Hubert H. Humphrey Building
200 Independence Avenue,
S.W.
Room 505-A
Washington, D.C.
MS. FYFFE: The Subcommittee on Privacy and Confidentiality working session begins now. It is approximately 11:15 and we will go on to 12:30, at which time we will break for lunch.
I am Kathleen Fyffe. I am not Kathleen Frawley. Kathleen Frawley is on her way and until she gets here, I am going to sit in as chair of the subcommittee.
This morning we are honored to have with us two folks from the National Association of Insurance Commissioners, also known as the NAIC, as our guest speakers. We have Wendy Pellow, who is legislative counsel in the federal health affairs area of the NAIC and also Jennifer Cook, who is assistant counsel for health policy.
For those of you that might not be familiar with the National Association of Insurance Commissioners, it is an association consisting of the insurance commissioners in almost every state and territory. And to give you an idea of how active the states are in terms of regulating insurance and health insurance in particular, on an annual basis, it is not unusual for the states to introduction 40,000 pieces of legislation, which could potentially affect insurance companies.
Obviously, not all of those pieces of legislation are enacted in the states, but there is quite a bit of legislative activity that goes on.
Now, the insurance commissioners in the various states, some are elected and some are appointed and the NAIC itself as a very, very comprehensive structure of committees and working groups and they meet about four times a year, including weekends. They work very, very hard and produce a number of model acts.
And the one that is of particular interest to us this morning -- and I will be passing this out to everybody -- is something called the Health Information Privacy Model Act that was adopted on September 14th, 1998. Now, to avoid confusion, back in the 1980s, there was a model act passed by the NAIC that had to do with privacy broadly defined in insurance, not just health care. And that act still stands, but this new act, again, is the Health Information Privacy Model Act.
I am going to pass this around to the members of the subcommittee. Before we get started, let me introduce the folks that are around the table here, starting with Jim.
MR. SCANLON: I am Jim Scanlon. I am staff to the National Committee and I work at HHS here in the Office of the Assistant Secretary for Planning and Evaluation.
MR. BLAIR: Jeff Blair, member of the committee
MS. HORLICK: Gail Horlick, CDC, and I am the lead staff person to this subcommittee.
MR. STONE: I am Walter Stone with the Health Care Financing Administration.
DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Policy and Research.
MR. GELMAN: Bob Gelman, privacy consultant, member of the committee.
DR. COHN: Simon Cohn, member of the committee.
MS. FYFFE: Okay. I will turn it over to you.
MS. PELLOW: Thank you for having us here today.
As Kathleen stated, the NAIC represents the insurance commissioners in all 50 states, the District of Columbia and all FOIA territories. The NAIC staff is set up to -- the NAIC staff basically supports the insurance commissioners in all of their responsibility and that includes protecting insurance consumers.
As Kathleen mentioned, the NAIC is set up in committee structures. We have an elected executive committee and then we have various committees and subcommittees and then under each committee, main committee, there are working groups and task forces. Those groups do the bulk of the work and report back to the full committee for its review and approval and it just moves up through the process of being approved by the executive committee and being approved by the full membership.
The NAIC, as Kathleen stated, develops model laws and this is basically our way of developing public policy. These model laws are flexible enough to allow the states to adopt them in full or adopt them in part and structure it for their state's needs, but it also develops some degree of uniformity to help the states regulate insurance.
In terms of this particular model and this working group, Jennifer was going to go into more detail about the Health Information Privacy Act and the working group that developed and did all the leg work on this model.
MS. COOK: I was the staff person who staffed this Health Information Privacy Model Act and what I thought I would do is just sort of informally -- take a little more informal format and go through the model, sort of stating the thrust of each particular section, what we were going for and see if anybody has any questions as I go along.
Will that work?
MS. FYFFE: Fine.
MS. COOK: Well, just to say another thing, it was the Health Information Privacy Working Group that developed this model. We met formally at the four annual meetings NAIC has. We also had many interim conference calls and interim meetings. Everything was open to the public. We had lots of comment from all sectors of the insurance industry and consumer representatives of all types.
Ultimately, this model was passed by the whole NAIC membership. The vote was 37 for the model, 13 opposed.
MS. FYFFE: How many years did this take you? Because I remember seeing the beginning of this, I think, back in 1995 or something.
MS. COOK: This was quite the process. It took us four years, most vigorously for two, the last two.
The whole purpose for the Health Information Privacy Model Act was to set standards to protect health information, as well as procedures for the treatment of all health information. A couple of key definitions defined on page 3, (i) health information, works very closely with the definition on page 4 of (l), which is protected health information, which is basically what people have come to understand is individually identifiable health information and that, the focus of this model, deals with health information.
Another important focus is the scope. The scope of this model is only insurance carriers. It is all insurance carriers, not just health carriers. It deals with protected health information and it also deals with the collection, use and disclosure of protected health information. Those are major terms that are used throughout.
MR. BLAIR: Was HCFA or state Medicaid agencies involved or observers just as inputs, since they are also payers?
MS. COOK: I believe they were aware but I am wouldn't say that their involvement was extensive.
MR. BLAIR: Private sectors, though?
MS. FYFFE: Generally, the insurance commissioners or the insurance departments in states have jurisdiction over insurers, who are listened as businesses in those states or do business in that state. I guess one question I would have is where do managed care plans fall.
MS. COOK: "Carriers" is a defined term in the model. And it does include health maintenance organizations. Section 5 talks about general health information policies, standards and procedures that carriers are obligated to have in place. This is things such as limiting access to health information to only those persons who need it to perform their jobs or having the care, have disciplinary measures for violations, procedures for authorizing, restrict the collection used for disclosure, protected health information, that sort of broad thing to cover all health information.
This section also states that a carrier shall pay attention to its contractual relationships. The model recognizes that a carrier often contracts out for a lot of what it does, but it should not be able to abdicate its responsibilities to protect privacy through that contractual relationship. We try to address that.
Section 6 provides for a notice. A carrier shall have a written notice of these health information policies, standards and procedures they just talked about in Section 5 and shall provide that notice to any person upon request. The model provides a right to access protected health information and sets out time frames and the circumstances under which the request may be denied.
An example of that is when the protected health information is then compiled in preparation for litigation or disclosure of the protected health information would be otherwise prohibited by law. The model also allows for an individual to amend their protected health information. What is meant by that is to correct or amend.
It sets out the circumstances when -- actually this is -- it also says that although an individual has a right to amend their record, (e) on page 16 says nothing in the section shall require the carrier to alter, delete, erase or obliterate medical records.
The model requires that the carrier keep a list of the persons to which the information has been provided. Section 10 sets out the general rule, which is the carrier is not to collect, use or disclose protected health information without a valid authorization. And it sets out what are the components of a valid authorization.
It sets out circumstances where a separate authorization is required. The members do not take a position of prohibiting any use of health information but thought that situations, such as marketing, warranted a specific authorization. So, it sets out on page 13 in Section (e) the circumstances when a carrier shall obtain a separate authorization.
It also allows the individual to revoke an authorization at any time.
MR. BLAIR: By "individual," do you mean individual patient or individual within the insurance company?
MS. COOK: Individual who is the subject of the protected health information. That is generally the way we define it.
Then Section 11 sets out the exceptions to the general rule, when a carrier may engage in activities with regard to protected health information without an authorization. Some examples are those -- it allows for intercarrier collection or disclosure, provided that the carrier is investigating a claim or to deal with a merger or acquisition of liability from one carrier to another.
Another example of when a carrier may collect, use or disclose, without an authorization may do so to investigate, evaluate, subrogate or settle third party claims.
Another example is in the case of fraud -- I was looking for it to point it out to you. It also allows the carrier to disclose protected health information to federal or state local government authorities to the extent required by law.
Section 12 sets out the circumstances when a carrier may disclose protected health information without an authorization for scientific medical and public policy research.
MR. BLAIR: Does the audit of people or individuals or organizations that have access, does that also apply to the release of information to law enforcement agencies and to public and health research agencies?
I am not talking about authorization. I am just simply saying that -- you said before that it requires that a list be maintained of who had access to the information.
MS. COOK: Right.
MR. BLAIR: Does that list extend to law enforcement, as well as the research agencies?
MS. COOK: Yes, it does.
Section 13 lists some general unauthorized collection uses and disclosures. It lists things such as the unauthorized publication of protected health information, the unauthorized sale of protected health information, the unauthorized manipulation of coded or encrypted health information to reveal protected health information.
Section 14 establishes a right of an individual to limit the disclosure of information to specific named individuals. The membership was trying to get at the battered spouse situation or circumstances where state law recognizes the right of minors to consent to health services.
And the model also provides for sanctions, several sanctions and criminal sanctions. The model does not contain a private right of action, but does contain a drafting note saying that states should consider, consistent with their state laws, whether they wish to allow a private right of action for a violation of privacy.
MR. BLAIR: This may have been on your chart. I just can't see it. Did it expressly prohibit the extension of providing health care information to an employer?
MS. COOK: It addresses employers and, in general, defers to state workers compensation laws and also provides, I believe, for one of the specific authorization -- one of the specific authorization sections addresses the employer relationship.
MR. BLAIR: By addresses, does that mean it is prohibiting it or does it -- what do you mean by addresses?
MS. COOK: No. It just states that a carrier shall obtain a separate authorization to disclose protected health information to an individual's employer, including the employer's designated risk manager, unless the protected health information is disclosed pursuant to the employer's workers compensation program to the extent necessary for the performance of the employers and carriers rights and duties under state laws governing workers compensation.
(2), the protected health information is disclosed pursuant to the employer's administration of the health and welfare benefit plan or (3) the protected health information is necessary to the administration of claims pursuant to a commercial line's policy.
MR. GELMAN: Let me highlight No. 2 there, just so you will understand the significance of it. It says the protected health information is disclosed pursuant to the employer's administration of a health and welfare benefit plan. If you are running a health plan and offering it to your employees, then they can give you the information without consent.
PARTICIPANT: Really?
MR. GELMAN: Yes.
MS. COOK: That was a separate authorization. Well, I suppose if it is to administer -- one of the overriding themes of our model was to allow carriers to continue to do the job of the business of insurance. So, when the exchange of information is for legitimate insurance business purposes, the model tried not to unduly inhibit the flow of information in the circumstances.
MR. GELMAN: Let me offer a further comment. I don't think this is the world's worst health bill, but it has got a lot of problems and this is one of them. Employers who are offering health insurance to their employees are the customers of the insurance companies and I have been told by -- I have heard this from both employers and insurance companies that the employers say give me data or I will take my business somewhere else. This law says -- this proposal says the insurance companies can give them the data without any restriction, without any limit in order to satisfy whatever use -- I mean, all the employer has to say is that it qualifies for administration of a health program, which is, of course, what they are providing. And once they get the information, they can do anything they want with it.
MS. FYFFE: Would this model, however, supersede state laws that protect sensitive medical information due to substance abuse or --
MS. COOK: No.
MS. FYFFE: This would not supersede. It would depend on the state law. Okay.
MS. COOK: And actually this is a model. So, that would have to be addressed by states when they adopt it.
MS. FYFFE: So, if there is a state law that says that employers cannot have particular information about a person's health and that could supersede this provision, depending --
[Multiple discussions.]
MR. GELMAN: I don't know a lot of state laws that say that.
MS. FYFFE: You know, when you look at the table of contents of this model act -- of course, this could all be a bad dream in my mind but I keep seeing the same table of contents in proposed federal bills and it seems -- I am not saying identical, but it certainly seems similar at least in terms of major headings and provisions.
MR. GELMAN: All of the bills generally address the basic elements of fair information practices, which is pretty much what you find here. The devil is always in the details, but the basic structure is the same in all of the bills. There is only one bill that really has a different structure of the federal bills. And that is the SHAYS(?) bill.
MR. BLAIR: Could you help me understand this a little bit better because I don't want to draw an inappropriate conclusion from what you have just told me. It sounded to me like what you were saying that -- thank goodness I am retired and I am past this point, but let's say, you know, I was still working a major employer and they were providing health benefits to me and I had either a history of drug abuse or AIDS or some psychological problems or a genetic defect or whatever. And in the process of -- or maybe cancer or whatever and in the process of my going to the managed care organization that was providing health care in conjunction with my employer, you know, as contracted for by my employer and a claim is submitted and it goes to an insurance company, I, as an individual, would not be notified that that information -- maybe I have this predisposition to cancer -- that information could then we shared underneath this model with my employer.
Is that correct?
MS. COOK: I have to say that I am hesitant to answer hypotheticals because I haven't had time to consider it and to look at the model and to study it. It is not something I feel comfortable just answering.
MR. GELMAN: I feel comfortable answering it. The answer is "yes."
MS. FYFFE: However, there is this other set of laws called ERISA and -- the ERISA plans are not covered by this.
MS. COOK: No, this does not cover --
MS. FYFFE: Okay. Can you explain that a little bit? Can you talk about that a little bit or --
MS. COOK: The ERISA quandary?
MS. FYFFE: Yes.
MS. COOK: This model covers insurers. To the extent that an ERISA plan is fully insured, the state regulators regulate the insurance company that an ERISA plan contracts with. There has been some disturbing case law that may call into question certain state laws and the extent to which states can continue to regulate insurers that contract with ERISA plans.
As far as self-funded ERISA plans, ERISA plans that self-insure, this does not address that.
MS. FYFFE: Okay. Just from a really high level macro point of view, let's say there are, for the sake of argument, 180 million people in this country covered by some sort of health plans, employer-sponsored plan, approximately what proportion of that is ERISA versus non-ERISA, can you say?
MS. COOK: I think that it is the majority of them. Most insurance is through ERISA plans, whether they are self-funded or fully insured.
MS. FYFFE: So, that this model act and the state laws would not have jurisdiction over that.
MS. COOK: It regulates the insurance companies.
MS. FYFFE: Okay, that might have the administrative ASO or business to administer, let's say -- let's take a big Fortune 500 company, would not want to process the claims because that is not their business. They would contract with an insurance company to do that. Okay? Would that contract be covered by this or we don't know?
MS. COOK: I am not sure.
MS. FYFFE: You are not sure. Okay. That is all right.
MR. BLAIR: Were you talking about what I have heard referred to as third party administrators?
MS. COOK: Actually they do. This model -- the way the model is drafted does not apply to third party administrators but that I believe there is a foot note or a drafting note stating that states may wish to include either separately or in a definition third party administrators.
DR. MC DONALD: I have a question about the permission for patient care. It is an accepted use, which I actually think is not bad but it seems like it is highly restricted to that carrier's physicians, which means then there is an inhibition for patients changing carriers because -- or what could be interpreted that way because that doesn't seem to give any permission for the patient's primary care doctor, who may not be a carrier -- I mean, not be paid by the carrier anymore because they changed plans. I just wonder if that could be reviewed a little bit to see if -- I mean, so that it doesn't look as self-serving, so that the insurance company can hang on to the patients by making it hard to get the back information.
I may not have read -- I mean, I read it fairly fast, so I may have interpreted it.
MS. FYFFE: Do you all recall or can you say who some of the different constituencies were that you heard from in developing this bill? Because I know there were a number of different groups, not only insurers, but there were also consumer groups and employer groups, I would imagine.
MS. COOK: Right.
MS. FYFFE: Can you comment on that, please?
MS. COOK: I am trying to remember. I wish I brought -- we did a project history and I had a list, a huge list of insurers and insurance trade associations, the AFL-CIO, Women's Health Care Coalition, Council for Responsible Genetics, Planned Parenthood, American Council of Life Insurers --
MS. FYFFE: Were there any specific groups from consumers.
MS. COOK: Yes, I mentioned those, the Council for Responsible Genetics, the Women's Health Care Coalition, the Planned Parenthood --
MR. GELMAN: Did any of those groups have a vote on the final bill?
MS. COOK: No. Our membership, the insurance commissioners, the 50 states, D.C. and the four territories vote on the model. They were heavily involved in the process, submitted draft language.
MR. SCANLON: Do any states have an existing law that is comparable in large measure --
MS. COOK: To our Health Information Privacy Model Act? I have been asked that question a lot. I don't -- it was just passed and most state legislative legislatures are not in session right now. I don't really have any indication of how many are looking at this model.
MR. SCANLON: Then it wasn't based on a model that was working particularly well in one state or another.
MS. COOK: No. I didn't start in staffing this model right from the very beginning but from look at the history, I do believe that we did have maybe from bills in certain states we took pieces.
MS. FYFFE: I think Vermont might have been one of them, as I recall.
MS. COOK: It was.
MR. BLAIR: Let me verify another assumption that I tend to have is that when I hear that information would be passed on to public or clinical research organizations, I have in the back of my mind the assumption that you would split off any patient identifiable information before you would give that to any research firm.
Is that expressly indicated that that is, in fact, the case?
MS. COOK: That is specifically addressed. Quite honestly, I am not as familiar with this section as I am with the other sections. A regulator from Vermont worked on -- it does specifically describe --
DR. MC DONALD: As I read it, it does allow giving away personal identifiers when it is justified by the research protocol. But I don't think it has IRB -- it didn't sound like it was specifying IRB approval. It sounded -- and that might be a good thing to add because that is a good thing to have.
MR. BLAIR: If it does allow for personally identifiable health care information to be given to research organizations that identify them as research organizations, does it have a list of those organizations that, in fact, we know are exclusively involved with clinical and public health research and have ethic codes of their own to protect the information because it is very easy to have organizations that have the title, "Health Care Research." They could be marketing. They could be for a number of other purposes.
MS. COOK: No, it doesn't contain a specific list, although I do think it -- the language attempts to describe the requirements for a legitimate research organization.
MR. BLAIR: I am a little surprised. Is it common? Is it standard practice today for personal identifiable health care information to be given to these clinical research organizations without patients knowing about it or being asked if this is okay?
DR. MC DONALD: I can maybe speak to that a little bit and I don't know of specific cases, but if you are going to do a survey of the health care given in 20 states and look at a hundred thousand patients, which at least some studies have done, I don't think it is feasible to try to track the patients, find out where they are living, go to their house and do this, ask their permission.
I think there are a number of IRB approved projects, which have -- I am just guessing -- I think of the RAND studies, which are huge, cost gazillion of dollars, but it would cost, you know, the gazillions if you had to find the person, get the signature, explain the study. And where they are just really looking at distributions at the end, but you have to link them across different caps so as to figure out who is getting what and then you can do the distributions. They only report distributions.
So, I think if you really are going to have progress in health service research and policy issues, I think you have to have that ability in some context. But the protections you described, I think, are really very important. I mean, the idea of I declare myself to be, you know, Acme Research Organization and I get everything I want and do whatever I want with it, pretty heinous sort of ideas come to mind.
Typically, these things have all been, you know, historically, university-based or some other research organizations and most of these things have this IRB approval and I think the IRB has some constraints on who can do it, which -- it is a nice -- I mean, I think if you push the harshly -- strongly pushed IRB approval process until I think you exclude the whacko companies. I am not sure about that.
I mean, I don't mean all companies are whacko, but the example I just gave, that I am, you know, a secret private investigator research association.
PARTICIPANT: It is the Acme Research and Junk Mail Company.
MR. BLAIR: The thing that makes me feel uncomfortable about what I have just heard is I would react differently if it is patient identifiable health care information that is used for research and it is solicited directly from providers for clinical research and the patient winds up saying, yes, there is a study being done on oncology. You know, would you allow Johns Hopkins to wind up using this data or the National Institutes of Health and the patient winds up, you know, agreeing to that.
If, however, you are sanctioning yourself, you are allowing yourself to be a conduit to any organization that claims to be a research organization without the provider's knowledge, it appears to me to be a great loophole that could violate the privacy of health care information for an individual.
DR. FITZMAURICE: Jeff, this is Mike.
I would just jump in to say that probably no provider would want to get a couple of thousand letters saying this person might have been once a patient of yours. Would you give us permission to get into their records? I do think that an IRB oversight of how you are collecting information, is it needed for the research, how are you going to protect that information when it is in your hands and then how are you going to get rid of it is pretty stringent.
Often you have to go searching through -- let's say people are dying of some cause. You identify the cause. You might go backwards in time to find out what contributed to their deaths or to their adverse outcomes, which means you are going back into time. Maybe some of them are dead. You don't know which ones are dead. So, you have to pass a list of people who had a particular condition or outcome through a death index.
That way, there is about a two year lag. You can find out who died. You still make have to go back into records. So, to burden physicians with answering an awful lot of mail, it could be 30 minutes to an hour a day.
DR. MC DONALD: They wouldn't do it is what has happened. So, the research couldn't get done.
MR. BLAIR: And is this a role for insurance companies?
DR. MC DONALD: The truth is Medicare provides data that is used in research and is sometimes identifiable and has had some very good effects or very good -- has reflected patterns and realities that we wouldn't have known otherwise, including such things as the differences in utilization in different parts of the country.
Almost all the cost economic things at some time you have to do some crossover because every -- one database doesn't have it all, such as the death tapes is one good example. So, I think this is really sort of a -- I mean, the current state of affairs is with IRB approval and some pretty strict censoring about justification why you really have to have it and why you couldn't do it without the identifiers, you are taking and looking at, say, a hundred million patients in a $2 million study, you can't do that. I mean, it becomes a hundred million dollar study and 40 percent drop out just because they don't answer junk mail. So, you don't even know what you have got in terms of your probabilities when you get done.
MR. BLAIR: IRB is the insurance review board?
DR. MC DONALD: No, no, no. This is an academic -- it is principally a university type of thing. And I don't know -- there are, I think, other kinds of research organizations you can set them up, but it is highly -- it is very formal. There are strict rules and there are strict specifications of how you do it. Well, who has to be on the committee, the kind of review processes and you get sanctions, such as no funding for the rest of eternity from any federal agencies, which is pretty scary, and I don't know if jail is in there or not, but there are a lot of things that are taken pretty seriously.
It is a process that is tied to a given institution and you cannot do federal research without an IRB review.
MR. GELMAN: If it helps, Jeff, among privacy advocates, some of them say, you know, want to have individual consent but there are some privacy advocates who think that the use of institutional review boards or equivalent institutions to provide essentially consent by proxy on behalf of everybody is a reasonable way of doing it.
MR. SCANLON: I think there is a provision here that if -- well, there are a couple of distinctions made here. If the request on the part of the researchers is to use existing records, then IRB is not involved, but there are some other conditions. If recontact with the subject is envisioned, then it does require an IRB kind of a review. And that is deemed to be -- to meet these other consequences. An IRB can waive informed consent if it believes there is minimal risk. But, in general, the IRB is at least presumed to offer you some level of protection.
MS. FYFFE: What are the mechanics of the NAIC when it comes to amendments to the model act? Is that possible and, if so, how is that done? And it really leads into my -- my other question is if this committee spends some time really analyzing this model and we have some concerns, if we wanted to, perhaps, write a letter, who would we write it to? I mean, what would the mechanics of all that be?
MS. COOK: I am not sure that there is a process for reopening a discussion of the model act that has been adopted. Of course, I could check on that. Although I do think your comments or opinions would be quite relevant. I guess I would have to look and see if there is a process for amending a model act. I don't believe there is.
This is a model that is going to go to the states.
MS. FYFFE: Okay. And the states can adopt the model as it is or they can tinker with it. They can pretty much, you know, add provisions, delete provisions, change wording.
MS. COOK: Exactly.
MS. FYFFE: Okay.
One other thing -- again, this is the Health Information Privacy Model Act. If you look at insurance companies, not only health insurance, life insurance, property and casualty insurance, meaning automobile, medical, maybe some other type of insurance that insures your house, if you have a neighbor who falls and there is bodily injury and a recovery there, and then also health insurance.
Now, have I missed any other lines? It is pretty broad.
MS. COOK: No, but -- yes. That is it.
MR. GELMAN: Can you tell everybody what the Medical Information Bureau is and what it does?
MS. COOK: Can I personally?
MR. GELMAN: Yes.
MS. COOK: I was recently asked a question about that and I was going to look back in the minutes of the working group to sort of go into more detail about the discussions that the working group had about the workings of the MIB and to better be able to convey the discussions and sort of where the model came out.
MR. GELMAN: How about if I answer the question and you tell me if I am wrong? The Medical Information Bureau is a group run by the insurance industry principally for the purpose of detecting fraud in insurance applications and it operates by generally getting information with consent from people who have applied for life insurance policies that are individually underwritten and that require medical examinations and information about that medical -- medical examination goes to the MIB so that if you go to one insurance company and you apply for coverage and they turn you down or rate you on a medical -- for a medical reason and then you go to a second company, the second company will get the information that the first company had because it was passed through the MIB.
Does that sound fair?
MS. COOK: That does sound fair. That was my understanding.
MR. GELMAN: I want to call your attention to Section 11(a)3 of the bill -- I am on page 16 -- I think it is the same version --
MR. BLAIR: Of the bill?
MR. GELMAN: Of the model law.
And it says -- it authorizes the non-consensual disclosure of protected health information to or from an insurance support organization provided that the information is used to perform the insurance functions of claims settlement, detection and prevention of fraud. What this bill says is that every single health claim that is filed under -- that would be subject to this bill can be disclosed to the medical information bureau without the consent of the patient. I think that is pretty outrageous, for whatever that is worth.
This is one of the employer -- there is another one, where this bill has incredibly broad loopholes that do not provide any realistic protection in these contexts for patients. Information goes to employers. There is no provision right now for health claim information to go to the medical information bureau. This would vastly the ability of MIB to track information on people who have never applied for underwritten life insurance or health insurance for that matter.
The information in the hands of the MIB, on MIB, would not be subject to this bill because they are not a carrier. So, the information would pass out of whatever protection this bill offers.
MS. COOK: But the insurance support organization has to have in place the policy standards and procedures to ensure compliance with this act.
MR. GELMAN: That is what A1 says, but, of course, you can't subject yourself to a law that doesn't apply to you. So, the sanctions, the criminal penalties, you cannot voluntarily be subject to that. I mean, it is not clear what this means.
I could simply say that I am complying with the requirements of this act as they apply to me, which is none. I mean, it is not clear. You can read this another way but you can also read it the way I have suggested.
I want to ask you a different kind of question.
MS. COOK: One that you will want to answer yourself?
MR. GELMAN: No, I don't know the answer to this.
You said that this thing passed 37 to 13. What was the nature of the dissent? I am going to guess that the fact that there was that much dissent is relatively unusual for something like this from the NAIC. Is that their judgment?
MS. COOK: Yes, I think that would be a fair statement.
MR. GELMAN: What was the nature of the dissent?
MS. COOK: The nature of the dissent was the property and casualty committee, the committee members that -- the property and casualty insurers were particularly concerned that this model would inhibit the way that they use health information. It would inhibit their ability to do business. Some of the members of the -- some of the insurance commissioners, who are on the property and casualty committee at the NAIC wanted to hold this model into the property and casualty committee and spend more time going through it and assessing its potential impact on that segment of the industry.
Our working group -- this was developed in a working group of the Accident and Health B Committee. We developed a technical subgroup made up of property and casualty experts to address the concerns of the property and casualty industry and make sure that we didn't -- there weren't any unintended consequences.
So, in the end, some of the commissioners, who hadn't -- you know, not everybody can be involved in the day-to-day workings of our working group to know what we discussed and know how, you know, ad nauseam, we went over everything. So, they voted against the model for that reason.
MR. GELMAN: Thank you.
MS. FYFFE: Other questions?
MR. SCANLON: I am trying to figure out what the impact would be, not so much on the commercial insurers but on the health plans. They would be affected as well if they are not ERISA plans. Is that right? So, a Kaiser -- well, let's take the Washington area or Maryland, for example. Kaiser Permanente or Blue Cross-Blue Shield of the National Capital Area or any one of a dozen other large plans here would be subject in this area?
MS. COOK: Yes.
MR. SCANLON: They would be subject to these, assuming that the law -- that Maryland or D.C. or Virginia passed this law.
MS. COOK: Right.
MR. SCANLON: That means that every individual who was insured subsequently would have to -- the whole process begins with some sort of an authorization that the enrollee presumably reads and is told about all these uses. And is there an opt out or an opt in?
MS. COOK: Well, how do you mean an opt out or an opt in?
MR. SCANLON: Well, if the person says I don't agree with the disclosure to employers and doesn't want to sign this authorization at the beginning, what exactly happens?
MS. COOK: Well, this model does not obligate an insurer to insure anybody that they don't have necessary information about --
MR. SCANLON: It is not that. It is just the subsequent sharing with an employer that the person might object to or anyone.
MS. FYFFE: The down stream disclosure.
MR. SCANLON: Yes. It is not the initial financing or treatment, I think, that people would necessarily object to, but it is the subsequent disclosures and there I wonder if there is an --
MS. COOK: I don't believe that it has a --
MR. SCANLON: -- as an opt out or --
MS. COOK: Aside from the sensitive information in the case of battered women or sensitive services in Section 15, I don't believe that it provides an opportunity to opt out --
MR. GELMAN: There is a marketing opt out.
MS. COOK: Oh, in the marketing opt out.
MR. SCANLON: What does that mean?
MS. COOK: But you need a specific authorization to -- they need to affirmatively ask you if you want to -- if they can use your information for marketing purposes and you can say "no," without any negative consequences. But as far as -- I guess, you are right. It depends on what it is that you object to, I would suppose.
MR. SCANLON: What if you said I appreciate research, but I don't want my information shared with any research organization?
MS. COOK: You don't have to provide your information for research.
MS. HORLICK: Would the federal law protect the substance abuse information?
MS. PELLOW: The federal?
MS. HORLICK: Yes, the federal laws protecting -- oh, I don't know. I think it is 42 CFR or something that is very -- you know, more stringent protections for substance abuse information, would that -- that couldn't be shared. Am I correct?
MS. PELLOW: I guess that would depend on how that was drafted, you know, if that section says this preempts any state law.
MR. GELMAN: These things don't match up. The federal law in alcohol and drug abuse applies to providers who are receiving federal funds. This is not a provider. So, I am not sure the law applies to them at all. This is an insurance claim and that may be a separate thing. I am not a hundred percent sure about that. I know it tracks the receipt of federal funds and there may not be any federal funds here.
MS. FYFFE: Other questions or comments -- any comments or questions from the folks in the audience?
Yes. Please come to the microphone and let us know your name. Actually back here if you don't mind. Thank you.
MR. HANDLER: Aaron Handler with the Indian Health Service. I am not representing my agency, but I know of an individual case where there seems to be a problem if this law were to be administered.
A good friend of mine had a son who was involved in an automobile accident. He was comatose for two months and then he had to undergo a lot of therapy. The insurance company was paying the bills; the insurance company where this person was working was paying the bills. And the father of the person who was in the injury was a very good salesman. It was a very small company. The insurance company informed the manager of the company that because of these very high bills, everybody's premium was going to go up that worked for that company.
The salesman was fired, but it was all done behind the scenes where the person never knew there was a contact, but that was the only reason why he could have been fired because he was a high producing salesman. He found a job somewhere else and he is doing very well. But I just wanted people to be aware of this. The diagnosis was very obvious. The son was in an auto accident and there were high bills and because of the increased expense to all of the employers, the person was fired.
I don't know if this is considered by this or not or --
MS. FYFFE: It is not an underwriting issue.
MR. SCANLON: The bill doesn't protect underwriting. That is the way we do health insurance in the United States. This doesn't forbid underwriting practices.
MR. BLAIR: Of course, with the MIB, they had salesmen, who then went to another employer. If he tried to get coverage again, probably that information would be transmitted to the MIB and it would prevent that salesman from insuring his family again.
MR. SCANLON: Again, that is an underwriting issue. That is primarily an underwriting issue and it is not illegal in the United States.
MR. STONE: But who is to assume the cost of implementing these provisions? Has any thought been given to that? Because sometimes the dissemination and collection use of information gets to be very costly.
MS. COOK: I don't believe it was considered that this model would create a huge cost -- implementing cost for anybody. So, it doesn't consider --
MS. PELLOW: I think that something the state would have to think about, like when they, you know, went to draft their own legislation using this as a model, that may be something they would want to factor in, where the cost --
MR. STONE: Because if you are talking about the carriers or the insurance companies actually providing this information to a database and, you know, researchers and other people are able to get that information, you know, we find out that there is a tremendous cost and dollar cost involved with this.
This would be upon the individual states to implement.
MS. COOK: I don't think this model contemplates, though, any new requirements for caution, use or disclosure of information.
MR. STONE: Okay.
MS. FYFFE: Other comments or questions?
Okay. Well, I thank you very much.
Do we have any other business here?
MR. SCANLON: I think you might want to talk a little bit about upcoming meeting workshop planning for February, I guess. There was some discussion of having perhaps a panel at the next meeting of this subcommittee, perhaps a panel dealing with employer uses of health information and, secondly, what was it, pharmacy -- Gail, do you remember?
MS. HORLICK: Pharmacy benefit --
MS. FYFFE: So, we are trying to get input from as many different constituencies as possible on the overall issue of privacy and confidentiality of health information and you are saying that two of the groups, employer groups, as well as the pharmacy industry --
MS. HORLICK: This was just discussed at the executive subcommittee, but I don't know that anyone has been contacted. That was the agenda was the morning on one and the afternoon on the employer.
MS. FYFFE: And as I recall the next scheduled meetings of the National Committee are February 2, 3 and possibly 4 and this Subcommittee on Privacy and Confidentiality would have a session presumably on one of those days -- the second day.
MS. HORLICK: Well, was it tentative or firm? I mean, we talked about this.
MR. SCANLON: It might have been the extra day.
MS. FYFFE: It might have been on the fourth.
MR. SCANLON: The fourth probably. Was that right?
MS. HORLICK: Well, we discussed doing it actually on the second, but I don't know that that was final.
MS. FYFFE: Well, I think that after the other subcommittees and work groups meet during this national committee meeting, the they will have to fine tune the agendas for the next set of meetings.
MR. SCANLON: That would be something the subcommittee would want to pursue. It would be -- let's say it is in connection with the February meeting, there could be a panel, a similar panel that gets different perspectives on employer use of identifiable health information and perhaps even in the afternoon, a similar panel that would be looking at what exactly is the flow of personal health information in the pharmacy area, just different perspectives on that.
MS. FYFFE: Okay.
No other business --
MR. SCANLON: Does the subcommittee have any thoughts about the European directive or the safe harbor principle approach or -- of course, Europe would have to agree to all this.
MS. FYFFE: Comments about the EU directive?
DR. MC DONALD: Maybe it is a question. Is this
-- I mean, they are their own country. So, is this being presented as something that influence us? There is one way it might. As I understood it, there was some -- some thought that pharmaceutical data couldn't be shared between different branches of international pharmaceutical manufacturers.
Is that why -- does anyone know if that has held up and if that is why --
MR. SCANLON: Bob has probably looked at some of this.
MR. GELMAN: There has been some discussion of that. I think for the most part there are -- I did some work for the EU recently that touched on some of these things and we were very hard-pressed to find any significant evidence of international flows out of Europe, because that is what the directive would regulate, of identifiable health data. It happens sometimes in connection with treatment, in which you usually have consent. It happens occasionally for most pharmaceutical studies, what I was able to learn, is that the information that is disclosed isn't overtly identified.
It may be covertly identified or identifiable if you are willing to put some effort into it and the extent to which the directive actually covers that isn't entirely clear. The EU really hasn't said anything on it that I have seen.
There are some areas in which the flow of data from Europe might involve identifiers. One of the areas is adverse drug reactions and there are several provisions in the directive that would seem to cover that kind of disclosure without consent, but it is not clear.
There hasn't been an authoritative statement. So, I think there has been a lot more panic about this than is warranted, but there are some questions and some things that aren't clear.
MS. FYFFE: Other issues, other business?
Okay. The Subcommittee on Privacy and Confidentiality working session is now adjourned. Thank you very much.
[Whereupon, at 12:20 p.m., the meeting was concluded.]