FEDERAL PATIENT CONFIDENTIALITY REGULATIONS IMPACT AGENTS

Commercial clients with health care plans, life insurance programs or workers comp must comply

By Phil Zinkewicz

The federal mandate regarding patient confidentiality will affect any organization--small or large--that collects and disseminates personal health information.

Last December, just before the Christmas holiday, Congress and the Clinton administration sent a special package to the health care industry. It was a package of sweeping new regulations to protect patient confidentiality, the first regulations ever to establish national standards for how personal health information is issued and distributed, and to set civil and criminal penalties for breaching patient privacy.

On the surface, the new regulations, which are mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), appear to affect only health care providers, i.e., doctors, hospitals, HMOs, etc. But in reality, the voluminous 1,500-page document could have a profound effect on all employers, small and large, because the regulations affect any organization that collects and disseminates personal health information. Therefore, independent agents must realize that their commercial clients with health insurance plans, workers compensation plans and life insurance programs will have to comply. The time frame for compliance is two years, three for very small firms. The cost of non-compliance can be as much as $50,000 and up to a year in prison for intentional disclosure of private information, and $250,000 and up to 10 years in prison for disclosure with intent to sell the data.

Compliance with the new privacy regulations, which are being enforced by the Department of Health and Human Services (DHHS), mandates that all health plans and providers will be required to inform patients about how their information is being used and to whom it is being disclosed. The regulations also will give each patient a right to a "disclosure history" listing the entities that received their personal medical information.

Patients will also have the right to access their own medical files, as well as the right to request amendments or corrections. Moreover, doctors and hospitals will be required to obtain written consent before using a patient's health information, even for routine purposes. The regulations also contain requirements relating to disclosures of protected health information by employer-sponsored health plans. Before these plans may share protected health information with the employer, there must be specific restrictions on the employer's use and disclosure of the information.

The rules have a far greater scope of coverage than the DHHS proposed a year earlier. "Rather than being strictly tied to electronic records, it's going to cover all health information, regardless of form," according to Don Asmonga of the American Health Management Association, which supports the extended coverage. That means that written records and even medical information that is transmitted orally will fall under the new regulations.

Consumer activists have hailed the new rules, saying that they give the public unprecedented access to and control over their personal medical information. They admit there will be implementation issues and significant costs involved, but they say that overall it is a major positive development.

The health care industry, on the other hand, sees the new regulations as onerous and overly expensive. New computer systems will have to be installed and new processes initiated. Staff training also will be necessary, they say. "This is a regulation that is going to have a deep and serious impact on the business of health care," Larry Ponemon, senior partner with PricewaterhouseCoopers, told Reuters Health.

Furthermore, Karen Ignagni, president and CEO of the American Association of Health Plans (AAHP), at a special press briefing immediately following the release of the new regulations, said the rules could undermine the efforts to remind women to have a mammogram, for instance, or to encourage diabetes patients to get retinal screenings. "We are going to be looking at all available options for addressing the problem," she said.

The new regulations are sweeping indeed, and agents who represent commercial interests, where workers compensation and health plans come into play, will have to be aware of all the implications. Many questions remain unanswered. How will state workers compensation laws, which deal with an employee's personal medical information relating to on-the-job injuries, be affected by the new rules? Will state regulation have a role or will the DHHS be calling the shots? And is technology ready to assist those affected by the rules in complying?

"The original intent of HIPAA was to handle the medical records and claims pertaining to the health care industry," says Larry McArthur, president and CEO of the San Jose, California-based TrustData Solutions, a firm that designs special software programs to protect the security of e-commerce environments in the health care and financial services businesses. He also says that there have already been cases of hackers tapping into corporate files and hospital records and posting the information on Internet bulletin boards for all to see. Sometimes these hackers operate out of malicious mischief; sometimes for profit, "kidnapping" the information for ransom.

"That's what brought about the need for these new stringent regulations," says McArthur. "The government realized that it could save billions of dollars by computerizing the medical and claims records in digital form. But some very bright Congressional representatives began to realize that they had opened a Pandora's box. One click of a mouse could send private health information anywhere. We can't do anything about the information that has already been improperly acquired and disseminated, but these new regulations are intended to protect future records and to make it more difficult for hackers to do their mischief."

Having recognized the intention and the complexity of the new regulations, TrustData Solutions is targeting the health care industry to market its software packages to secure privacy of information. In addition, TrustData Solutions is considering working with agents' and brokers' associations to adapt its existing software to fit their members' needs.

In fact, TrustData Solutions struck a deal last December with J.S. Wurzler Underwriting Managers, Inc., a global enterprise specializing in e-business, under which Wurzler will offer customers preferred liability coverage and rates through Lloyd's of London when using TrustData's software applications. "With these new regulations, this alliance could become a model for similar agreements with other producers whose clients have to comply," McArthur said.

"The growth and widespread acceptance of Internet-based e-commerce business solutions is hampered by the potential liability associated with unauthorized access to and use of sensitive business information," continued McArthur. "Health care and financial services companies are increasingly concerned with potential liability resulting from unauthorized disclosure of personal and private data. The new federal regulations provide strong guidelines for data privacy and a framework for damage assessment. Our software solutions have been developed specifically to manage and track the unauthorized use of digital content in any file format including documents, form data, images, software, audio and video."

Therefore, according to McArthur, technology is poised to deal with the new privacy regulations. But what about regulators? We all know that the insurance industry in the United States is state regulated, although the federal government is making inroads into the state regulatory scene every day. Most states, if not all, have their own privacy laws. Which will have supremacy, the new regulations handed down by the federal government or state laws? McArthur says that, as currently written, the new regulations call for states to have supremacy if a state's law is at least as strict as the new federal rules. But it already has been acknowledged that the new federal laws are the most stringent anywhere in the United States. Therefore, unless states begin to enact tougher privacy laws, the federal government will take control.

In addition, it should be remembered that this document is 1,500 pages long and is very complex. It also is untested. McArthur agrees that these new rules will probably end up in the courts. "In many ways, HIPAA is not much different from OSHA or ERISA," said McArthur. "Like those laws, these new regulations will be put out and tested in the judicial process."

McArthur says that these new rules could represent a new opportunity for agents and brokers. "If insurance producers bone up on the new regulations, develop some expertise, they could be of immeasurable value to their insureds by providing necessary compliance information on a fee-for-service basis," he said.

However, agents who intend to take advantage of this opportunity must be very careful, lest they leave themselves open to errors and omissions lawsuits should they not provide their clients with accurate and complete information, he said.