Your data belongs to you, not to your claims administrator

At some point you have probably requested data from a claims administrator, like the fraction of your health care spending that is going toward mental health codes like depression, anxiety, or post-traumatic stress disorder, or a quality indicator for a certain hospital or health care system. It’s highly likely that the person or organization you communicated with told you they couldn’t  provide the data because doing so would have been a “HIPAA violation.” Huh?

The 1996 Health Insurance Portability and Accountability Act, colloquially known as “HIPAA” (hip-uh), was passed with two goals in mind: protection of “personal health information,” or PHI, and the ability to easily switch insurance policies from carrier to carrier to get better coverage, a better price, or additional services. HIPAA accomplished protection of PHI, but it did not, ironically, dramatically increase the portability of insurance coverage.

But that shortcoming of the law is a distraction. Here’s all you need to know about a claims administrator’s assertion that HIPAA prevents you from getting aggregate data on your employee population: It’s not true. If we didn’t already know this, KBGH Book Club attendees have recently learned it from Dave Chase’s The CEO’s Guide to Restoring the American Dream. In this week’s Section, II, “How and Why Employers are Getting Fleeced,” Dave says, “Sometimes [claims administrators] use HIPAA privacy as a smokescreen [to] prevent you from having your data analyzed by an outside party, an issue HIPAA effectively accommodates.” Since the law clearly allows you to access this data, if you’ve been blocked it was more likely that your claims administrator inserted a clause into your contract stating that claims data is proprietary and owned by them, the carrier, and not by your company, the purchaser. But HIPAA itself clearly allows this kind of data analysis: “HIPAA specifically allows transmission of aggregate data in order to promote high quality health care, and the HIPAA privacy rule specifically addresses aggregate data use for purposes of research, public health, or health care operations.”

But the good news for you, the purchaser, doesn’t stop there. The Consolidated Appropriations Act, signed on December 27, 2020, prohibits gag clauses on price and quality information and forbids plans and issuers from signing contracts that restrict the disclosure of provider-specific cost or quality information. And that’s not all! The Act also forbids plans and issuers from restricting access to deidentified claims or encounter information to HIPAA business associates like your company, including financial information, provider information, service codes, and “any other data element.”

This isn’t a full-throated defense of HIPAA. The KBGH book club is leading us down some interesting, unusual policy paths, and this law is probably worth a second look in the future. Whenever restrictions on regulations are lifted, as restrictions on telemedicine were in the early days of the COVID-19 pandemic and as HIPAA restrictions are being lifted in Texas now, owing to widespread power outages, it is natural to wonder why the restrictions were ever in place to begin with. If the practice can be jettisoned for now, why was it so important before? Can we still protect privacy, as HIPAA does, without the rule being so burdensome? That’s a topic for future discussion.

As the Medical Director of the Kansas Business Group on Health I’m sometimes asked to weigh in on hot topics that might affect employers or employees. This is a reprint of a blog post from KBGH.