Joined at the Hip: Health Care Reform and HIPAA

When Congress recently passed an enlargement and extension of the State Children’s Health Insurance Plan (SCHIP), President Obama observed that it was “a down payment on my commitment to cover every single American.”

If that’s the case, then his plan must envision a federally run, single-payer system, which is what Medicare, Medicaid, Veterans Administration health care, and SCHIP all are. Perhaps the road to that future initially will feature a half-private, half-government approach with individual mandates so that people are forced to buy health insurance. In the long run, however, since the government plans would be priced to outbid their private counterparts—basically, through shaving costs by covering a larger pool and offering fewer features and more rationing—the result would be the crowding out of the insurance companies until only the federal component remained viable.

Currently, both state mandates and federal regulation—through the 1996 Health Insurance Portability and Accountability Act (HIPAA) and other laws—dictate who and what must be medically covered by group health insurance plans. The federal government, if it gets into the game, could easily override state mandates and create its own product, however. It could also rewrite Title IV of HIPAA, the part detailing group health plan requirements, to suit its needs (if indeed that section would even apply to a federal program). By entering the game that previously was played only by private insurance companies, the feds could thereby change all the rules.

HIPAA Incorporates HITECH and EHRs

Regardless of how health care reform plays out, HIPAA is already in a constant state of flux. The recent stimulus package that sailed through Congress contains a law entitled the Health Information Technology for Economic and Clinical Health (HITECH) Act that envisions a nationwide grid of networked electronic health records (EHRs) to the starting tune of $19 billion. This is being touted as a means to save costs and facilitate better treatment of individuals, whose health care records would be available electronically at any location in the United States (under the proverbial best-case scenario). With the stimulus package, HITECH is being folded into HIPAA, though some critics have sniffed out stealth language in the stimulus bill that can be used to regulate which medicines and which treatments health care providers would be allowed to use. (See “Ruin Your Health With the Obama Stimulus Plan.”)

Interestingly, the Hill Web site reported in early December 2008 that Senate Finance Committee Chairman Max Baucus (D-Mont.) wanted health IT in the stimulus bill to help avoid a fight on health care in 2009 when lawmakers were drafting broader health care legislation. “There are going to be certain costs of health care reform—upfront costs. If I can put some of those upfront costs in the so-called stimulus bill, I’d rather put them there…. We’ve got to create a very significant upfront effort early on and keep the momentum going on health care,” said Baucus, who added he was in regular contact with the Obama team, Senator Ted Kennedy and other key lawmakers.

In addition to funding EHRs (also called electronic medical records, or EMRs), HITECH adds some privacy-enforcement teeth to HIPAA, which has long been criticized for loopholes allowing the release of medical record information to health care vendors for marketing purposes. Pharmaceutical companies, for instance, have frequently used prescription information from these records to target their mailings for new or alternative drugs and treatments. HITECH now mandates that individual patients’ consent be obtained before releasing any information to vendors—or to anyone not in the immediate health care loop that includes physicians and hospitals as well as insuring and billing entities (for a scary look at how easily this loop can expand, read “Health Privacy—The Way We Live Now”). The new provisions also require voluntary and affirmative disclosure of any breaches or violations of private records. However, as the final stimulus package wended its way through Congress, so many loopholes (five pages’ worth) were added that just about any group with political connections, or with loose medical affiliations, could gain access to everyone’s personal EHR just by asking for it or by paying for it.

HIPAA Enforcement

Another ongoing criticism of HIPAA has been its lax enforcement. In fact, it was the states that ended up taking the lead on enforcement by passing their own privacy violation laws. California was spurred to action when confidential medical records from the UCLA Medical Center were leaked to the media to feed the celebrity health scandal mill. (It didn’t help the leakers’ cause when information was made public about the governor’s wife, Maria Shriver.) Some 126 workers at UCLA were ultimately terminated. Courts are also finally beginning to hear HIPAA privacy-violation cases involving health care employees and dishing out fines and punishment. Spurred by state efforts, HITECH includes steeper federal civil fines and penalties for negligence (or downright theft) of protected health care data, and oddly, hands over to state attorneys general the power to enforce these provisions.

Individuals, however, are still barred from suing health care providers under HIPAA. Instead, they must file a complaint with the Department of Health and Human Services (HHS), which promises to remit a portion of the subsequent fines, if assessed, to the petitioner.

The history of HIPAA gets a little murky at this point. The act itself did not define any rules or laws governing medical privacy but instructed HHS to develop regulations. In 2001, HHS issued its long-awaited “privacy rule,” which gave individuals the “right of consent.” One year later, however, the agency removed the right of consent, under which patients could specify which information they would be willing to share and which they would not, and replaced it with a “disclosure rule” that opened up medical records to marketers and others. In the first four years of this ever-evolving privacy rule, tellingly, some 24,000 patients filed complaints with HHS, and not one (zero, to be clear) of these cases resulted in a fine. The department was routinely satisfied once the HIPAA-covered entity submitted a corrective action plan.

As for EHRs, HITECH mandates that all data be encrypted and that HHS carry out audits to ensure compliance on all levels. However, the law also states that physicians and others will be reimbursed under the $19-billion program only if they adopt “certified EHRs.” In other words, the federal government will be picking winners and losers in the health IT (HIT) field, so this may become a 21st-Century version of the “Friends of Bill” winners’ list from the last administration that focused on government-based health care reform. Curiously, though, funds won’t even be disbursed until 2011, so there won’t be any immediate stimulus from this part of the stimulus package.

Medical researchers, however, maintain that HIPAA needs to be loosened, not tightened, regarding health research. As it currently stands, the research portion of HIPAA requires each study volunteer to authorize, in writing, the use of any personal information before it is used. Also, the HIPAA rule dictates very specific rules that researchers must follow in order to protect privacy, such as listing the data, the confidentiality and privacy plans, and a time period for keeping the data. Early in 2009, a committee at the Institute of Medicine called on Congress to develop an entirely new approach to protecting personal health information in research, separate from the HIPAA privacy rule, which the committee claims is too cumbersome paperwork-wise.

Charges of Too Much, Too Little Privacy Protection

HITECH envisions full implementation of EHRs by 2014, which is widely regarded as too optimistic if not downright impossible, and it mandates that every person in America establish and maintain an EHR. This, of course, brings up howls of Big Brotherism. A group called the Institute for Health Freedom (IHF) lambastes the bill for not permitting opt-out and patient consent for information to be added to individuals’ EHR in the first place. Despite the provision that (somewhat) shields patients from unauthorized vendor disclosure, the bill mandates that all information on every patient be stored electronically, and then widely shared, whether the patient wants it to be or not.

"Congress needs to add opt-out and patient-consent provisions to ensure true patient privacy," says Sue Blevins, IHF president. "The bottom line is that if you want to control the flow of your personal health information, your consent to share the information must be a prerequisite and you must have the right to withhold permission. And neither the current federal (HIPAA) privacy rule nor the economic stimulus bill guarantees Americans the right of consent."

While IHF looks out for the consumer, other groups look out for the vested interests. Karen Ignagni, CEO of America’s Health Insurance Plans, the trade and lobbying organization for the nation’s health care insurers, announced that her group was just fine with the grants to implement EHRs but had some concerns over the privacy provisions. For instance, marketing restrictions that go beyond those already in HIPAA would prevent providers and payers from sending consumers prescription refill reminders and preventive care notices, Ignagni said. She also threw up red alerts about the provisions’ impeding emergency room care and adversely affecting disease management programs. She thinks the privacy provisions go too far while Ms. Blevins thinks they don’t go far enough.

HIPAA in the Workplace

HIPAA affects employers with two or more employees who offer group health plans, but some states lower that to employers with one employee. Specific provisions of HIPAA regarding group plans cover pre-existing conditions, nondiscrimination in coverage, the right of employers to purchase group plans, and the right of employers and employees to renew the plans regardless of health conditions. (If an employee leaves the company, she or he might then be entitled to continue it under the provisions of COBRA, the Consolidated Omnibus Budget Reconciliation Act of 1985.) However, HIPAA also defers to the states in the matter of overall health insurance regulation, so nationwide there is a crazy mosaic of what each state requires and permits, forcing insurers to craft different plans for different states or limiting themselves to certain states or areas of the country.

HIPAA in the main applies to “Covered Entities,” defined as a health care provider, a health care clearinghouse, or a health plan, but it also affects “Business Associates” who deal with the covered entities’ records, so potentially it covers everyone who comes in contact with personal health records. Bottom line is that all employers are covered by HIPAA if they maintain any personal health information (dubbed PHI) on their employees. Certainly, if they offer health insurance, all personal information relating to the group plan is confidential. In other cases, however, even employers without health insurance must honor HIPAA privacy provisions. Say an employer routinely requires a physical or a drug test for new employees. In that case, the results become HIPAA-protected personal health information. So the long hand of the HIPAA law extends deeply into society.

Though, as noted, fines are a rare occurrence in HIPAA compliance, they can get stiff if imposed. Penalties for non-compliance include civil monetary penalties of up to $100 per person per violation and up to $25,000 for violations of a single standard within a single calendar year. Criminal penalties may apply for wrongful disclosures of personal health information.

Future of HIPAA and Health Care Reform

Health care and HIPAA are joined at the hip (pun intended) as Congress and the Obama Administration mull reform of the nation’s health care delivery system. As noted earlier, federal solutions are stacked to trump private solutions, given the nature of the people now calling the shots in Washington, D.C., and the power of the government to make health care appear more accessible and affordable while masking the fact that it is only being more regulated (paying less to providers), more restricted (mandating which prescriptions and procedures doctors can use), and more rationed (limiting consumer choice).

We’ve already seen the first step—Obama’s “down payment”—in the form of the expanded, government-run SCHIP program. The stimulus plan also conveniently slipped in the creation of a federal agency to begin cataloguing the most effective medicines and medical procedures, which incited great debate about whether effective meant cost only or also included clinically best. Drug companies pushed hard for the second definition. On such a semantic distinction could hinge the quality of health care Americans in the future will receive.

Regardless of the twists and turns that health care reform may take, so long as employers are involved in employees’ health or health insurance, any records will be subject to HIPAA, COBRA, ERISA (Employee Retirement Income Security Act), and ADA (Americans With Disabilities Act) privacy provisions. (On Nov. 21, 2009, GINA—the Genetic Information Nondiscrimination Act—also takes effect.)

Personnel Concepts, the leader in the labor law poster compliance industry, tracks and follows all changes in workplace laws and regulations and offers a variety of HIPAA-related products. Employers and human resources professionals can thoroughly immerse themselves in needed knowledge with Personnel Concepts’ HIPAA Compliance Kit.

About the author:
Gary McCarty is a researcher and Web Content Manager for Personnel Concepts.


Note: The details in this white paper are provided for informational purposes solely. All answers are general in nature, not legal advice and not warranted or guaranteed. Readers are cautioned not to rely on this information. Because laws change over time and in different jurisdictions, it is imperative that you consult an attorney in your area regarding legal matters and an accountant regarding tax matters.
