John Carroll

Despite all the talk about HIPAA privacy protections, there was little action. New regulations are intended to ensure compliance.

When legislators pieced together new provisions for the Health Insurance Portability and Accountability Act early this year in the American Recovery and Reinvestment Act of 2009 (the stimulus), they erected a complex set of legal hurdles for health plans to clear.

One of the biggest changes is a move to include “business associates” of the original covered entities — health plans, providers, and clearinghouses — under the law. For health plans, those business associates include vendors of professional services such as electronic prescribing technology and accounting. Insurance brokers too.

Now, a great number of health plan associates have legal responsibility to comply with HIPAA, including a requirement to work through health plans when there is a security breach — essentially when a member’s health care information winds up in the wrong hands. Each of those business associates is required to alert the health plan when it learns that there has been a security breach, and the health plan has to alert the member and, under certain conditions, the news media as well.

But it didn’t take long for Kirk Nahra to spot a potential trouble spot in the new provisions.

“Here is the problem,” says Nahra, a prominent health plan lawyer at Wiley Rein, a Washington area law firm, who has been grappling with the new rules. Once they take effect, a business associate will have 60 days to notify the health plan of a breach, and the plan, curiously, has the same 60 days to send out the breach notice. If the business associate waits well into that period before alerting the MCO, the health plan could be left with little or no time to comply with the law. As a result, health plans have already begun scrambling to include breach notification provisions in their contracts that will give them the time to be compliant.

This is just one of several new legal responsibilities for the clinical executives of health plans to be aware of. With security and privacy executives taking the lead, insurers are being required to execute a series of fast-paced changes to the way they do business over the rest of the year.

Aside from the key business associate rules, there is a new mandate to strip data of personal identification whenever possible. And just weeks ago, the Department of Health and Human Services consolidated enforcement of both security and privacy provisions into a modestly beefed up Office of Civil Rights (OCR), signaling to some that after more than five years of limited oversight, the federal government may be planning to step up its enforcement of the law.

What is a breach?

Under the ARRA the government added billions of dollars in new incentives to push health care into the digital age, which is likely to increase the anxiety that people have about the security of their data, according to Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. And the government responded by making HIPAA’s security and privacy rules more comprehensive while sharpening its enforcement claws.

“We wanted breach notification,” says McGraw. “It’s important for patients to know when their data have been seen by unauthorized people, or an authorized person, for an unauthorized purpose. Previously, when data went to the business associate, if the business associate didn’t comply with the terms of its contract, the government couldn’t hold it accountable. If the covered entity did nothing, nothing was done. That was unacceptable.”

There isn’t much time left for plans and other covered entities to get ready for the change. Once HHS clarified the breach notification rules in mid-August — detailing when covered entities are required to alert people to a breach — they were slated to be in effect in 30 days. Everything else in the law takes effect in February.

Business associates

“These organizations have hundreds, if not thousands — in some cases tens of thousands — of business associates,” says Daniel Nutkis, CEO of the Health Information Trust Alliance, which collaborated with the various players in health care to work on a standardized security framework that helps organizations comply with HIPAA as well as other regulations and standards. “If you look at the process to date, health plans are likely to be the first organizations providing oversight of business associates and making sure that business associates are doing what they should be doing.”

All health plan contracts will have to reflect the new relationship, says Kimberly Gray, who recently moved from her post as chief privacy officer at the Pennsylvania insurer Highmark to the same position at IMS Health. And Gray notes that many health plans wear two hats under HIPAA — one as an original covered entity and the second as a business associate of self-insured employers. “Some employers that are self-insured may want to delegate security breach notification to their business associates — in this case the health plan.”

Like other covered entities, MCOs are also going to have to learn how to strip out as much patient identifying information as can reasonably be expected from the mountain of data that they manage.

“From a privacy standpoint, use of data stripped of identifiers, such as in a limited data set, is more protective while still retaining the data’s utility,” says McGraw. “I’m not sure how new provisions encouraging the use of a limited data set are going to be interpreted by OCR, though. It tells covered entities that if they use limited data sets, they are in compliance. But you don’t have to use limited data sets if they won’t work for a particular purpose.”

In most cases, the health plans can’t use limited data sets, says Nahra. The river of claim reports that flows through health plans typically deals with the treatment a patient received — and that has to remain fully identifiable.

There is an added motivation for health plans and the other covered entities to shift stances quickly to accommodate the new law. The expansion of HIPAA includes much more muscular penalties for plans that violate the law. Individual security infractions that had warranted civil penalties of $100 each now can cost $50,000, with an annual maximum of $1.5 million. And state attorneys general were given a green light to go after HIPAA cases.

On the federal side, HHS’s recent consolidation of enforcement of both security and privacy provisions in the Office of Civil Rights is seen by some as a sign of renewed determination to make the law stick.

“It signals a degree of seriousness on the part of policymakers to deal with this issue — the need for HHS and OCR in particular, along with the National Coordinator for Health Information Technology, to really be more aggressive about HIPAA all around,” says McGraw.

“I do think the new administration with these new tools is going to be more active,” says Nahra. But he isn’t speculating yet on how much more active the feds will become. “The OCR was also accused of not enforcing the law. They have more authority [now], but it doesn’t say whether they are going to use it.”

Contributing editor John Carroll can be reached at

A health plan can only extract personal patient data when identification isn’t required, says Kirk Nahra, a health insurer lawyer. In most cases, health plans cannot use limited data sets.

“It’s important for patients to know when their data have been seen by unauthorized people,” says Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.

Plans have long been one of the most compliant industries that have to adhere to HIPAA, says Kimberly Gray, chief privacy officer at IMS Health. She sees no surge of enforcement activity on the way.
