Search Terms: health information privacy, House or Senate or Joint
Document 42 of 45.
Copyright 1999
Federal News Service,
Inc.
Federal News Service
APRIL
27, 1999, TUESDAY
SECTION:
IN THE NEWS
LENGTH:
4025 words
HEADLINE:
PREPARED STATEMENT OF
THE AMERICAN ASSOCIATION OF HEALTH PLANS - AAHP
BEFORE THE
SENATE
HEALTH, EDUCATION, LABOR AND PENSIONS COMMITTEE
MEDICAL RECORDS CONFIDENTIALITY
BODY:
Introduction
The American Association of Health Plans (AAHP) is the largest national organization of health plans representing more than 1,000 HMOs, PPOs, and similar network-based plans. Together, AAHP member plans provide quality health services for approximately 140 million Americans. We applaud the leadership efforts of Senators Jeffords and other members of the Committee, as well as Senator Bennett, to advance the passage of legislation that will protect patient confidentiality while allowing the appropriate information sharing needed by health plans to facilitate high quality care for consumers.
Structuring authorization, preemption and law enforcement provisions in federal confidentiality legislation are some of the most important issues facing federal health policy makers today. Not only is there great potential for harm if patient information is misused, but patient trust is an essential ingredient to quality health care. At the same time, our evolving health care delivery system is one that increasingly relies on a team approach to delivering care. This team approach, which goes beyond the days when care was fragmented and health insurers merely paid the bills, depends on the responsible sharing of information to improve quality.
The first part of this testimony addresses how health plans use patient information to improve the quality of patient care, and the second part of this testimony discusses the authorization provisions in three of the Senate bills and the importance of a properly structured authorization provision that recognizes how health plans use information to improve quality.
I. Health Plans Use Patient-Identifiable Health Information to Enhance Quality
Health plans use health information in a variety of activities that improve the quality of health care. Some of the quality-enhancing activities health plans undertake can be done using non-identifiable health information -- information that has been aggregated, anonymized, coded, or encrypted in such a way that the information no longer directly reveals the identity of particular individuals. However, a significant portion of the fundamental, quality-enhancing activities undertaken by health plans does require the use of identifiable health information. These activities, which focus on both the processes of delivering care as well as on the outcomes of care, include health promotion and disease prevention, disease management, fraud detection activities, provider profiling, outcomes research, utilization management, and other quality assurance and improvement activities. In recognition of the importance of these activities, some of the federal bills have established the term "health care operations" to encompass them. Health plans' ability to enhance quality through these activities could be seriously jeopardized unless authorization processes in federal confidentiality legislation are properly structured. Below are brief descriptions of some of the activities encompassed in "health care operations."
Health Promotion and Disease Management
Health promotion and disease management activities improve quality by enabling plans and providers to identify members at risk for certain illnesses and/or who have been diagnosed with certain chronic diseases. Plans and providers can then reach out to those members to provide information to them, coordinate and monitor their care, and generally encourage them to seek out services when they can benefit most. Patient-identifiable health information is essential to determining who is eligible for these programs. Health plans add much value in this area because they have access to claims data and can help busy physicians accurately identify patients at risk of certain illnesses or who are eligible for certain services -- even among patients the physician may not have seen in some time. Once the plans have identified these members, they may contact them or the members' physicians. Many plans encourage their physicians to follow up with the identified members to schedule the necessary appointments. For example, nearly all plans use postcard or phone-call mammography reminder systems. Patient-identifiable information is needed to identify female enrollees of a certain age who have not had a recent mammogram. The plans then send reminder notices to these women and oftentimes to their physicians so that the physicians can follow up with their patients directly.
Similarly, asthma and diabetes disease management initiatives require the use of patientidentifiable health information. Plans use patient information to identify members with asthma or diabetes and involve them in their disease management programs. Plans are then able to reduce hospitalizations and emergency room visits, in the case of asthma, and increase retinal exams to avoid preventable blindness, in the case of diabetes. TheCenters for Disease Control (CDC) estimates that diabetes accounts for 12,000 to 24,000 new cases of blindness each year, but early detection through screening and timely intervention can reduce the incidence of severe vision loss 50% to 90%.1
Outcomes Research
Outcomes research enables health plans and providers to identify the most effective course of therapy for individuals with a given condition. For example, using patientidentifiable health information of members who had been treated for diabetes, one plan studied whether patients who matched a certain clinical profile and were treated with the drug Metformin experienced better outcomes than patients who did not have the same profile but who also were treated with Metformin. The outcomes analysis indicated that, in fact, outcomes were better in the patients who matched the profile than in those who did not match the profile. This study provided the plan's physicians with the clinical evidence needed to select the most effective course of therapy for their diabetic patients. The study would have been impossible to do if they had to get patient authorization prior to identifying such individuals without asking all enrollees for their permission, as they could not even have identified the appropriate patients to ask for an authorization without looking at the patient record.
Utilization Management
Utilization management, which involves evaluating the medical necessity and appropriateness of health care services both for the purposes of payment as well as for quality improvement, enables plans to respond to inappropriate patterns of care. For example, evidence suggests that hysterectomies and caesarian section deliveries are overperformed in the U.S. Hysterectomies are the second most common procedure - performed on 1 in 3 American women by the age of 60. Similarly, the CDC estimated that physicians performed 349,000 unnecessary caesarian section deliveries (approximately 1 out of every 12 deliveries) in 1991 - unnecessarily placing women at risk of infection and unnecessarily exposing them to the complications and trauma associated with major abdominal surgery. Health plans' utilization management programs require patient-identifiable information to ensure that patients received necessary, high-quality care, appropriate for each individual, in a cost-effective manner.
For example, one plan conducted a study of caesarian section rates on its women enrollees.
At the time of the study over 25% of deliveries by plan enrollees were done by c-section. Only through the plan's ability to conduct an analysis of that data and to provide feedback directly tO the plan' s hospitals and physicians were they able to work to lower the rate to 17 percent.
These activities, as well as other activities commonly deemed "health care operations" would be seriously undermined if the authorization procedures established in federal confidentiality law prohibited the use of patient information for these activities without separate authorizations. Imagine the Catch-22 plans wishing to send mammography reminder notices to women over a certain age would be in - to have to ask their permission, without knowing who they are. The plan would have to ask the permission of the entire female membership, as it would not have identified ahead of time those it needed to target. Members would quickly tire of being asked, and authorizations would be nearly impossible to get, simply because response rates to these types of individual requests would be so low. One plan's experience bears this out. The plan sent its members separate authorization requests for treatment to see what the response rate would be. Only 20% of the members responded.
Many "Health Care Operations" Required by Law or Accrediting Agencies
It's important to point out that not only are these health care operations activities fundamental to improving patient care, but many are also required of health plans under a variety of state and federal programs and regulations, as well as under voluntary privatesector reporting and accreditation standards. For example:
- Activities to monitor, detect, and respond to over- and under- utilization are required by state HMO and utilization review laws, federal laws, and private accreditation standards; - Ongoing quality assurance programs that (1) emphasize health outcomes and provide for the collection, analysis, and reporting of data; (2) monitor and evaluate high-volume and high-risk services and the care of acute and chronic conditions; and (3) after identifying areas for improvement, take action to improve quality, are required of Medicare+Choice plans under Medicare; - Procedures to ensure health care delivery under reasonable quality standards, consistent with recognized medical practice standards, and ongoing, focused activities to evaluate health care services, are required by the National Association of Insurance Commissioners (NAIC) Model HMO Act, which approximately 30 states have adopted; - Quality management programs that "monitor, evaluate, and work to improve the quality of care and quality of services provided...utilizing a variety of quality management studies, reviews, and evaluations such as...medical records reviews" are required of plans seeking URAC/AAHCC accreditation; and - Health management systems that identify members with chronic conditions and offer appropriate services and programs to assist in managing their conditions are required of plans seeking NCQA accreditation.
Compromising plans' abilities to improve patient care by imposing excessive authorization requirements that could leave plans with inadequate or partial information would result in reduced quality of care. This would present an obvious quandary for plans legally and contractually required to conduct quality-enhancementivities, yet at the same time compromised in their ability to use the information necessary to fulfill these obligations. It is critically important, therefore, that federal confidentiality law enable health plans and caregivers to use identifiable patient information for these health care operation activities even as it protects individuals from misuse of their health information.
II. Different Approaches to the Authorization Process
Federal legislation, for the most part, has attempted to address individuals' interests in confidentiality as well as their interest in quality care. In federal confidentiality legislation proposed to date, there are three basic approaches to authorizing use of identifiable health information: statutory authorization; multiple authorization; and consolidated authorization.
Statutory Authorization- Optimal to Preserving Quality of Care
A statutory authorization would authorize in law all of the widely accepted positive uses of patient-identifiable health information, including facilitating treatment, securing payment, and conducting the "health care operations" activities already discussed. Both the Administration's proposal and the NAIC
Health Information Privacy
Model Act propose a statutory authorization approach. A statutory authorization would achieve thegoal of providing plans and providers with access to identifiable health information to improve quality of care and, working in tandem with strong penalties for the misuse of identifiable health information, would also assure consumers that plans and providers will respect the confidentiality of their identifiable health information.
Multiple Authorization Process- Unduly Restricting Quality
The multiple authorization process embodied in some of the current federal confidentiality proposals including, to some extent, the Leahy-Kennedy bill, would permit plans to get a single authorization at the time of enrollment for treatment and payment, but require plans to get separate authorizations for many "health care operations" activities, including quality assurance activities. This approach would require health plans and providers to obtain patient authorization each and every time they used identifiable health information for activities such as quality assurance and improvement, unduly restricting health plan use of information and threatening quality of care. Having to contact a plan enrollee each time a health plan needed to use his or her information - whether to identify instances of under-treatment, to check an immunization record, or even to pursue a fraud allegation - would be impractical, costly, and a considerable burden for patients as well as plans. Moreover, as is noted earlier, many of these plan activities are seeking to identify individuals at risk - it would be impossible to obtain consent from individuals who had not yet been identified. As a result, health plans would be required to either send authorization requests to their entire enrolled population each time they wanted to screen their members for certain conditions, or send the mammography reminder notices or information on asthma management programs to theentire plan membership because they would be unable to target those individuals in need of these services. Again, the response rate would likely be extremely low, making the reminder systems infeasible.
A second problem created by a multiple authorization approach is that patients would be given the opportunity to limit their authorizations and essentially "opt-out" of participating in "health care operations" activities. Such authorization "opt-out" provisions would diminish the capacity of current health plan quality assurance programs and be counterproductive to improving the quality of patient care. Even losing three or four percent of a patient sample can be problematic, as those who withhold their data may be the very patients getting the most intensive care, or may belong to key demographic groups. In fact, withholding some patients' information within a health plan setting could make engaging in these quality-enhancing activities so impractical that plans and providers would forgo these activities for all patients - again raising the potential conflict between plan obligations to improve quality and legal restrictions on the use of the information needed to fulfill these obligations. On a more global level, our national goal of identifying the most effective ways to deliver health care - to make sure that patients get the best care for their health dollar - would be severely compromised.
A third problem with the multiple authorization is that it could harm patients. A multiple authorization would allow individuals to limit access to certain information, in effect segregating parts of their medical record. Some bills, including the Jeffords-Dodd bill, explicitly promote segmentation of certain types of information, such as mental health information through their preemption provisions. The implication for patient care goes directly to the ability of plans and health care providers to effectively manage care. For example, if information that a certain patient has been treated for narcotic abuse is kept separate from the rest of the medical record, a provider who prescribes an opiate painkiller may inadvertently jeopardize that patient's care simply because he or she did not have access to all of the relevant information on the patient.
Consolidated Authorizations- A More Workable Approach
A third approach, proposed by the Bennett bill and the Jeffords-Dodd bill, is the consolidated authorization. The consolidated authorization contained in both proposals is designed to permit the use and disclosure of patient health information for purposes of treatment, payment, and health care operations, while requiring a separate authorization for use and disclosure of patient information for most other purposes.
Both proposals:
- require individuals, as a condition of enrollment in a health plan, to authorize the use of their identifiable information for treatment, payment and health care operations; - require physicians and other health care providers to secure an authorization from uninsured individuals before providing care; - include procedures for the revocation of an authorization; - require records of authorizations, revocations and disclosures to be kept for seven years;
- allow the use and disclosure of identifiable information for the purpose of converting the information into non-identifiable information; - require the Secretary, in consultation with the National Committee on Vital and Health Statistics (NCVHS), to develop model authorization forms; and - allow disclosure of identifiable information without an individual's authorization in certain circumstances, such as emergencies, next of kin and directory information, and public health purposes.
Key Differences in Consolidated Authorization Proposals
Despite similarities between the Bennett bill and the Jeffords-Dodd bill there are several key differences which impact the underlying effectiveness and cohesiveness of the bills. Below are four examples-
First, the Jeffords-Dodd bill would give states 18 months in which to enact confidentiality legislation more restrictive than the federal requirements. Such a provision would allow states to implement more restrictive authorization requirements leading to inconsistent protections and perpetuating the patchwork of differing state confidentiality laws. Given the complex and interstate nature of the way information flows in today's health care system, consistent rules governing use and disclosure of identifiable health information are critical to assuring uniform treatment of confidential information. Federal confidentiality legislation with strong preemption of state laws is necessary to achieve consistent protection of confidential information.
Second, as mentioned earlier, the Jeffords-Dodd bill allows states to enact stricter confidentiality laws even after the 18 month window in certain areas. This provision allows for separate state laws for certain types of information, such as mental health information, in essence promoting segmentation of the medical record and different standards for different types of health care information. By promoting different authorization processes for different types of information, the bill will ultimately create a multiple authorization process, carrying with it the same problems discussed earlier inthis testimony, including authorization opt-outs and the infeasible task of getting an authorization from someone who has yet to be identified.
Third, the Jeffords-Dodd bill inadvertently undermines the value of the one-time consolidated authorization by requiring providers to obtain a separate authorization unless they can confirm existence of appropriate authorization prior to rendering services. Thus the administrative and functional value of the consolidated authorization becomes insignificant as providers would be required to perform an equally burdensome task in confirming authorization status. Most would simply require additional authorizations of every patient they saw.
Lastly, but integral to the entire bill, while the Jeffords-Dodd bill claims to permit health plan use of nonidentifiable information, the term "nonidentifiable information" is defined such that virtually no patient health data would qualify as "nonidentifiable." By failing to provide a clear definition of"nonidentifiable," many activities which rely on the use of such nonidentifiable information would be subject to unworkable requirements relating to patient authorization.
III. AAHP Initiatives
AAHP's member plans have demonstrated their commitment to confidentiality by addressing this issue as part of AAHP's ongoing Code of Conduct initiative. Under AAHP's Code of Conduct, member plans must safeguard the confidentiality of patient-identifiable health information through policies and procedures that, consistent withfederal and state law, (a) address safeguards to protect the confidentiality of patientidentifiable health information; (b) provide for appropriate training of plan staff with access to patient- identifiable information; and (c) identify mechanisms, including a clear disciplinary policy, to address the improper use of patient- identifiable health information. The policy reinforces that health plans should not disclose patient-identifiable health information without the patient's consent, except when necessary to provide care, perform essential plan functions such as quality assurance, conduct bona fide research, comply with law or a court order, or for public health purposes.
As part of this commitment, AAHP's Board of Directors also issued a statement of confidentiality principles last year that we believe should underpin any confidentiality legislation. The statement highlights many of the issues discussed in this testimony -- the need for uniform, consistent confidentiality protections, equal protections for all types of identifiable health information, the importance of conducting quality improvement activities and research, and the value of strong confidentiality safeguards. This statement of principles is attached for your reference.
Conclusion
AAHP wholeheartedly supports the goal of assuring consumers that health plans and health care providers will respect the confidentiality of their identifiable health information. We recognize that appropriate confidentiality safeguards for patientidentifiable information are essential to ensuring that health plan members feel comfortable communicating honestly and openly with their physicians and otherproviders. Without open communication between patients and their providers, treatment decisions are based on incomplete or inaccurate information and quality of patient care suffers.
At the same time, AAHP believes that consumers should benefit from the qualityenhancing activities health plans undertake - many of which, as have already been discussed, are required by public regulators and private sector oversight entities. In order to craft federal confidentiality legislation that achieves these two goals, it is essential to have a firm understanding of how our current health care system works, how information flows within the system to make it work, and how health plans use information to improve the quality of health care.
We commend the leadership of the Chairman and other members of the Committee, as well as Senator Bennett and Senator Leahy on the issue of confidentiality. Legislation introduced by all involved have advanced the discussion of very important issues involving protecting the confidentiality of patient information, while at the same time continuing to provide high quality care to consumers. It is our view, for the reasons outlined in this statement, the Bennett bill's authorization provisions would lead to more cohesive confidentiality protections and build on plans' ability to facilitate quality care through health care operations activities.
We look forward to working with the Committee in its continued work on federal confidentiality legislation.
FOOTNOTE:
1 Centers for Disease Control (CDC), Department of Health and Human Services, An Ounce of Prevention.' What Are the Returns, Second Edition, 1996, p. 10.
END
LOAD-DATE:
April 28, 1999
Document 42 of 45.
Search Terms: health information privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.