Featured Health Business Daily Story, Aug. 6, 2012

Health Insurance Exchanges Are Sure to Create New HIPAA Compliance Challenges

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

August 2012Volume 12Issue 8

Health plans and their hospital partners that intend to participate in state insurance exchanges called for under the Affordable Care Act are likely to find a host of new privacy and security requirements.

Now that the constitutionality of the act has been upheld, most states are moving forward more quickly since the law requires exchanges to be established by January 2014, although some Republican governors and legislators are delaying efforts until after the November elections.

While some states will operate their own exchanges, others will establish exchanges through partnerships with the U.S. government and its contractors.

Exchanges will facilitate the purchase of health insurance coverage by small business and individuals, with functions ranging from determining eligibility and vetting plans for compliance with required benefits packages to making plans available online and processing enrollment.

In most cases, the exchanges themselves will not be covered entities under HIPAA, falling instead under the federal Privacy Act and relevant state laws, among others.

Exchanges are governed by a number of rules issued by HHS. One of the HHS regulations issued in late March made it clear that the agency wasn’t requiring exchanges to be CEs, but that this determination would depend on governance issues and the types of information the exchange would be handling.

The Center for Democracy & Technology (CDT)has been tracking the privacy and security protections throughout the development of the exchanges. Kate Black, CDT’s staff counsel, based in San Francisco, says most exchanges have been set up as government or quasi-government entities and won’t be CEs.

In contrast, participating insurers — called qualified health plans — will continue to be CEs, and as such, must continue to comply with HIPAA, as well as the new privacy and security measures that exchanges choose to impose on their participating plans.

HHS Not Did Harmonize Regulations With States

HHS issued proposed rules governing the exchanges in July and August of 2011, with a final rule published on March 27. The final rule adopted the proposed rules’ provisions for protecting patient information, which require exchanges to adopt “safeguards that ensure a set of critical security outcomes” and lay out the “framework within which an exchange must create its privacy and security policies and protocols.”

Complicating this already complicated picture: Multi-state plans participating in more than one exchange will operate under a patchwork of regulations.

If plans struggle to comply, their battles will have been predicted. In the final rule, HHS admitted it pushed back against “many commenters” who “recommended that HHS set a national minimum standard for use and disclosure of personally identifiable information (PII) under proposed §155.260(b) rather than allow each exchange flexibility to develop and implement standards customized to its operations.”

The agency was also asked to harmonize federal and state laws “for the development and operation of information technology systems across all states.”

HHS said it recognized “that there should be robust minimum privacy and security standards to ensure the confidentiality and integrity of PII created, collected, used, or disclosed by an exchange.”

“We also accept the comment that each exchange will need to consider any state and federal laws governing individuals’ privacy and security rights for the geographic area(s) in which it operates in order to ensure PII is protected against any reasonably anticipated uses or disclosures that are not permitted or required by law,” the final rule states. “We acknowledge the current variance among states’ laws governing privacy and security.”

But a single standard would be impracticable and costly, HHS maintained.

Agency officials “believe that eliminating this variance would, in many cases, apply federal standards to existing state privacy and security frameworks,” the final rule states. “This would be prohibitively expensive for many states, and could be detrimental to the goal of maintaining the confidentiality of PII. In addition, multiple security frameworks increase the complexity of the technological environment — if a state must follow two different frameworks, there is an increased risk of applying the wrong security controls to the exchange.”

Fair Information Principles Will Apply

The rule contends there is a “need for flexibility in the implementation of these standards in order to minimize implementation costs. The imposition of uniform standards would increase costs related to re-training staff, engaging contractors, investing in additional physical and technological infrastructure, and other tasks related to implementation of the new standards. We believe it would increase the complexity of state operations, with associated risks and costs, without providing meaningful improvements to the protection of PII.”

Instead, under section §155.260(a) of the final rule, HHS explains it chose not to “establish a single, baseline standard” but is directing exchanges to develop privacy and security policies based on the following Federal Trade Commission Fair Information Practice Principles:

“(i) Individual access. Individuals should be provided with a simple and timely means to access and obtain their personally identifiable health information in a readable form and format;

“(ii) Correction. Individuals should be provided with a timely means to dispute the accuracy or integrity of their personally identifiable health information and to have erroneous information corrected or to have a dispute documented if their requests are denied;

“(iii) Openness and transparency. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their personally identifiable health information;

“(iv) Individual choice. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their personally identifiable health information;

“(v) Collection, use, and disclosure limitations. Personally identifiable health information should be created, collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately;

“(vi) Data quality and integrity. Persons and entities should take reasonable steps to ensure that personally identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner;

“(vii) Safeguards. Personally identifiable health information should be protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure; and,

“(viii) Accountability. These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.”

In addition, the final rule requires that “exchanges impose privacy and security standards that are the same or more stringent than the privacy and security standards in §155.260(a) as a condition of the agreement with other individuals or entities that will receive information through the exchange.”

Final Rule Is ‘Very Pleasing’ for CDT

Deven McGraw, director of CDT’s Health Privacy Project, tells RPP the final rule reflects many of the changes CDT proposed in its comments on the proposed rule, leaving the organization “very pleased.”

There were “a few things we asked for and didn’t get,” such as “requiring consumer input in the development of the policies and that they be shared with the public and subject to public comment,” she says.

“But on the whole, nearly everything we suggested in our comments to the proposed rule was incorporated into the final rule,” McGraw says.

Black says that it makes sense to not apply HIPAA whole cloth to exchanges because the information to be shared isn’t the same as HIPAA governs. Privacy and security safeguards “need to be tailored to the information flows,” Black says. Applying HIPAA might be “simplified, to some extent. But it might not be a good fit.”

For example, the exchanges will collect more than just health information, but “a lot of demographic information, including immigration status and incarceration status,” Black explains. U.S. residents not in the country legally and individuals incarcerated are ineligible to purchase insurance through the exchanges.

Exchanges will also “access personal information from a federal Data Services Hub in order to comply with the Affordable Care Act,” Black says. This hub “will collect personal information from a host of federal agencies in one system, which then must be linked with differing computer systems in states. The information it collects and processes will include tax information from the IRS and verifying Social Security numbers,” and more, she says.

Requirements Vary From One State to Another

The requirements states come up with may be more stringent than HIPAA, but that isn’t certain and “will vary entirely by state for the most part, “Black says.

Covered entities will notice some common HIPAA elements missing from the operations of exchanges, at least at this point. For example, the final rule does not specify whether any federal agency, akin to the Office for Civil Rights, would enforce compliance with the exchange regulations or whether that would be left up to a state.

While the regulation does establish penalties for violations, they are less than under HIPAA. The final rule states that “any person that knowingly and willfully uses or discloses personally identifiable information in violation of section 1411(g) of the Affordable Care Act will be subject to a civil money penalty of not more than $25,000 per disclosure and be subject to any other applicable penalties that may be prescribed by law.”

Similarly, the regulations don’t mandate breach notification or issuance of a HIPAA notice of privacy practices. But exchanges will have to implement policies that comply with the “openness and transparency” principles. The form these policies take may resemble what is already required in a particular state, Black says.

Because few exchanges are operational, “there is an opportunity for this to be done right from the onset,” says Black, who has been advising California officials as they set up their exchange.

California was the first state to pass legislation establishing an exchange. Black and Consumers Union provided the state with a “matrix” that lays out ways it can operationalize the principles HHS is requiring of exchanges.

One aspect that all exchanges must address is giving patients some control over their information. This is increasingly an issue with electronic health records (see story, p. 1).

“Individuals should have reasonable opportunities to exercise some choice with respect to collection, use & disclosure of their individually identifiable information. What choices should be provided depends on the context for information sharing,” the matrix states.

© 2012 by Atlantic Information Services, Inc. All Rights Reserved.

For hard-hitting news and strategies on state and private health insurance exchanges, check out the monthly newsletter Inside Health Insurance Exchanges the AIS Marketplace.

It's quick and easy to sign up for FREE access to AISHealth.com!

Why do I need to register?