HHS explains how to hide care from health plans

HHS Secretary Kathleen Sebelius (AP photo/Charles Dharapak)

When patients pay for medical care out of pocket, they should be able to keep doctors and hospitals from telling their health insurers about the care.

Officials at the U.S. Department of Health and Human Services (HHS) have included a discussion of that issue, handling of genetic information, and other matters in a new, 563-page set of final regulations, "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act" (RIN: 0945-AA03).

The privacy provisions in the new final rule include many sections that refer to health plans, health insurers, health plan administrators and health care providers by the term "covered entity," and a long section on use of genetic information in long-term care insurance (LTCI) underwriting.

The final rule also includes many references to the obligations of the "business associates" of the entities covered by the regulations. The term "business associate" appears to include health insurance agents and brokers, and many health insurance agent agreements posted on the Web state in the list of definitions that "business associate" means "agent."

Mechanics
HHS began developing the regulations to reflect the changes in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 health data rules made by the Genetic Information Nondiscrimination Act of 2008 (GINA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the Patient Protection and Affordable Care Act of 2010 (PPACA).

The final regulations are set to appear in the Federal Register Jan. 25.

The final rule is set to take effect March 26.

Health insurers and health producers, and other covered entities and business associates must start to comply with the applicable requirements by Sept. 23.

Officials expect the regulations to apply to about 698,000 covered entities, including about 34,000 long-term care (LTC) facilities and nursing homes, about 15,000 home health providers, 730 health insurers and 750 independent benefit plan administrators, and 419,000 doctors.

First-year costs for implementing the regulations could be between $114 million and $225 million, and annual costs could be about $35 million to $43 million, officials estimated.

What the regulations do
The new final rule:
  • Makes the business associates of health insurers, health care providers and other covered entities "directly liable for compliance" with some HIPAA privacy and security requirements.
  • Prohibits holders of "protected health information" from selling it without authorization from the patient.
  • Expands patients' right to get electronic copies of health information.
  • Eases the requirements involved when providers send child immunization information to schools, or the health information of dead people to the dead people's relatives.
  • Implements a GINA provision that prohibits most health plans from using or disclosing genetic information for underwriting purposes.

Still another provision restricts "disclosures to health plan concerning treatment for which the individual has paid out of pocket in full," officials said in a preamble to the regulations.

Hide the test
One provision in the draft regulations that may have startled some in the health insurance community is the provision that lets patients who pay for particular services, such as blood tests, out of pocket ask the providers to keep information about those services from their health plans.

Traditionally, health insurers have argued that they need complete information about the care plan enrollees are getting to understand the health care risks enrollees face, encourage the enrollees to take good care of themselves, and estimate future claims costs.

The rules that have been in place require providers to consider requests from patients to keep certain sensitive services from insurers, and for providers to honor those requests if the providers agree to keep the services confidential. The existing rules do not require providers to agree to the requests for confidential treatment.

In the draft regulations, HHS said patients could keep services from plans even if they were seeing providers in their health plans' networks and the plans were paying for some of the other care the patients were getting.

Some commenters wrote to express concerns about how the provisions would really work, and how a doctor providing many services during a single office visit could really keep some services secret from a health plan, especially if the doctor were providing a bundle of services, splitting up the bundle would be costly, or billing for the non-sensitive services would give a health plan the clues the health plan needs to determine what the sensitive services are.

"Many commenters expressed support for the suggestion that [health maintenance organization (HMO)] patients would have to use an out-of-network provider for treatment to ensure that the restricted information would not be disclosed to the HMO," officials said. "Conversely, some commenters stated that individuals should not have to go out-of-network when requesting a restriction and instead, providers could and should treat the services as non-covered services and accept payment directly from the patient. Several commenters also suggested that managed care contracts would have to be revised or renegotiated in order to comply with this provision and as such, ample time for renegotiation should be provided."

Commenters also asked what providers should do when patients said they would pay for sensitive care out of pocket but failed to pay for it.

HHS officials adopted the draft regulations with some clarifications.

Providers do not have to set up separate records for sensitive procedures, but they must somehow flag the sensitive information, to avoid sending information about those procedures to carriers, officials said.

When billing for a sensitive service on an unbundled basis is difficult, a provider should offer to let the patient pay for the entire bundle out of pocket, officials said.

A patient can use a health savings account (HSA) or a flexible spending account (FSA) to pay for sensitive care, but the patient cannot restrict the kind of disclosure to the HSA or FSA that's necessary to effectuate the payment, officials said.

GINA and LTCI underwriting

The HIPAA privacy rule includes LTCI policies other than nursing home fixed-indemnity policies as "health plans."

In a discussion of the effects of GINA on health insurance underwriting, HHS officials noted that a commenter told the department that 16 states regulate the use of genetic information in underwriting disability insurance and 10 states regulate the use of genetic information in LTCI underwriting.

Some commenters argued that LTCI plans are not mentioned in GINA, and that applying GINA to plans other than the types of health plans listed in GINA is contrary to the intent of GINA.

HHS officials believe that GINA does not override HIPAA and does not limit the department's ability to set genetic information standards for "any and all health plans that are governed by the HIPAA Administrative Simplification provisions," officials said.

"We also continue to believe that individuals have a strong privacy interest in not having their genetic information used in an adverse manner for underwriting purposes and to believe that this privacy interest outweighs any adverse impact on most health plans covered by the privacy rule," officials said.

But a number of sources said a prohibition on use of genetic information in LTCI underwriting could hurt LTCI carriers and affect the viability of the LTCI market, officials said.

"While we exempt long-term care plans from the underwriting prohibition in this final rule, we continue to believe an individual has a strong privacy interest in the way his or her genetic information is used for the underwriting of long-term care insurance," officials said.

HHS does not believe it has enough information to set the proper balance between privacy interest and insurers' interests, officials said.

HHS is responding to that concern by having the National Association of Insurance Commissioners (NAIC) or some other entity study the matter.

"Long-term care plans, while not subject to the underwriting prohibition, continue to be bound by the privacy rule, as are all other covered health plans, to protect genetic information from improper uses and disclosures, and to only use or disclose genetic information as required or expressly permitted by the rule, or as otherwise authorized by the individual who is the subject of the genetic information," officials said.

Softeners
Officials refer briefly to "transitional relief" in the final rule.

In some cases, health insurers and agents can use existing contracts that don't reflect the new health data privacy and security rules for up to one year beyond the compliance date, officials said. 

"We decline to provide a longer time for compliance with the business associate agreement provisions," officials said.

HIPAA offered a similar one-year phase-in period after it updated HIPAA rules in 2002, and that transition period seemed to give most entities enough time to adapt, officials said.

The topic of safe harbors comes up in a section on health data breach rules. Covered entities now must tell affected individuals about almost any breach of health data, even if there is no known risk of harm to the patient. Breaches also can lead to big fines.

Covered entities can get an easing of the breach notification requirements by taking advantage of a safe harbor for entities that encrypt health data, officials said.

HHS is expecting to get about 19,000 data breach notifications per year, with about 250 affecting more than 500 individuals and the rest involving fewer patients. Individuals could get a total of about 6.7 million breach notices per year, officials estimated.
