State privacy laws leave RMs in the dark

Risk & Insurance, April 1, 2002 by Joseph F. Mangan

New statutes and regulations in the states that aim to ensure privacy could threaten to limit the ability of insurance companies to share information on workers' compensation and third-party liability claims with their policyholders.

A wave of new state and federal privacy rules has been creeping across the country since July 2000. But risk managers do not appear to be paying a lot of attention. The consensus seems to be that the new rules have little or no bearing on risk management except in the health care and financial services industries. Risk managers in other industries may be in for a dose of culture shock.

Congress set the carousel in motion when it passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The law requires the Department of Health and Human Services (HHS) to regulate how health care providers protect the confidentiality of their patients' medical information. The Gramm-Leach-Bliley Financial Services Modernization Act (GLB), adopted in November 1999, requires state and federal regulators to adopt regulations governing the way financial institutions share customers' financial information with unaffiliated third parties.

In their own separate ways, these two laws and the regulations they have spawned are working to make the risk manager's task more difficult and less certain. Unless HHS makes significant changes, the regulations implementing the privacy provisions of HIPAA stand a good chance of reducing the amount of information that insurers and third-party administrators can obtain on medical, third-party liability, and workers' compensation claims. New statutes and regulations that states are promulgating in response to GLB threaten to limit the ability of insurance companies to share information on workers' compensation and third-party liability claims with their policyholders. The end result may be a regime that protects consumer privacy but encourages fraudulent claims and leaves risk managers in the dark.

HIPAA addresses health insurance and the confidentiality of patients' medical records. HHS first published regulations to implement the privacy protections in HIPAA on December 28, 2000, but failed to submit the final rule to Congress as required by the Congressional Review Act. As a result, the regulation did not become effective until April 14, 2001, two months after Secretary of Health and Human Services Tommy G. Thompson submitted it to Congress for review. Although trade associations representing employers and insurers lobbied for changes, Thompson allowed the rules to go into effect exactly as they were drafted by the Clinton Administration.

Because insurers are not covered entities within the privacy regulations HHS adopted, they are not subject to the rules. This means that the HHS regulations do not restrict the ability of insurance companies to share information with policyholders. What has raised concern for risk managers and their insurers is the presence of two provisions that may impair the ability of claims adjusters to gather information they need to evaluate a claim and detect fraud: the minimum necessary rule and the agreement not to disclose.

The minimum necessary rule restricts the medical information health care providers may release to unaffiliated third parties. Despite provisions in the rule designed to give property and casualty insurers access to information they need for legitimate business purposes, and despite guidance and HHS's decision to reinforce those provisions, there is genuine concern that health care providers will decline to provide information that claims professionals consider essential to adjusting losses fairly and efficiently. The result may be that health care providers will supply insurers and third-party administrators with information from the date of the injury that is the subject of the claim forward. This will leave insurers and their policyholders in the dark about treatment prior to an occurrence for a condition the claimant alleges is the result of that occurrence.

Issues with HIPAA

The first concern over application of exemptions to the minimum necessary rule is that they do not match conditions in the real world. The minimum necessary rule does not apply, for example, to medical information the health care provider is required to release under a state workers' compensation law.

Nancy Schroeder, assistant vice president, workers' comp at the National Association of Independent Insurers (NAII), points out that most state workers' compensation statutes do not specifically require release of medical information about a claimant. They rely instead on custom, common sense and precedent. That may not be enough to trigger the exemptions in the HIPAA regulation. This is less of a concern for third-party liability claims because they customarily require a release from the claimant, but it may mean higher costs because attorneys will become involved in claims more often and do more work on the average claim.

"It appears at this point that the minimum necessary requirement does apply to comp," Schroeder explained. "We hope that HHS will look at this further and provide some further guidance and hopefully reverse that for workers' comp."

 


Content provided in partnership with Thompson Gale