Jack A. Rovner

The Health Insurance Portability and Accountability Act need not endanger outcomes that depend on data access unless you let it.

Jack A. Rovner

Last November, the National Committee on Vital and Health Statistics reported to the Department of Health and Human Services that there exists "an extremely high level of confusion, misunderstanding, frustration, anxiety, fear, and anger" as the April 14, 2003 compliance date for the HIPAA privacy rule nears.

The committee found that HIPAA liability fear is causing health care providers to restrict disclosure of essential medical information which could result in "providers refusing to share patient medical information that would be helpful in treating another patient and a decline in reporting essential health data to public health agencies and others."

Don't panic

Don't give in to this fear. Medical information drives underwriting and premium rating, your utilization management and quality assurance, provider credentialing and performance evaluation, HEDIS reporting and accreditation, clinical guideline and protocol development, and more.

Your plan needs strategies to ensure its data bloodlines aren't severed by HIPAA high anxiety. Consider three:

  • Master the privacy rule. It allows abundant means for health plans to obtain medical information from health care providers. Is your plan prepared to implement the means that fit your data-access needs?
  • Educate. What is your plan doing to dispel HIPAA ignorance among its network providers?
  • Use your contracts. Has your plan checked its provider-participation agreements to ensure that they give you the medical data access that HIPAA allows?

There is a remarkable variety of permitted ways for your plan to obtain needed medical data from providers under the HIPAA privacy rule. Let's count them:

Your payment activities. The privacy rule allows health care providers to disclose their medical information to your plan to conduct your payment activities. All you have to do is ask.

Payment activities, as defined by the privacy rule, are much more than claims adjudication and management, and benefits coordination. They include utilization review, precertification and preauthorization, evaluating medical necessity and care appropriateness, justifying service charges, determining eligibility, and adjusting risk based on enrollee health status and demographics.

You may only ask for the minimum amount of medical information you reasonably need for these tasks. But, because of this obligation, the privacy rule doesn't make a health care provider second guess whether you're requesting more medical information than you need.

Health care operations. You may ask a health care provider to disclose medical information for your plan to carry out quality assurance activities, such as care coordination, case management, and clinical guideline and protocol development, to undertake provider credentialing and performance evaluation, to conduct HEDIS reporting and obtain NCQA or other accreditation, and to detect and prevent fraud and abuse. You may only request medical information that relates to individuals who are or were enrolled in your plan, and you must limit the amount of medical information you request to the minimum reasonably needed to carry out these health care operations.

Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of an insurance or benefit contract are also your health care operations, but the privacy rule does not allow a provider to disclose medical information for them to your plan. That's where limited data sets and organized health care arrangements come into play.

Limited data sets. A limited data set is protected health information that has been stripped of direct identifiers. The privacy rule allows a provider to disclose a limited data set to your plan to carry out any of its health care operations, including underwriting and premium rating. You may receive a limited data set from a provider to conduct research or carry out a public health activity.

Your plan must sign a data use agreement to restrict its use of the limited data set to the health care operations, research, or public health activities for which the set is intended. The data use agreement will also require your plan to preserve the privacy and anonymity of the individuals whose medical data are in the limited data set.

You may create the limited data set you need from the provider's medical information if you enter into another agreement with the provider to limit your use of the medical information to the creation of that limited data set.

Organized health care arrangements. HIPAA labels an arrangement in which providers and health plans act jointly to furnish care and benefits to individuals an "organized health care arrangement." Your plan is in an organized health care arrangement with its network providers if you all hold yourselves out to the public as participants in a joint arrangement, and you all jointly engage in one or more of the following activities:

  • Utilization review in which the providers and you review each other's health care decisions or have a third party do it;
  • Quality assessment and improvement functions in which the providers and you assess each other's treatment activities or have a third party do the work; and
  • Payment tasks in which the providers and you share financial risk for health care delivery and review medical information relating to the care delivery to administer the financial risk sharing, or have a third party do that review for the providers and you.

The participants in an organized health care arrangement are allowed to share the minimum amount of their medical information to carry out health care operations of the arrangement. So if your plan has a relationship with its network providers that satisfies the criteria of an organized health care arrangement, those providers may disclose their medical information to your plan for health care operations that relate to your joint arrangement.

Authorizations. When all else fails, you may obtain a written authorization from an individual to permit a provider to release the individual's medical information to your plan for any specified purpose. You may even condition enrollment in your plan or eligibility for benefits on the individual furnishing that authorization, if you request it prior to enrollment and you want the medical information for underwriting or risk rating or to determine whether the individual is eligible for benefits or enrollment.

Education, awareness

Your network providers will not overcome their HIPAA anxiety and ignorance unless someone assuages their fear and enlightens them with awareness education. You put your plan at peril if you think they will figure out on their own what medical data the HIPAA privacy rule allows them to disclose to you.

Develop a strategy to build privacy rule awareness. Issue newsletters, compliance tips, and alerts. Describe the medical information you want and state why the privacy rule allows providers to give it to your plan. Conduct briefings; one- to three-hour sessions, with lots of time for questions, are very effective. Consider presentations for your Web site.

Remember, you're all in this together. You need to work together to keep your delivery system from coming apart because of unjustified privacy rule fright.

The privacy rule does not mandate any of the disclosures that it allows, so if you want to ensure that medical information flows, do it by contract. If your plan has not implemented a process of provider contract review and revision, start now. April 14 is at hand.

Jack A. Rovner is a partner in the Chicago law office of Michael Best & Friedrich, and coordinator of its HIPAA practice. Rovner served as a member of the secretary of health and human services' Advisory Committee on Regulatory Reform, where he chaired the subcommittee that addressed the HIPAA regulations.

Managed Care’s Top Ten Articles of 2016

There’s a lot more going on in health care than mergers (Aetna-Humana, Anthem-Cigna) creating huge players. Hundreds of insurers operate in 50 different states. Self-insured employers, ACA public exchanges, Medicare Advantage, and Medicaid managed care plans crowd an increasingly complex market.

Major health care players are determined to make health information exchanges (HIEs) work. The push toward value-based payment alone almost guarantees that HIEs will be tweaked, poked, prodded, and overhauled until they deliver on their promise. The goal: straight talk from and among tech systems.

They bring a different mindset. They’re willing to work in teams and focus on the sort of evidence-based medicine that can guide health care’s transformation into a system based on value. One question: How well will this new generation of data-driven MDs deal with patients?

The surge of new MS treatments have been for the relapsing-remitting form of the disease. There’s hope for sufferers of a different form of MS. By homing in on CD20-positive B cells, ocrelizumab is able to knock them out and other aberrant B cells circulating in the bloodstream.

A flood of tests have insurers ramping up prior authorization and utilization review. Information overload is a problem. As doctors struggle to keep up, health plans need to get ahead of the development of the technology in order to successfully manage genetic testing appropriately.

Having the data is one thing. Knowing how to use it is another. Applying its computational power to the data, a company called RowdMap puts providers into high-, medium-, and low-value buckets compared with peers in their markets, using specific benchmarks to show why outliers differ from the norm.
Competition among manufacturers, industry consolidation, and capitalization on me-too drugs are cranking up generic and branded drug prices. This increase has compelled PBMs, health plan sponsors, and retail pharmacies to find novel ways to turn a profit, often at the expense of the consumer.
The development of recombinant DNA and other technologies has added a new dimension to care. These medications have revolutionized the treatment of rheumatoid arthritis and many of the other 80 or so autoimmune diseases. But they can be budget busters and have a tricky side effect profile.

Shelley Slade
Vogel, Slade & Goldstein

Hub programs have emerged as a profitable new line of business in the sales and distribution side of the pharmaceutical industry that has got more than its fair share of wheeling and dealing. But they spell trouble if they spark collusion, threaten patients, or waste federal dollars.

More companies are self-insuring—and it’s not just large employers that are striking out on their own. The percentage of employers who fully self-insure increased by 44% in 1999 to 63% in 2015. Self-insurance may give employers more control over benefit packages, and stop-loss protects them against uncapped liability.