Privacy Initiatives

At Issue

Today in the Internet age, where people can access information concerning just about anything with just a click of a button or mouse, naturally many people are worried about maintaining their privacy. The confidentiality of medical and financial information is of concern to many people, including both state and federal policy makers.

Federal privacy regulations created as a result of theHealth Insurance Portability and Accountability Act of 1996 (HIPAA) and the privacy requirements included in the Financial Services Modernization Act of 1999 or the Gramm-Leach-Bliley Act(GLBA), are examples of federal measures that delve into privacy issues as they relate to insurance coverage.

HIPAA Privacy Regulation

The federal privacy regulation was created by the Department of Health and Human Services in response to a requirement that it do so if Congress failed to enact its own health privacy measure that was contained in HIPAA.

To help our members and their clients comply with the regulation, NAHU developed the HIPAA Privacy Compliance Guide, which provides a complete overview of the new requirements, sample notices and more.

Highlights of the HIPAA privacy regulation include:

Marketing -- The final Rule requires a covered entity to obtain an individual's prior written authorization to use his or her protected health information for marketing purposes except for a face-to-face encounter or a communication involving a promotional gift of nominal value. The Department defines marketing to distinguish between the types of communications that are and are not marketing, and makes clear that a covered entity is prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for the marketing activities of the third party, without the individual's authorization. The Rule clarifies that doctors and other covered entities communicating with patients about treatment options or the covered entity's own health-related products and services are not considered marketing. For example, health care plans can inform patients of additional health plan coverage and value-added items and services, such as discounts for prescription drugs or eyeglasses.

Consent and Notice -- The Department makes changes to protect privacy while eliminating barriers to treatment by strengthening the notice requirement and making consent for routine health care delivery purposes (known as treatment, payment, and health care operations) optional. The Rule requires covered entities to provide patients with notice of the patient's privacy rights and the privacy practices of the covered entity. The strengthened notice requires direct treatment providers to make a good faith effort to obtain patient's written acknowledgement of the notice of privacy rights and practices. The final Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care while providing covered entities with the option of developing a consent process that works for that entity. The Rule also allows consent requirements already in place to continue.

Uses and Disclosures Regarding FDA-Regulated Products and Activities -- The final Rule permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products. This assures that information will continue to be available to protect public health and safety, as it is today.

Incidental Use and Disclosure -- The final Rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or disclosure may occur. Such incidental uses or disclosures are not considered a violation of the Rule provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For example, if these requirements are met, doctors' offices may use waiting room sign-in sheets, hospitals may keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at nurse's stations without fear of violating the rule if overheard by a passerby.

Authorization -- The final Rule clarifies the authorization requirements to the Privacy Rule to, among other things, eliminate separate authorization requirements for covered entities. Patients will have to grant permission in advance for each type of non-routine use or disclosure, but providers will not have to use different types of forms. These modifications also consolidate and streamline core elements and notification requirements.

Minimum Necessary -- The final Rule exempts from the minimum necessary standards any uses or disclosures for which the covered entity has received an authorization. The Rule previously exempted only certain types of authorizations from the minimum necessary requirement, but since the rule will only have one type of authorization, the exemption is now applied to all authorizations. Minimum necessary requirements are still in effect to ensure an individual's privacy for most other uses and disclosures. The Department clarifies in the preamble that the minimum necessary standard is not intended to impede disclosures necessary for workers' compensation programs. The Department will actively monitor to ensure that worker's compensation programs are not unduly affected by the Rule.

Parents and Minors -- The final Rule clarifies that state law, or other applicable law, governs in the area of parents and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about their minor children, with limited exceptions that are based on state or other applicable law and professional practice. For example, where a state has explicitly addressed disclosure of a minor's health information to a parent, or access to a child's medical record by a parent, the final Rule clarifies that state law governs. In addition, the final Rule clarifies that, in the special cases in which the minor controls his or her own health information under such law and that law does not define the parents' ability to access the child's health information a licensed health care provider continues to be able to exercise discretion to grant or deny such access as long as that decision is consistent with the state or other applicable law.

Business Associates -- The final Rule gives covered entities (except small health plans) up to an additional year to change existing written contracts to come into compliance with the business associate requirements. The additional time will ease the burden of covered entities renegotiating contracts all at once. The Department has also provided sample business associate contract provisions.

Gramm-Leach-Bliley Act (GLBA) -- Title V of GLBA, which was signed by President Clinton on November 12, 1999, establishes requirements designed to protect the privacy of consumers' nonpublic personal financial information. These requirements apply to all licensed individuals and entities that are part of the financial services industry, which includes the business of insurance and licensed insurance agents and brokers.
The law charges the different regulatory authorities for the various aspects of the financial services industry with enforcing these rules, and establishes that the GLBA requirements are only a "federal floor" and the enforcement entities are authorized to establish more stringent protections. In the case of the insurance industry, the individual state governments are the regulatory authority and while efforts were made to keep the state-level measures uniform, individual states developed compliance measures that are all over the map.

To help our members comply with the state-level financial privacy requirements, the NAHU Education Foundation developed the Financial Privacy Requirements Compliance Guide, which is available free to NAHU members and may be purchased by non-members. This guide is the only compliance book out there that was written specifically for health insurance producers, and it's also the only producer guide that offers state-specific compliance advice.

NAHU's View

Even though the days when a person's medical and financial records were only stored in locked filing cabinets in the offices of their doctors and banks have long passed, NAHU strongly believes that individuals should still be able to maintain a reasonable expectation of confidentiality when it comes to their personally identifiable financial and medical information. Our position statement on confidentiality provides an explicit outline of our views on access to medical records.

As for recent state and federal privacy initiatives, NAHU had concerns about the idea that federal standards should serve as a "floor" and that states should be free to adopt more stringent standards.

NAHU is also concerned about the impact implementing privacy requirements will have on agents and brokers, so we have advocated that agents be considered exempt from privacy measures if they are working on behalf of a compliant insurance carrier.

Finally, NAHU feels that state and federal measures are needed to protect the privacy of consumers' nonpublic personal medical information, personal financial information and information disclosed during online transactions. However, we feel very strongly that legislative and regulatory initiatives designed to protect these three distinct types of information should also be distinct and cover only one type of consumer information at a time. Otherwise, conflicts will ensue, making the protections even more confusing to consumers and even more costly to implement.

• NAHU's Comment Letter to HHS on the Final Regulation Concerning the Privacy of Individually Identifiable Health Information
• NAHU's Letter to NCOIL on Medical Privacy
• NAHU's Letter to NCOIL Concerning the Cost-Impact of State-Level Financial Privacy Measures

NAHU's Actions

NAHU has been actively following the progress of state and federal level initiatives to protect the privacy of individually identifiable medical and financial information.

To help our members comply with federal and state privacy requirements, NAHU has developed two compliance guides for our members.

HIPAA Privacy Compliance Guide - Presented by the NAHU Education Foundation, this is the only guide written specifically for health insurance producers. The guide provides a complete overview of the new requirements, sample notices and more.

Financial Privacy Requirements Compliance Guide - Presented by the NAHU Education Foundation, it is available free to NAHU members and may be purchased by non-members. This guide is the only compliance book available that was written specifically for health insurance producers, and it's also the only producer guide that offers state-specific compliance advice.

Other materials developed by NAHU include:

• Confidentiality Talking Points
• Comparison of the Final DHHS Privacy Rule and the NAIC and NCOIL Model State-Level Privacy Measures
• Comparison of the NAIC and NCOIL Models to Address State-Level Compliance with the GLBA Financial Privacy Requirements
• Fact Sheet on State-Level Initiatives to Comply with the GLBA Financial Privacy Requirements
• Comments on the Proposed Rule for Standards for Privacy of Individually Identifiable Health Information

Additional Resources

Medical Privacy Regulation - Questions Remain About Implementing the New Consent Requirement. Report to the Chairman, Committee on Health, Education, Labor, and Pensions, U.S. Senate.

Office for Civil Rights - Privacy Guidelines

Healthcare Leadership Council's Privacy Page

NAIC Model Law on the Privacy of Consumer Health and Financial Information

NCOIL Financial Information Privacy Protection Act

Content copyright © 1998-2010 National Association of Health Underwriters. All rights reserved.
National Association of Health Underwriters · 2000 North 14th Street, Suite 450 · Arlington, VA 22201
703.276.0220 · fax 703.841.7797 · info@nahu.org