision of state law that "imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation." This language expresses the intent of Congress that any federal requirements with respect to individually identifiable health information established under HIPAA will constitute minimum requirements which do not prevent states from retaining or enacting additional protections.

Section 1178 of the Social Security Act, as added by HIPAA, contains exceptions that protect state laws if the Secretary determines that they are necessary for any of the purposes outlined in Section 1178(a)(2)(A). It also protects, without any Secretarial determination, a state law that "relates to the privacy of individually identifiable health information" and is therefore subject to HIPAA Section 264(c)(2). The language of Section 1178 also expresses Congressional intent that more stringent state laws affecting the privacy of individually identifiable health information, as well as certain other state laws, not be preempted.

It is very important that the states be accorded the maximum flexibility to supplement HIPAA's privacy standards if they so desire. It is important to allow more stringent state requirements, as well as the state laws described in Section 1178(a)(2)(A), for two reasons:

(1) A number of states have already enacted detailed provisions governing the use and disclosure of individually identifiable health information. These state laws may apply more broadly than to the individually identifiable health information transmitted in connection with the transactions described in Section 1173(a) of the Social Security Act (as added by Section 262 of HIPAA). Preempting these existing provisions would leave consumers in these states with less protection as a result of enactment of the federal law than they already have.

(2) In states that have not developed extensive protections for individually identifiable health information, federal preemption would create a ceiling, rather than a floor, that would deprive states of the flexibility to address specific problems in unique ways. While multistate carriers and health plans may argue for uniform privacy standards, it is not clear that uniformity is as compelling a need for consumers, particularly consumers from states that already have extensive protections.

B. The Regulatory Role of State Insurance Departments

As regulators of the insurance industry, state insurance departments have long-standing expertise in obtaining and protecting the confidentiality of highly sensitive information, which takes many forms. It includes proprietary information developed by insurance companies pertaining to their products, actuarial formulas and other business practices, and certain financial information, as well as health information about specific individuals. It is the common practice of insurance departments to obtain and evaluate confidential information in order to conduct their authorized regulatory functions. Every state has laws which authorize the insurance department to collect such information from regulated entities, but which also protect the information from further disclosure by the insurance department.

It is imperative that any federal privacy standards, either promulgated by the Secretary or adopted by Congress, not be construed by insurance carriers, health plans, or other regulated entities as prohibiting them from disclosing to state insurance regulators any individually identifiable health information that is essential for the effective regulation of these entities. Without access to individually identifiable health information, state insurance regulators would not be able to fulfill their fundamental purpose of protecting consumers.

The NAIC's Special Committee on Health Insurance ("NAIC Committee") submitted a letter to Congress dated May 8, 1996, relating to H.R. 3103. This letter emphasized the importance of preserving the access of state insurance departments to individually identifiable health information necessary to perform their regulatory functions in any legislation addressing the confidentiality of health care information or data transaction standards. Section 264(c)(2) of Subtitle F of Title II of HIPAA, discussed above, and Section 1178 of the Social Security Act, as added by HIPAA, together include provisions designed to protect state flexibility and preserve state laws necessary for the "appropriate State regulation of insurance and health plans."

The NAIC's Special Committee also expressed similar concerns in a letter dated May 17, 1996, to then-Senator Kassebaum and Senator Bennett about certain provisions of S. 1360, the "Medical Information Confidentiality Act," introduced in the 104th Congress, that would have potentially impeded the ability of departments to obtain individually identifiable health information. In addition, the Special Committee expressed concern about including state insurance departments in the definition of "health information trustee" as contained in some versions of S. 1360. It is our understanding that similar legislation will be introduced in the 105th Congress.

State insurance departments typically need access to individually identifiable health information in three situations: (1) to investigate a consumer complaint; (2) to conduct a market conduct examination of an insurance company or other regulated entity; and (3) to conduct a financial solvency examination. Federal legislation that impeded the ability of state insurance departments to perform any of the three would greatly concern state insurance regulators. The discussion below addresses in more detail the major issues raised in our letters to Congress last year relating to S. 1360 and H.R. 3103.

Consumer complaints: In investigating a consumer complaint, a state insurance department obtains a written statement from a consumer which includes an authorization to obtain that consumer's medical records from the insurance entity about whom the complaint is made. Many complaints involve a company's denial of a claim on the grounds that the service is not a covered benefit or is an experimental treatment. Without access to the consumer's medical records and the specific policy covering the consumer, the insurance department cannot determine whether the service provided was in fact a covered benefit. Access to individually identifiable information in these situations is generally not a problem because the individual who initiates the complaint is also the subject of the information and has authorized the department's access to the information in order for the complaint to be investigated.

The willingness of most complainants to authorize access to their medical records is fortunate because many state insurance departments consider their complaint process to be the single most reliable source of identifying problem carriers. In addition, through the consumer complaint process, insurance departments recover literally millions of dollars annually, and this money goes to the consumers, not to the insurance department. For example, in 1996 the Wisconsin Insurance Department completed the investigation of 8,407 complaints and recovered $2,350,000, of which $1,650,000 involved denied claims. All this money was recovered for the complainants and is completely separate from fines or penalties obtained by the Department.

Market Conduct Examinations: In a market conduct examination, the state insurance department initiates and conducts an extensive examination of an insurance carrier, including visits to the company's offices, to determine how the company is conducting its business within that state. These examinations focus on a company's marketing and sales of policies and its payment of claims, as opposed to its financial condition. To conduct a thorough market conduct examination, state insurance regulators must examine numerous records and files, including the company's register of complaints.

Most states have broad statutes authorizing the insurance commissioner's access to all relevant records and files. (See, for example, Wis. Stat. Section 146.82.) The regulators review individually identifiable health information to ensure that a company is paying similar benefits for similar claims, and to investigate the complaints kept in the company's register. These examinations require regulators to review information identifying numerous consumers. Obtaining each consumer's authorization would be very time-consuming, expensive, and impracticable. Moreover, allowing the company to "sanitize" the information by concealing the name and address of the insured individual can, in certain situations, promote fraud by making it easier for a company to fabricate or alter claims.

Despite clear authority under the laws of most states to review a regulated entity's files and records, insurance departments do encounter carriers who attempt to withhold files on the grounds that they contain confidential information. These carriers use the pretext of protecting a consumer's privacy to avoid legitimate regulatory oversight of their activities. A federal law that called into question a state insurance department's authority to examine a carrier's records and files would foster evasive conduct and would not benefit consumers.

A state insurance department's authority to obtain access to individual records will become even more important as states implement and enforce new standards to regulate managed care entities. For example, the NAIC has very recently adopted five model acts which set standards for managed care activities in five areas: the adequacy of the health plan's provider network, including its contracts with providers; the health plan or carrier's grievance procedures; its utilization review procedures; its quality assurance activities; and its credentialing of health care professionals. To enforce the utilization review standards, the insurance department will have to examine individual records to ensure that acceptable protocols were followed with respect to specific cases. In monitoring grievance procedures, the department will have to review individual records to determine what the consumer was told, who conducted the grievance review on behalf of the carrier, and whether the procedures followed were appropriate and were in effect at the time of the consumer's grievance. To regulate the adequacy of provider networks, the insurance department will have to identify specific subsets of the covered population to determine which enrollees need access to certain services, and whether they are obtaining that access based on their clinical records. For example, to determine whether a health plan has a sufficient number of obstetrician-gynecologists, the department will have to determine how many women of child-bearing age are enrolled in the plan, and then examine their records to monitor timely access and appropriate referral, including self-referral, to these providers. None of these examinations can be effectively conducted without access to individually identifiable information.

Access to individually identifiable health information will also be critical to the efforts of state insurance departments to enforce the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). For example, HIPAA prohibits health insurance carriers in the group market from establishing rules for eligibility and continued eligibility that are based on "health status-related factors" as defined in the law. (See Public Health Service Act Section 2702(a).) It also requires guaranteed issue of individual policies to qualified individuals as defined in HIPAA. (See Public Health Service Act Section 2741.) To enforce these provisions, insurance departments will have to examine individual applications and policies to ensure that certain medical information is not requested or considered in a fashion that violates HIPAA.

It would be a particular challenge to enforce the amendments to HIPAA made by the Newborns' and Mothers' Health Protection Act of 1996 and the Mental Health Parity Act of 1996 if the access of insurance departments to individually identifiable health information were limited. Here again, in order to ensure compliance with the provisions of these laws regarding access to maternal and mental health services, state insurance departments will need to review individual records containing health information to see that health carriers are permitting maternity lengths of stay to be determined in accordance with the law and are complying with the law's provisions regarding annual and lifetime limits on mental health benefits.

State insurance departments take seriously their obligation to protect the confidentiality of information that they observe and collect. Often state regulators do not copy or remove the records that they examine. For records that they do need to copy and remove, regulators will often themselves remove identifying information. In some states, the work papers and examination papers are made confidential by law. They are not subject to subpoena or made public until the examination process is concluded. (See, e.g., Section 374.205.4 of Missouri Revised Statutes.) State insurance departments have also promulgated regulations articulating the expectation that their employees maintain the confidentiality of documents in the possession of the department. (See, e.g., Missouri Regulation 20 CSR 10-3.100.) Some of these state laws and regulations with respect to protecting the confidentiality of information possessed by the insurance department are based on the NAIC's Model Law on Examinations and on the NAIC's Market Conduct Examiners Handbook.

Financial Solvency Examinations: In addition to market conduct examinations, state insurance departments also conduct solvency examinations to review a company's financial statements. Their purpose is to ensure that the company has sufficient assets and reserves to pay the claims that have actually been incurred and that are likely to be incurred. Like market conduct examinations, financial solvency examinations require regulators to examine claims files because the number of claims filed against a company is one factor used to determine whether a carrier has adequate reserves. Again, it is not practicable for regulators to rely on records that contain no individually identifiable information. In many cases a claim and a policy must be matched in order for the regulator to evaluate the carrier's compliance, and this necessitates using records that contain identifying information.

The investigation of consumer complaints and the conducting of both market conduct and financial solvency examinations are among the most basic and important functions of state insurance departments. They could not perform these functions for the benefit of the public without complete access to all records and files of regulated entities. In return for this access, state insurance departments have a long tradition of protecting the confidentiality of information in their possession.

C. Regulating the Use and Disclosure of Health Information by Insurance Entities

State insurance departments protect consumers' privacy by regulating the collection, use, and disclosure of confidential information by insurance carriers and other regulated entities, such as health maintenance organizations. As mentioned above, the NAIC has already adopted an "Insurance Information and Privacy Protection Model Act," which applies to "insurance institutions, agents or insurance support organizations" as defined in the model. Approximately 15 states have adopted laws based on this model,(1) and a number of other states have other laws protecting the confidentiality of certain health information.

In the course of developing a comprehensive set of model acts to regulate a variety of managed care entities, the NAIC's Health Plan Accountability Working Group concluded that an additional model specific to health information is needed to supplement the existing NAIC privacy protection model. One issue is that the current model allows for a fairly general authorization to disclose information, and this general authorization may be broader than is appropriate for health information. In addition, the definitions in the existing model do not reflect the rapid changes that have occurred in the managed care industry. Finally, some of the model's provisions may not be as well-suited to electronic claims as they are to paper submissions. All these issues will be considered by the Health Information and Privacy Working Group in 1997 as it develops a draft model specific to health information and considers the relationship of the new model to the existing "Insurance Information and Privacy Protection Model Act."

The NAIC recognizes that any model it develops must be consistent with any standards promulgated by the Secretary of Health and Human Services or adopted in federal legislation pursuant to HIPAA. The NAIC's working group has been exploring many of the same issues under discussion by this Subcommittee on Privacy and Confidentiality and has received input from other interested parties, including HHS staff. These issues include:

(1) Defining the applicability of any model law. Should it apply to health carriers? to all insurance carriers? to other regulated entities? to both primary and secondary users of the information?

(2) How can "health information" be defined? How can the type of information that must be protected by the law be articulated?

(3) What structure should the law take with respect to a subject individual's authorization for disclosure? Should consent be required for most disclosures, or should the subject's consent be presumed for disclosures that have certain purposes, such as treatment or payment for treatment?

(4) What procedures should be required for a subject's access to information about himself and the opportunity to amend or supplement that information?

(5) Should there be any exceptions to the requirement that a subject have access to all information about him- or herself?

(6) How does any model law drafted for insurance carriers, health plans, and other entities regulated by the state insurance department interact with existing state and federal laws governing the behavior of providers and according special treatment for certain types of information?

(7) What are appropriate penalties for violation of the law? How should they be enforced?

(8) Is the regulatory framework appropriate for electronic transactions which include individually identifiable health information?

(9) What limits should exist on a health carrier or health plan's internal use of individually identifiable information, even if that information has been lawfully obtained from the subject individual?

Many of these issues are also raised by the requirement of HIPAA, Title II, Section 264(b), which instructs the HHS Secretary to include in her recommendations to Congress advice about rights that an individual subject should have with respect to his or her individually identifiable information, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized or required.

The working group recognizes the complexity of these issues and the need to proceed with extreme care. It will continue to work on a draft model law throughout 1997 that will reflect the widest possible participation of state insurance departments and other interested parties and that will ultimately serve to communicate the NAIC's policy positions on the difficult questions raised in any discussion of confidentiality issues.

The NAIC's Regulatory Framework Task Force thanks the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics for this opportunity to submit written comments on these issues. Please do not hesitate to contact NAIC staff if we can provide the assistance and expertise of our members.

(1) NAIC Insurance Information and Privacy Protection Model Act, NAIC Model Laws, Regulations and Guidelines, copyright 1997, p. 670-1, 670-23.