By Edward F. Shay, Esq.
The managed care revolution has often been dismissed by critics as little more than managed costs through attrition, rationing and blunt financial incentives. This argument is bolstered by the contention that little, if any, good clinical data supports the undeniable savings achieved by aggressive utilization controls. The truth of this latter assertion is difficult to prove or disprove because until recently, most health care information has been contained in paper records protected by legal rights to privacy and confidentiality. Like the rest of the health care economy, the world of health care information is beginning to change dramatically. Computers are replacing paper as the storage medium of choice for medical and other records. Claims submission and clinical information are being shared electronically among providers and payors. Connectivity is beginning to replace capitation as the vogue sound bite of health care policy, and connectivity suggests an on-line world of health care information which is transferred with instantaneous ease from user to user. Connectivity can facilitate paperless claims submission; it can support centralized medical records and retrieval; and, it can provide limitless data to advance research into a broad array of health care issues ranging from provider profiles to alternative interventions in chronic care.
Scenarios for savings from paperless claims are intriguing. Providers will submit paperless claims to payors. Companies which specialize in electronic screening, sorting and transmission of electronic information will speed claims on their way to the responsible payor who will electronically credit the bank account of the provider. Advocates of the paperless claims system believe that it will be quicker, cheaper and more accurate than the paper claims system.
Not everyone is uniformly enthusiastic about an electronically interconnected health care system. Privacy advocates look at the rush to administrative simplification and ask what will prevent reams of sensitive clinical information from being electronically culled from claims data and sold to advertisers, vendors, life insurers and the full array of enterprises interested in the health of an individual. Estimated savings from a paperless claims system begin at $75 billion and increase considerably from there. Large vendors of health information are reported to be spending hundreds of millions of dollars to upgrade their computers and telecommunications systems to move health information at light speed. Providers and managed care organizations are accessing and otherwise acquiring health information to improve the management of care and patients. The tension between dollars and privacy is shaping up as the make or break issue in the electronic transfer of health care information.
Notwithstanding the current and expanding technical capabilities of vendors and users to access and use health care information, serious legal considerations must be addressed to ensure that the confidentiality of individually identified health information is maintained and public confidence in new information systems is justified.
The laws with respect to the confidential treatment of medical and related health information have not changed with the development of sophisticated information systems. Certain practitioners have traditionally owed to their patients a duty of confidentiality. Physicians continue to owe to their patients the traditional duty of confidentiality based upon ethical standards and the law. The State Board of Osteopathic Medicine requires physicians to keep confidential their medical records subject to specific exceptions involving such activities as claims submission and payment, defense of malpractice suits and as needed in treatment of the patient.
In Pennsylvania, federal and state laws protect specific types of medical information. For example, federally funded substance abuse programs must meet strict federal confidentiality requirements for drug and alcohol programs. Pennsylvania law also imposes strict confidentiality requirements upon medical records containing information about an individual with HIV.
Finally, the Commonwealth protects clinical information through the exercise of its licensing authority over health care facilities. Health care facilities must have medical records systems with confidentiality protections. Hospitals, for example, are required to ensure that a patient’s records will be confidential except to the extent otherwise required by law or third party contractual obligations. Clinical laboratories must treat as confidential records and reports of examinations. Similar requirements apply to nursing facilities, home health agencies and ambulatory surgery centers.
In addition to the foregoing statutory and regulatory standards of confidentiality, the courts in Pennsylvania have recognized an individual’s privacy interests in medical information. Unauthorized disclosure of medical information may be actionable as an invasion of privacy or a breach of fiduciary duty.
Notwithstanding the considerable body of law to protect medical information, the great safeguard of the confidentiality of medical records to date has been a general observance of an ethical duty of confidentiality by most health care professionals and the sheer physical inaccessibility of paper records. However, over the past few years, computerization of health care information has begun to erode the protection of medical records. The prospect of huge economies in the administrative expense of claims processing has accelerated the computerization trend.
Beginning in the early 1990’s, the federal government began to push for administrative simplification and reform of the claims payment process. The Bush Administration established the Workgroup on Electronic Data Interchange (WEDI) which first looked closely at the potential cost savings which might emerge from a standardized and simplified claims submission system for all payors. Following WEDI, electronic exchange of health information again received attention as part of the President’s Health Security Act. With the failure of the Health Security Act, a more modest approach was crafted as part of the recently enacted Health Insurance Portability and Accountability Act (HIPAA).
HIPAA Developments
Despite the failure of Clinton health reform, certain legislative initiatives were required to enable market based health reforms to continue to move forward, and a limited number of areas of legislative consensus did emerge from the health reform debate. Enhanced enforcement of fraud and abuse laws has remained an area of consensus in all recent health care legislation. Similarly, administrative standardization of submission and management of electronic health information has enjoyed broad based support. However, central to every discussion of health care electronic data exchange have been concerns about confidentiality and whether state or federal protections should apply. Each of the fifty states has its own standards relating to health care information, or none at all. The legal environment is further complicated by the absence of any consensus among plans and insurers on claims submission formats and related information elements.
This lack of uniformity on the administrative side of health care made plan management unnecessarily complex. HIPAA included several provisions which were gathered together into an Administrative Simplification section. The administrative simplification sections of HIPAA are intended to accomplish several steps to advance the state of electronic exchange of health care information. To begin, HIPAA requires the Secretary of Health and Human Services to propose to Congress uniform standards for financial and administrative transactions. The standards will address the data elements needed for transactions involving claims processing, enrollment and disenrollment, eligibility determinations, remittance advice, premium payments and referral certification and authorization. HIPAA also provides for the development of unique identifiers for individuals, employers, health plans and health providers.
Congress recognized that requiring standardization of health information and packaging it with unique identifiers posed obvious security risks. Accordingly, HIPAA also requires the Secretary of Health and Human Services to develop security measures which must take into account industry capabilities and compliance cost. Finally, Congress added in HIPAA a federal penalty for improper disclosure of individually identified health information. Persons who violate the disclosure prohibition are subject to a fine of $50,000 and up to five years imprisonment. An improper disclosure must be made knowingly. It may involve use of a unique identifier, obtaining individually identified health information in violation of HIPAA permitted uses, or disclosure to another of individually identified health information.
Characteristic of most legislation, HIPAA paints with a broad brush. To fill in many of the details of this emerging national policy debate on health care information, Congress has asked the Secretary of Health and Human Services to develop standards. Congress has also reconstituted and authorized a heretofore obscure government committee, the National Committee on Vital and Health Statistics, to provide technical assistance to the Secretary on health information issues including privacy concerns.
Since September, 1996, the National Committee on Vital and Health Statistics has been meeting as a whole and through subcommittees to develop reports to the Secretary of Health and Human Services on data and standards and on privacy and confidentiality. The Subcommittee on Privacy and Confidentiality has since met almost on a monthly basis to elicit a range of views from privacy advocates and industry sources including health plans, clearinghouses, insurers and employers. The issues discussed have varied widely. Witnesses have stressed the need to protect individual information in practical ways including encryption and other forms of computer security. Witnesses for the clearinghouse industry have pressed the importance of privacy feasibility. These witnesses agree that privacy must be maintained and that health information cannot be commercialized. Conversely, they object to a proposal to impose special fiduciary status on them which would make them data trustees rather than processors. They believe that the burden for consent to disclosure and related uses belongs with the originating provider. Insurers have taken similar positions. In a blurring of traditional roles, witnesses for the managed care industry have stated that they are responsible for the health outcomes of their members. Accordingly, they argue that integrated health plans need special exemptions to share data throughout their networks and to use individually identified health data to research and develop disease management programs.
Sometime in August, 1997, the Secretary of Health and Human Services will report to Congress on how to protect the transfer of electronic medical information. There are currently pending in Congress bills in the House and Senate which reflect the past two years of debate of medical information privacy. By the end of the year, it is quite possible that Congress will enact a law which creates a uniform national safety net to protect the confidentiality of medical information while further advancing the computerization of health care information.
Edward F. Shay, Esq. is a member of Saul, Ewing, Remick & Saul’s Health Law Department in Philadelphia.