It may not come as a surprise that Congressman Tom Price, MD (R-GA), a vocal critic of the Affordable Care Act who introduced legislation to replace it last spring, was selected to serve as Secretary of the U.S. Department of Health and Human Services (HHS) in the Trump administration. What may come as a bit of a surprise is how Price’s proposed replacement bill appears to favor transparency over individual privacy when it comes to certain health care claim information.

Section 601 of the “Empowering Patients First” bill (Bill) would require a health insurance issuer to send a report including specific claim information to a health plan, plan sponsor or plan administrator upon request (Report). The Bill would require the Report to include all information available to the health insurance issuer that is responsive to the request including … protected health information [PHI] … .”

Since a “plan sponsor” includes an employer (in the case of an employee benefit plan established or maintained by the employer), the Bill would entitle an employer to receive certain PHI of employees and employees’ dependents, as long as the employer first certifies to the health insurance issuer that its plan documents comply with HIPAA and that the employer, as plan sponsor, will safeguard the PHI and limit its use and disclosure to plan administrative functions.

The Report would include claim information that would not necessarily be PHI (such as aggregate paid claims experience by month and the total amount of claims pending as of the date of the report), but could also include:

“A separate description and individual claims report for any individual whose total paid claims exceed $15,000 during the 12-month period preceding the date of the report, including the following information related to the claims for that individual –

(i) a unique identifying number, characteristic or code for the individual;

(ii) the amounts paid;

(iii) the dates of service; and

(iv) applicable procedure and diagnosis codes.”

After reviewing the Report and within 10 days of its receipt, the plan, plan sponsor, or plan administrator would be permitted to make a written request for additional information concerning these individuals. If requested, the health insurance issuer must provide additional information on “the prognosis or recovery if available and, for individuals in active case management, the most recent case management information, including any future expected costs and treatment plan, that relate to the claims for that individual.”

Price transparency has been studied as a potentially effective way to lower health care costs, and employers are often in a difficult position when it comes to understanding what they pay, as plan sponsors, to provide health insurance coverage to employees and their families.   Laws and tools that increase the transparency of health care costs are desperately needed, and the Empowering Patients First bill valiantly attempts to create a mechanism whereby plan sponsors can identify and plan for certain health care costs. On the other hand, in requiring the disclosure of procedure and diagnosis codes to employers, and in permitting employers to obtain follow-up “case management” information, the bill seems to miss the HIPAA concept of “minimum necessary”. Even if an employer certifies that any PHI it receives will be used only for plan administration functions, employees might be concerned that details regarding their medical condition and treatments might affect employment decisions unfairly and in ways prohibited by HIPAA.

If Dr. Price steps up to lead HHS in the coming Trump administration, let’s hope he takes another look at this Section from the perspective of HHS as the enforcer of HIPAA privacy protections.

The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has  attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations).  Perhaps not many people are pondering the HIPAA implications of this historic decision, but if you are reading this blog, you might be among the very few of us wondering what this decision means in terms of HIPAA protection.  Or, more likely, you are wondering why I don’t have better things to think about on the eve of a national holiday.

The majority notes that the Department of Health and Human Services (HHS) has effectively exempted certain religious nonprofit organizations (“eligible organizations”) from the contraceptive mandate imposed by the Affordable Care Act (ACA).  If an employer certifies that it is an eligible organization, its health insurance issuer must exclude contraceptive coverage from the employer’s plan and must provide separate payments for contraceptive services for plan participants without imposing fees or cost-sharing requirements on the eligible organization, its insurance plan, or its employee beneficiaries.  HHS regulations implementing this eligible organization contraceptive policy make it clear that the health insurance issuer is not acting as an insurance carrier under state insurance law because the payments for contraceptive coverage “derive solely from a federal regulatory requirement, not a health insurance policy… .”  If the eligible organization is self-funded, its third party administrator (TPA) must pay for contraceptive services (without imposing fees or cost-sharing requirements) or arrange for an insurer or other entity to pay for these services.

The Hobby Lobby majority endorses this “reasonable accommodation” for use by religious for-profit, closely-held corporations such as Hobby Lobby – it points out that HHS has the means to achieve its desired goal (here, employer plan coverage of contraceptives) without imposing a substantial burden on the exercise of religion by these closely-held corporate entities.

Back to HIPAA.  If a beneficiary of an eligible organization’s health plan seeks contraceptive coverage, and the health plan is not covering this benefit, who is the covered entity for purposes of HIPAA compliance?  If the eligible organization has a self-funded plan, is the TPA (which acts the business associate in relation to the self-funded plan in its normal course of operations) the “covered entity” for purposes of protected health information (PHI) related to contraceptive services?   This is an important question because presumably the beneficiary who is seeking contraceptive services must obtain coverage for these services someone other than the eligible organization’s health plan.

Women whose health plans do not cover contraception, whether because their employer plans were exempt from the ACA contraceptive coverage mandate under the pre-Hobby Lobby religious nonprofit exemption, or because the Hobby Lobby decision casts open the doors to new employer plan exemptions, may want to think about who’s responsible for protecting this very personal PHI.

The requirements of HIPAA impose other specific obligations on a covered entity and raise additional questions.  For example, what will the Notice of Privacy Practices of the covered entity (assuming we know who that is) look like for contraceptive services?  If the TPA (or other person now responsible for paying for contraceptive services) normally acts as a business associate in relation to the employer plan, does it now need its own Notice of Privacy Practices and business associate agreements with third parties to deal with its receipt of PHI related to contraceptive services?  These types of issues will likely become more clouded as cases involving other challenges to the ACA move through the courts.  Certainly, religious freedom is important and worth protecting, but so too is health information privacy.  Happy Fourth!

 

If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!”  Those involved with the new health insurance exchanges (or “Marketplaces”?  The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are to be reported within one hour of their discovery, according to regulations proposed by the Department of Health and Human Services (HHS) on June 19, 2013 (“Exchange Regulations”).  That’s right – within one hour, or a measly 60 minutes, of discovery of a breach involving personally identifiable information (PII), the entity where the breach occurs must report it to HHS.  Even a mere security “incident” would have to be reported within one hour.  The broad term “incident” would include:

[t]he act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. 

Whereas HIPAA breaches (those involving protected health information, or PHI) affecting more than 500 individuals must be reported to HHS “without unreasonable delay and in no case later than 60 days after discovery” and (as discussed here in an earlier blog post) there is no express requirement for reporting of security incidents to HHS , HHS’s new proposal requires a 60-minute turn-around for PII breaches and incidents alike.  HHS says that it “considered but declined to use the definitions” for “incident” and “breach” provided under the HIPAA regulations because “the PHI that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections… .” 

The 60-minute turnaround time may sound familiar to Medicare Shared Savings Programs (MSSPs, also known as Medicare Accountable Care Organizations or ACOs).  Approved MSSPs must sign a Data Use Agreement with the Centers for Medicare & Medicaid Services (CMS) before it can obtain data from CMS that contains Medicare beneficiaries’ PHI.  The 60-minute turnaround under the Data Use Agreement is even a bit more onerous than that proposed in Exchange Regulations in that breaches of PII must be reported within 60 minutes of the breach, loss, or unauthorized disclosure itself, rather than within 60 minutes of discovery of the breach, loss, or unauthorized disclosure.  Then again, the Data Use Agreement doesn’t require reporting of “incidents” like attempted access or power interruptions, and CMS is thoughtful enough to provide a phone number and email address to be used in making the reports.

On June 25, 2012, William Maruca, Esq., the Editor of this blog and my health law partner at Fox Rothschild LLP, published an article entitled "What small business owners should know about each possible Supreme Court health-care ruling" on washingtonpost.com.  In the article Bill highlights the likely impact on small business owners of the numerous possible Supreme Court rulings in the pending Accountable Care Act case.  While the subject matter goes beyond the usual focus of this blog, I thought that the comments would be of significant assistance to many of those who are following this continuously unfolding drama.

Buried in the 906 pages of the healthcare reform bill signed into law on March 22 are a number of changes that will have an impact on health information technology. Among the changes are standards which, when implemented, will reduce or eliminate the need to submit paper attachments with claims, a pet peeve of many healthcare providers. The inability of most electronic systems to accept required attachments digitally has discouraged many providers from fully implementing electronic claims submission.

Section 1104 of the Act tweaks HIPAA’s administrative simplification provisions by requiring the Secretary of Health and Human services to adopt standards for health care transactions which enable point-of-care eligibility determinations; minimize the need for paper attachments to claims submissions; describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions (except where necessary to implement State or Federal law, or to protect against fraud and abuse). 

 

The Secretary is directed by Congress seek to reduce the number and complexity of forms (including paper and electronic forms) and data entry required by patients and providers.

 

Health plans will be also required to adopt “unique health plan identifier” numbers by 2012.

 

Health plans will need to certify their compliance with the new standards by 2015. Penalties for noncompliance begin on April 1, 2014.