Health Insurers’ Relationship With The Medical Information Bureau: The Impact Of HIPAA Privacy Regulations
By Brian T. Casey, Partner
Lord, Bissell & Brook
The impact of the HIPAA privacy regulations on the relationship between a health insurance company and the Medical Information Bureau (“MIB”) is important for health insurance professionals to understand. The HIPAA privacy regulations’ effect on this relationship turns on whether MIB is an entity that is, directly or indirectly, subject to the HIPAA privacy regulations, and if so, whether MIB is a “covered entity” or “business associate.” In turn, MIB’s classification under the HIPAA privacy regulations determines, in part, the number of HIPAA authorizations a health insurance company must obtain in connection with its procurement and disclosure of protected health information (“PHI”) concerning applicants for health insurance policies and individuals who make claims for benefits thereunder. MIB originally took the position that it was not a business associate of its health insurer members, but appears to have reconsidered the nature of its relationship with them under the HIPAA privacy regulations.
MIB’s Data Collection and Sharing Business
MIB is a nonprofit business entity owned by its members, which are life and health insurance companies. The purpose of MIB is to provide a vehicle for each of its members to (1) contribute health and medical information obtained in connection with the underwriting of, and payment of claims made under, life and health insurance policies, and (2) receive this same type of information contributed to MIB by other members. The primary use of this information by MIB’s members is the detection and prevention of fraud and misrepresentation relating to the submission of insurance applications and claims made under insurance policies. Perhaps even more important than MIB’s business model is the fact that MIB is a consumer reporting agency (“CRA”) under the Fair Credit Reporting Act (“FCRA”), similar to more commonly recognized CRAs that aggregate and report on consumer financial data and experiences, such as ChoicePoint, Equifax, Experian and TransUnion.
MIB’s Certificate of Incorporation essentially provides that MIB will collect information, some of which is undoubtedly PHI, and provide its members with access to this information to aid in their underwriting decisions and to help prevent the perpetration of fraud against them, and states the following:
THIRD: The purposes of the corporation shall be:
1. To provide for the exchange on a non-profit basis among the Corporation’s Member life insurance companies of underwriting information with respect to proposed insureds and insurance claimants in such manner as may best protect the accuracy and confidential nature of the information so exchanged and the interests with respect thereto of such proposed insureds, claimants and insurers concerned;
2. to aid its Members in their consideration, assessment and assignment of prospective insurance risks by making available information which is essential to careful underwriting practices and procedures;
3. to help prevent perpetration of fraud upon its Members and their policyholders by proposed insureds and claimants who may omit or seek to conceal facts essential to accurate, proper and reasonable determination of insurance risks;
4. to assist in mortality, morbidity and related studies of value to life insurers and of benefit to the medical professional and general public; and
5. to engage in any lawful act or activity for which corporations may be organized under the General Corporation Law of Delaware, subject to the restrictions contained in other Articles of this Certificate of Incorporation and the Corporation’s Bylaws, and provided, however, that the Corporation is not organized for profit and no part of the net earnings of the Corporation shall inure to the benefit of any Member or individual.1
MIB’s Rules and Regulations for its member insurance companies contain two (2) provisions relevant to the authorizations, consents and notices that MIB’s members must obtain from, or give to, consumers. First, insurers are required to obtain from insurance applicants the following authorization in connection with collecting health or medical information for a health or life insurance application:
I hereby authorize any licensed physician, medical practitioner, hospital, clinic or other medical or medically-related facility, insurance company, the Medical Information Bureau or other organization, institution or person, that has any records or knowledge of me or my health, to give the XYZ Life Insurance Company, or its reinsurers, any such information.
A photographic copy of this authorization shall be as valid as the original.2
Second, MIB’s member insurers must provide the so-called MIB “pre-notice”:
Information regarding your insurability will be treated as confidential. XYZ Company, or its reinsurers may, however, make a brief report thereon to the Medical Information Bureau, a non-profit membership organization of life insurance companies which operates an information exchange on behalf of its Members. If you apply to another bureau member company for life or health insurance coverage, or a claim for benefits is submitted to such a company, the Bureau, upon request, will supply such company with the information in its file.
Upon receipt of a request from you, the Bureau will arrange disclosure of any information it may have in your file. If you question the accuracy of information in the Bureau’s file, you may contact the Bureau and seek a correction in accordance with the procedures set forth in the Federal Fair Credit Reporting Act. The address of the Bureau’s information office is Post Office Box 105, Essex Station, Boston, Massachusetts 02112, telephone number (617) 426-3660.3
MIB’s Shifting Positions under the HIPAA Privacy Regulations
Prior to April 14, 2003, the effective compliance date for the HIPAA privacy regulations, MIB’s stated position as to its classification under the HIPAA privacy regulations was that MIB was neither a covered entity nor a business associate of its member insurance companies.4 Thus, at that time MIB believed it was not directly or indirectly subject to the HIPAA privacy regulations. It is clear that MIB is not a covered entity, because MIB is not a health care provider, health care clearinghouse or health plan as those terms are defined in the HIPAA privacy regulations. Whether MIB is a business associate of its member health insurance companies is far less obvious, but the answer is critical both to the continued viability of MIB’s core business and to understanding the compliance obligations of health insurance companies, in their capacity as MIB members, under the HIPAA privacy regulations.
A business associate is a person that creates, collects, uses or discloses PHI for, or on behalf of, an entity covered by the HIPAA privacy regulations.5 A business associate includes a person that provides, other than in the capacity of a member of the workforce of a covered entity, “data aggregation” services to or for the covered entity, where the provision of the service involves the disclosure of PHI from the covered entity to such person. The HIPAA privacy regulations define “data aggregation” as follows:
Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.6
A covered entity may disclose PHI to its business associate and allow the business associate to create or receive PHI on behalf of the covered entity, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the PHI.7 Such assurance must be documented through a written contract between the covered entity and the business associate, under which the business associate must agree to adhere to certain of the HIPAA privacy regulations imposed upon the covered entity.8 A business associate may collect, use or disclose PHI only as permitted or required by law or in its written contract with a covered entity.9
The clear benefit to MIB’s member health insurers of characterizing MIB as a business associate is that these insurers would be able to disclose the PHI they collect from health care providers to MIB without obtaining additional authorizations from the individuals who are the subject of the PHI specifically allowing such disclosure to MIB. As discussed above, covered entities may share PHI with their business associates. The seemingly obvious detriment to MIB in being treated as a business associate of each of its member health insurers is that MIB may not be able to share PHI contributed to MIB by one health insurer with another insurer, which is the primary purpose of MIB, without first receiving HIPAA authorizations from each individual who is the subject of the PHI permitting such sharing. It is questionable whether MIB, as a business associate, can share PHI in this manner without these authorizations, given the limitations imposed by the business associate agreement that the HIPAA privacy regulations require.
Prior to the date of publication, but after the original draft of this article, MIB appears to have clarified its position on whether it is a business associate of its member insurers that are covered entities. Just a few days prior to April 14, 2003, MIB advised its members that they may enter into an MIB-prepared form of business associate agreement (note that it is the covered entity’s obligation to require its business associates to enter into these agreements, not the business associate’s duty), a clear indication that MIB had reevaluated its former position.
Basic Rules for HIPAA Authorizations
To understand how a health insurer’s relationship with MIB affects the authorizations for use and disclosure of PHI which health insurers must obtain from insurance applicants or insureds, it is necessary to examine in some detail how HIPAA authorizations are regulated. Generally, a covered entity may not use or disclose PHI without a valid authorization prescribed by the HIPAA privacy regulations.10 When a covered entity obtains or receives a HIPAA authorization for its use or disclosure of PHI, the covered entity’s use or disclosure of the PHI must be consistent with the authorization.11
Exceptions for Uses and Disclosures of PHI for Payment, Treatment and Health Care Operations
A covered entity may use or disclose PHI without a HIPAA authorization in certain circumstances for treatment,12 payment13 or health care operations,14 other than uses and disclosures of psychotherapy notes and uses and disclosures for marketing purposes, for which a HIPAA authorization must be obtained.15 First, a covered entity may use or disclose PHI for its own treatment, payment or health care operations.16 Second, a covered entity may disclose PHI for treatment activities of a health care provider.17 Third, a covered entity may disclose PHI to another covered entity for the payment activities of the covered entity that receives the PHI.18 Fourth, a covered entity may disclose PHI to another covered entity for the health care operations of the covered entity that receives the PHI, if (i) both covered entities have or had a relationship with the individual who is the subject of the requested PHI, (ii) the requested PHI pertains to such relationship, and (iii) the disclosure is for the purpose of either (x) certain quality assessment and improvement or competence or qualification review activities for health care professionals, or (y) health care fraud and abuse detection or compliance.19 Fifth, a covered entity that participates in an organized health care arrangement20 may disclose PHI to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.21
Special Rule for Psychotherapy Notes
The HIPAA privacy regulations provide for special treatment of psychotherapy notes given their highly sensitive nature. “Psychotherapy notes” are notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of an individual’s conversation during a private counseling session or a group, joint or family counseling session, and that are separated from the rest of the individual’s medical record.22 However, psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.23 Notwithstanding the exceptions to the general rule requiring a HIPAA authorization for a covered entity’s use and disclosure of PHI, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, subject only to limited exceptions, such as use by the originator of the notes to carry out treatment.
Restrictions on Compound Authorizations
A HIPAA authorization may not be combined with any other document to create a compound authorization except in three situations.24 First, a HIPAA authorization for the use and disclosure of PHI for a research study may be combined with any other type of written permission for the same research study.25 Second, a HIPAA authorization for the use and disclosure of psychotherapy notes may only be combined with another HIPAA authorization for a use or disclosure of psychotherapy notes.26 Third, a HIPAA authorization, other than a HIPAA authorization for the use or disclosure of psychotherapy notes, may be combined with any other HIPAA authorization except when a covered entity has conditioned the provision of treatment, payment, enrollment in a health plan or eligibility for benefits on the provision of one of the authorizations.27
MIB’s Impact on HIPAA Authorizations
The real question for MIB’s member health insurers is whether and, if so, how they can continue to share health and medical information with MIB and, in return, receive health and medical information from MIB. Conversely, for MIB, the critical concern is how it can continue to share PHI obtained from multiple sources among its members. Under the HIPAA privacy regulations, a covered entity can disclose PHI to its business associates without an authorization from the individual to whom the PHI pertains, so long as the covered entity has in place an appropriate HIPAA-required business associate agreement. Under MIB’s former position that it was not a business associate of its member health insurers, these members would have had to obtain a HIPAA authorization by which individuals who apply for health insurance authorize the insurer to disclose their PHI to MIB. If MIB’s health insurer members enter into business associate agreements with MIB, they should be allowed to share PHI with MIB without additional customer authorizations.
Nevertheless, MIB’s status as a business associate does not provide a clear basis for MIB to disclose to one member insurer the PHI that another covered entity member has contributed to MIB. Such status only allows a covered entity member of MIB to disclose PHI to MIB without a HIPAA authorization. If MIB is a business associate of each of its covered entity members and MIB discloses PHI provided to MIB by one covered entity member to the other MIB members, such disclosures by MIB could be inconsistent with the business associate agreements between MIB and its covered entity members, exposing these members to potential violations of the HIPAA privacy regulations.
Conclusion
MIB’s recent acknowledgment that it is a business associate of its covered entity members has eliminated the need for its covered entity members to obtain separate HIPAA authorizations from customers specifically allowing such members to disclose PHI about their customers to MIB. However, whether MIB can continue its historical data sharing practices with its members for data that is PHI, without the members obtaining HIPAA authorizations from the individuals who are the subject of the PHI that allow such sharing, is unclear and a matter that should be carefully assessed by covered entity members of MIB.
Notes
1 Certificate of Incorporation of MIB Group, Inc., filed September 9, 1999.
2 Amended General Rules of MIB Group, Inc., filed May 13, 2000. Copy on file with author.
3 Id.
4 Heidi K. Abegg, MIB White Paper Health Insurance Portability and Accountability Act (HIPAA) Compliance (Sept. 2002) (article on file with author).
5 45 C.F.R. §160.103.
6 45 C.F.R. §164.501 (emphasis added).
7 45 C.F.R. §164.502(e)(1).
8 45 C.F.R. §164.502(e)(2) and 45 C.F.R. §164.504(e).
9 45 C.F.R. §164.504(e)(2)(ii)(A).
10 45 C.F.R. §164.508(a)(1).
11 Id.
12 Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. 45 C.F.R. §164.501.
13 Payment means activities of (1) a health plan to obtain premiums or to determine or fulfill its obligation for coverage and benefits under the health plan or (2) a health care provider or health plan to obtain or provide reimbursement for health care services. These activities include (a) eligibility or coverage determinations and adjudication or subrogation of health benefit claims; (b) risk adjusting amounts based on enrollee health status and demographic characteristics; (c) billing, claims management, collection and obtaining payment under a reinsurance contract and related health care data processing; (d) review of health care services as to medical necessity, coverage under a health plan, appropriateness of care or justification of charges; (e) utilization review; and (f) disclosure of certain types of PHI to a consumer reporting agency relating to premium collection or reimbursement. 45 C.F.R. §164.501.
14 Health care operations means (1) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines; population-based activities related to improving health, reducing health care costs, protocol development, case management and care coordination, and contacting health care providers and patients with information about treatment alternatives; (2) reviewing competence or qualifications of health care professionals, evaluating practitioner and provider performance and health plan performance, conducting training programs for students, trainees or practitioners in health care, training of non-health care professionals, and accreditation, certification, licensing or credentialing activities; (3) underwriting, premium rating and other activities relating to creation, renewal or replacement of a contract for health insurance or health benefits, and ceding or placing a reinsurance contract for health care claims; (4) conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs; (5) business planning and development, such as cost-management and planning related to managing and operating the entity; and (6) business management and general administrative activities of the entity, such as management activities related to implementation of and compliance with the HIPAA Regulations, customer service, resolution of internal grievances and the sale, transfer, merger or consolidation of all or part of a covered entity with another covered entity. 45 C.F.R. §164.501.
15 45 C.F.R. §164.506(a).
16 45 C.F.R. §164.506(c)(1).
17 45 C.F.R. §164.506(c)(2).
18 45 C.F.R. §164.506(c)(3).
19 45 C.F.R. §164.506(c)(4).
20 An organized health care arrangement is (1) a clinically integrated care setting in which individuals receive health care from more than one health care provider, in which the participating health care providers hold themselves out as a joint arrangement and participate in at least one of the specifically enumerated activities under the applicable section of the HIPAA Regulations; (2) an organized system of health care in which more than one covered entity participates; (3) a group health plan and a health insurance issuer or health maintenance organization for such group health plan, with respect to PHI that is created or received by such health insurance issuer or health maintenance organization and that relates to individuals who are or have been participants or beneficiaries thereunder; or (4) a group health plan and one or more other group health plans, each of which is maintained by the same sponsor, and the health insurance issuers or health maintenance organizations for such group health plans, with respect to PHI that is created or received by such health insurance issuer or health maintenance organization and that relates to individuals who are or have been participants or beneficiaries thereunder. 45 C.F.R. §164.501.
21 45 C.F.R. §164.506(c)(5).
22 45 C.F.R. §164.501.
23 Id.
24 45 C.F.R. §164.508(b)(3).
25 45 C.F.R. §164.508(b)(3)(i).
26 45 C.F.R. §164.508(b)(3)(ii).
27 45 C.F.R. §164.508(b)(3)(iii).
ABOUT THE AUTHOR
Brian T. Casey is a partner in the Atlanta office of the international law firm of Lord, Bissell & Brook and is co-chair of the firm’s insurance, financial services, and healthcare e-commerce practice. He is a frequent speaker on corporate, regulatory, privacy, e-commerce, technology, and tax matters in the insurance industry.
riskVue | The webzine for risk management professionals
July 2003