Michael Levin-Epstein
Washington Watch

Get any mail about the Financial Services Modernization Act? You're not alone. Insurers and financial institutions are flooding customers' mailboxes about their rights to protect medical and financial information under what's better known as the Gramm-Leach-Bliley Act. But just how GLB will affect health plans isn't totally clear.

GLB requires affected institutions to mail privacy notices to customers, stating their policies for protecting people's information and how that information is shared with third parties. With respect to health insurers, it allows states to set rules for use of medical information they keep on file. But Charles Kahn, president of the Health Insurance Association of America, asked states to keep the expense of various initiatives in mind and not "throw more fuel on the cost fire." No one seems certain exactly how much compliance will cost insurers.

HIAA has reason to be concerned. Transgressing GLB could mean fines of up to $11,000 per violation, as well as criminal penalties.

Christi Harlan, a spokesman for the Senate Banking Committee, says privacy notices appear to be more of an issue for financial institutions than for health plans. Insurers, she says, "seem to be meeting Congress's intent, but we're in a wait-and-see position," because not every state has enacted legislation.

GLB requires state legislatures and insurance regulators to craft requirements for complying with the federal guidelines. "Most states have a July 1 compliance date, the same as the federal financial institutions — and most of them have passed legislation," notes Kathleen Jensen of the National Association of Independent Insurers. In those states, a majority of insurers already have sent out notices, Jensen reports.

Now follow closely

Generally, the privacy notifications used by insurers about disclosure of financial information are similar to those used by banks. The National Association of Insurance Commissioners (NAIC) and National Conference of Insurance Legislators have models that follow the language of GLB very closely.

However, while both models include health insurance lines, NAIC's model also includes workers' compensation (which falls under property and casualty). Under both models, consumers would "opt in" for disclosure of health information, and "opt out" for disclosure of financial information. "If nonpublic personal health information is being disclosed to third parties, it's opt-in," Jensen explains.

She notes that "quite a few states" have not adopted the health portion of the NAIC model — called Article 5 — such that references in some states may refer to adoption of the NAIC provisions "except for Article 5."

"From what I understand from our member companies, there is a little concern that all state legislatures have not closed yet" and are still looking at bills that could suddenly change the requirements for insurers operating in those states. California and Texas, for instance, haven't yet acted. "In California, one of the pieces of legislation calls for opt-in for everything. If that passes, insurers that have mailed out notifications would need to send out another notice."

That, Jensen admits, is "frustrating to a number of insurers" that hoped to know by now what they would need to do to comply in all states, though, "I don't think any have held off sending notices to customers" as a result.

Joe Holahan, director and counsel for policy development at HIAA, agrees that it's "a little soon to tell" what the effects of GLB may be. The NAIC model regulation may not be perfect, he says, "but in states that pass it, there shouldn't be any immediate problems." That regulation allows insurers and health plans to continue to use consumers' information for insurance- and health care-related activities without individual permission. But Holahan sees a potential problem: "There's a specific list of activities that are permitted that could develop into a problem later. There may be legitimate activities not contemplated in that list. Ten years ago, we would never have dreamed of some of the things that plans are doing today, in terms of case management and other areas. A fixed list could become a problem."

What's most worrisome to Holahan is the possibility that some states would adopt opt-in requirements "for things that are generally considered insurance-related." Even small variations among state laws may add to the cost of compliance, and could increase the time needed to provide benefits or process claims.

"Information zips from state to state, so you could have several states involved. Look at utilization review. You could have a patient in one state, a doctor in another, the UR agent in a third, and the insurance company with a database in a fourth." In such a situation, Holahan says, the insurer would have to determine what the each of the states' laws are and which has the most stringent requirements. That could become a problem in states such as Massachusetts, which is looking at requirements that could differ substantially from the NAIC model.

Medical vs. financial

Jose Montemayor, Texas insurance commissioner and vice chairman of the NAIC task force on GLB, says the law is part of a larger attempt by legislators and regulators to overhaul insurance and financial practices.

"In general, the big push is to modernize all of our regulatory processes, to acknowledge the realities of a more globalized market," Montemayor says. GLB, he adds, is part of that effort.

The biggest consideration in crafting GLB-compliance laws is determining how to treat medical, versus financial, privacy concerns. "Medical information is different from financial information. We all recognize that," he says. The financial information is an opt-out standard, which was developed with the guidance of the Federal Reserve Board, the Office of Thrift Supervision and the Comptroller of the Currency. "When you get to medical information, it's treated differently." Part of the reason is that medical information is needed by third-party administrators for determination of benefits; by agents who produce the business; and by "carve-outs" to assure that the information is available to entities that really need it, while preventing its dissemination to others who don't.

Financial institutions, more than insurers, have been the object of federal scrutiny — in part because insurance regulation is still largely left to the states, and because of the rise of "identity theft." The Federal Trade Commission cited GBL in its "Operation Detect Pretext," an effort to protect consumers from companies that obtain customer information under false pretenses — a practice known as pretexting. The Federal Deposit Insurance Corp. has issued guidelines aimed at preventing identify theft via unintentional release of information about customers to those who shouldn't have access to the information. GLB, the FTC noted, "prohibits individuals from obtaining a customer's information from a financial institution or from the customer [by way of] false representation, fictitious documents or forgery."

Meanwhile, health plans are waiting to see what changes GLB ultimately will make and hoping for some uniformity of standards.

"We'd at least like to get beat with the same stick," says one health plan executive.

Michael Levin-Epstein

Managed Care’s Top Ten Articles of 2016

There’s a lot more going on in health care than mergers (Aetna-Humana, Anthem-Cigna) creating huge players. Hundreds of insurers operate in 50 different states. Self-insured employers, ACA public exchanges, Medicare Advantage, and Medicaid managed care plans crowd an increasingly complex market.

Major health care players are determined to make health information exchanges (HIEs) work. The push toward value-based payment alone almost guarantees that HIEs will be tweaked, poked, prodded, and overhauled until they deliver on their promise. The goal: straight talk from and among tech systems.

They bring a different mindset. They’re willing to work in teams and focus on the sort of evidence-based medicine that can guide health care’s transformation into a system based on value. One question: How well will this new generation of data-driven MDs deal with patients?

The surge of new MS treatments have been for the relapsing-remitting form of the disease. There’s hope for sufferers of a different form of MS. By homing in on CD20-positive B cells, ocrelizumab is able to knock them out and other aberrant B cells circulating in the bloodstream.

A flood of tests have insurers ramping up prior authorization and utilization review. Information overload is a problem. As doctors struggle to keep up, health plans need to get ahead of the development of the technology in order to successfully manage genetic testing appropriately.

Having the data is one thing. Knowing how to use it is another. Applying its computational power to the data, a company called RowdMap puts providers into high-, medium-, and low-value buckets compared with peers in their markets, using specific benchmarks to show why outliers differ from the norm.
Competition among manufacturers, industry consolidation, and capitalization on me-too drugs are cranking up generic and branded drug prices. This increase has compelled PBMs, health plan sponsors, and retail pharmacies to find novel ways to turn a profit, often at the expense of the consumer.
The development of recombinant DNA and other technologies has added a new dimension to care. These medications have revolutionized the treatment of rheumatoid arthritis and many of the other 80 or so autoimmune diseases. But they can be budget busters and have a tricky side effect profile.

Shelley Slade
Vogel, Slade & Goldstein

Hub programs have emerged as a profitable new line of business in the sales and distribution side of the pharmaceutical industry that has got more than its fair share of wheeling and dealing. But they spell trouble if they spark collusion, threaten patients, or waste federal dollars.

More companies are self-insuring—and it’s not just large employers that are striking out on their own. The percentage of employers who fully self-insure increased by 44% in 1999 to 63% in 2015. Self-insurance may give employers more control over benefit packages, and stop-loss protects them against uncapped liability.