The Health Insurance Portability and Accountability Act need not endanger outcomes that depend on data access unless you let it.
Jack A. Rovner
Last November, the National Committee on Vital and Health Statistics reported to the Department of Health and Human Services that there exists "an extremely high level of confusion, misunderstanding, frustration, anxiety, fear, and anger" as the April 14, 2003 compliance date for the HIPAA privacy rule nears.
The committee found that HIPAA liability fear is causing health care providers to restrict disclosure of essential medical information which could result in "providers refusing to share patient medical information that would be helpful in treating another patient and a decline in reporting essential health data to public health agencies and others."
Don't give in to this fear. Medical information drives underwriting and premium rating, your utilization management and quality assurance, provider credentialing and performance evaluation, HEDIS reporting and accreditation, clinical guideline and protocol development, and more.
Your plan needs strategies to ensure its data bloodlines aren't severed by HIPAA high anxiety. Consider three:
Master the privacy rule. It allows abundant means for health plans to obtain medical information from health care providers. Is your plan prepared to implement the means that fit your data-access needs?
Educate. What is your plan doing to dispel HIPAA ignorance among its network providers?
Use your contracts. Has your plan checked its provider-participation agreements to ensure that they give you the medical data access that HIPAA allows?
There is a remarkable variety of permitted ways for your plan to obtain needed medical data from providers under the HIPAA privacy rule. Let's count them:
Your payment activities. The privacy rule allows health care providers to disclose their medical information to your plan to conduct your payment activities. All you have to do is ask.
Payment activities, as defined by the privacy rule, are much more than claims adjudication and management, and benefits coordination. They include utilization review, precertification and preauthorization, evaluating medical necessity and care appropriateness, justifying service charges, determining eligibility, and adjusting risk based on enrollee health status and demographics.
You may only ask for the minimum amount of medical information you reasonably need for these tasks. But, because of this obligation, the privacy rule doesn't make a health care provider second guess whether you're requesting more medical information than you need.
Health care operations. You may ask a health care provider to disclose medical information for your plan to carry out quality assurance activities, such as care coordination, case management, and clinical guideline and protocol development, to undertake provider credentialing and performance evaluation, to conduct HEDIS reporting and obtain NCQA or other accreditation, and to detect and prevent fraud and abuse. You may only request medical information that relates to individuals who are or were enrolled in your plan, and you must limit the amount of medical information you request to the minimum reasonably needed to carry out these health care operations.
Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of an insurance or benefit contract are also your health care operations, but the privacy rule does not allow a provider to disclose medical information for them to your plan. That's where limited data sets and organized health care arrangements come into play.
Limited data sets. A limited data set is protected health information that has been stripped of direct identifiers. The privacy rule allows a provider to disclose a limited data set to your plan to carry out any of its health care operations, including underwriting and premium rating. You may receive a limited data set from a provider to conduct research or carry out a public health activity.
Your plan must sign a data use agreement to restrict its use of the limited data set to the health care operations, research, or public health activities for which the set is intended. The data use agreement will also require your plan to preserve the privacy and anonymity of the individuals whose medical data are in the limited data set.
You may create the limited data set you need from the provider's medical information if you enter into another agreement with the provider to limit your use of the medical information to the creation of that limited data set.
Organized health care arrangements. HIPAA labels an arrangement in which providers and health plans act jointly to furnish care and benefits to individuals an "organized health care arrangement." Your plan is in an organized health care arrangement with its network providers if you all hold yourselves out to the public as participants in a joint arrangement, and you all jointly engage in one or more of the following activities:
Utilization review in which the providers and you review each other's health care decisions or have a third party do it;
Quality assessment and improvement functions in which the providers and you assess each other's treatment activities or have a third party do the work; and
Payment tasks in which the providers and you share financial risk for health care delivery and review medical information relating to the care delivery to administer the financial risk sharing, or have a third party do that review for the providers and you.
The participants in an organized health care arrangement are allowed to share the minimum amount of their medical information to carry out health care operations of the arrangement. So if your plan has a relationship with its network providers that satisfies the criteria of an organized health care arrangement, those providers may disclose their medical information to your plan for health care operations that relate to your joint arrangement.
Authorizations. When all else fails, you may obtain a written authorization from an individual to permit a provider to release the individual's medical information to your plan for any specified purpose. You may even condition enrollment in your plan or eligibility for benefits on the individual furnishing that authorization, if you request it prior to enrollment and you want the medical information for underwriting or risk rating or to determine whether the individual is eligible for benefits or enrollment.
Your network providers will not overcome their HIPAA anxiety and ignorance unless someone assuages their fear and enlightens them with awareness education. You put your plan at peril if you think they will figure out on their own what medical data the HIPAA privacy rule allows them to disclose to you.
Develop a strategy to build privacy rule awareness. Issue newsletters, compliance tips, and alerts. Describe the medical information you want and state why the privacy rule allows providers to give it to your plan. Conduct briefings; one- to three-hour sessions, with lots of time for questions, are very effective. Consider presentations for your Web site.
Remember, you're all in this together. You need to work together to keep your delivery system from coming apart because of unjustified privacy rule fright.
The privacy rule does not mandate any of the disclosures that it allows, so if you want to ensure that medical information flows, do it by contract. If your plan has not implemented a process of provider contract review and revision, start now. April 14 is at hand.
Jack A. Rovner is a partner in the Chicago law office of Michael Best & Friedrich, and coordinator of its HIPAA practice. Rovner served as a member of the secretary of health and human services' Advisory Committee on Regulatory Reform, where he chaired the subcommittee that addressed the HIPAA regulations.