Connecticut Law Revision Commission

Representative Arthur J. O'Neill, Chairman; William R. Breetz; Representative Robert Farr; Jon P. Fitzgerald; Robert W. Grant; Representative Michael P. Lawlor; Michael W. Lyons; Mary Anne O'Neill; Joel I. Rudikoff; Edmund F. Schmidt; Joseph J. Selinger, Jr.; Judge Elliot N. Solomon; Professor Colin C. Tait; Professor Terry J. Tondro; I. Milton Widem; Senator Donald E. Williams, Jr.

David D. Biklen, Executive Director
David L. Hemond, Chief Attorney
Jo A. Roberts

Connecticut Law Revision Commission
State Capitol, Room 509A
Hartford, Connecticut 06106-1591
(860) 240-0220
FAX (860) 240-0322
Email: lrc@po.state.ct.us

To: Law Revision Commission Advisory Committee on Confidentiality of Medical Records
From: David L. Hemond
Date: November 12, 1998
Re: Implications of excepting disclosures that comply with NAIC Health Information Privacy Model Act. Brief Analysis.
Committee discussions as to how to integrate the proposed Health-Care Information Act with similar law applied to insurers have noted that the NAIC has now proposed a new model act, the Health Information Privacy Model Act ("Model Act"), to regulate insurer responsibilities. Thus one Committee option is to recommend that any proposed Health-Care Information Act be passed in concert with the proposed NAIC model, rather than, for example, relying on the existing Insurance Information and Privacy Protection Act to govern insurer behavior. This memorandum is intended to assist in understanding the implications of such a proposal by summarizing the Model Act provisions and, in parentheses, noting similar or related provisions in the Health-Care Information Act. As with my earlier analysis of the Insurance Information and Privacy Protection Act, this memorandum is not comprehensive but is intended to provide a framework for analysis.
Scope of the Model Act
Unlike the insurers' Privacy Protection Act, the Model Act is exclusively concerned with the management of health-care information. As noted in my earlier memo, the Privacy Protection Act governs "personal information," of which "medical-record information" is a subset. Unlike that Act, the Model Act has a scope and focus much like that of the Health-Care Information Act. However, the Model Act is drafted specifically for application to insurers and other risk-bearing entities that are primarily under the regulatory authority of the Insurance Commissioner. As such, the draft includes language specific to insurers and some provisions that, without substantive changes, would not apply well to the wider scope that we are considering under the Health-Care Information Act.
Sections 10 and 11. Disclosure with and without authorization
The core Model Act provisions governing disclosure are set out in sections 10 and 11. Similar to the provisions of the Health-Care Information Act and other models, the basic rule, set out in section 10, is that the governed entity, "a carrier," may not "collect, use or disclose protected health information without a valid authorization from the subject of the protected health information, except as permitted by section 11 or as permitted or required by law or court order." (See section 2-101 of the Health-Care Information Act.)
Subsection 10 C sets out the requirements for a valid authorization, which must be in writing (section 2-101(a) of the Health-Care Information Act) and contain:
(1) The identity of the individual who is the subject of the protected health information (only in section 2-102 by inference and by virtue of the requirement that the subject individual sign the authorization);
(2) A description of the types of protected health information to be collected, used or disclosed, with specific requirements concerning tests for underwriting purposes (section 2-102 requires identification of "the nature of the information to be disclosed");
(3) A general description of the sources from which the protected health information will be collected (no such explicit Health-Care Information Act provision);
(4) The name and address of the person to whom the protected information is to be disclosed subject to an exception for "insurance functions" (section 2-102(c)(3) requires identification of "the person to whom the information is to be disclosed");
(5) The purpose of the authorization, including the reason for the collection, the intended use, and the scope of the disclosures (The November 5 "Working Draft of a health-care information act" would require "a statement of the purposes for which the information may be used");
(6) The signature of the individual who is the subject of the protected health information or the individual who is legally empowered to grant authority and the date signed (see section 2-101(c)(1) and 6-101);
(7) A statement that the individual who is the subject of the protected health information may revoke the authorization at any time - except with respect to a party that has relied on the authorization (The "Working Draft" would also require a notice of the right to revoke - see 2-102(c)(6)).
Section 10 D requires that the authorization specify the length of time for which it is valid, which may not be longer than 12 months, except that an authorization to support insurance functions may remain valid for the term of the policy, an authorization to support an application concerning a life insurance policy (including a reinstatement or change in benefits) remains valid for up to thirty months, and there is no limit on an authorization to support or facilitate ongoing management of a chronic condition. (Under the Health-Care Information Act, section 2-102(g), an authorization is good for up to thirty months, but is good for only six months if no expiration is specified.)
Subsections 10 E and F require a separate authorization for certain disclosures to employers (Subsection 10 E) and for disclosures used for "the marketing of services or goods, or for other commercial gain" (Subsection 10 F). Authorizations used for marketing also must meet additional criteria concerning notice of the purpose and notice of a right to refuse without prejudice to any policy. (There is no analogous provision in the Health-Care Information Act. However, given our similar concerns with marketing, if we permit marketing at all we should review this provision for possible adoption.)
Section 10 G concerns the right to revoke. (Section 2-103 is similar but does not similarly require that notice of the revocation be given to any person to whom the information has been disclosed.)
Section 10 H contains a general authorization for the insurer to use any information collected pursuant to an authorization for certain "insurance functions" without further notice. Those functions include "claims administration, claims adjustment and management, fraud investigation, underwriting, loss control, rate-making functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, grievance procedures, and internal administration of compliance, managerial, information systems, and policyholder service functions."
Under section 10 I, an authorization does not waive other rights. (See 2-102(d).)
Section 11 sets out the exceptions where disclosure is permitted without authorization. It includes the following exceptions:
A.(1) Disclosure is allowed between insurers to investigate, evaluate, adjust or settle a claim involving the individual, or where liability with respect to the individual is relevant to a merger, acquisition or other assumption of liability; (see 2-104(a)(2))
A.(2) Disclosure is allowed "to the extent necessary to investigate, evaluate, subrogate or settle third party claims, provided that the claimant is the subject of the protected health information"; (see 2-104(a)(2))
A.(3) Collection, use or disclosure is allowed with respect to an insurance support organization provided that the organization has policies to ensure compliance with the act, and the disclosure is for certain "insurance functions"; (see 2-104(a)(2))
A.(4) If necessary to provide ongoing health care treatment and if not prohibited by the subject, collection or disclosure is allowed from or to a health care provider employed by the carrier or under contract with the carrier or who is a referring, treating provider; (see 2-104(a)(1), (3), and (4))
A.(5) Disclosure is allowed to "a person engaged in the assessment, evaluation or investigation of the quality of health care furnished by a provider pursuant to statutory or regulatory standards or pursuant to the requirements of a private or public program authorized to provide for the payment of health care"; (see 2-104(a)(2) and 2-104(a)(8))
A.(6) Disclosure is allowed, subject to section 14A exceptions regarding limitations by the subject and prohibitions on disclosure of "protected health information concerning health services related to reproductive health, sexually transmitted diseases, substance abuse and behavioral health", to reveal a covered person's presence in a facility owned by the carrier and the covered person's general health condition, provided that the disclosure is limited to directory information; (see 2-104(b)(1). The Health-Care Information Act does not have a provision excluding disclosure of sensitive information. The "Working Draft" would add language restricting disclosure to inpatients and where otherwise prohibited by law. The more specific references to sensitive information should be considered for adding to the draft.)
A.(7) Collection, use and disclosure is allowed when the protected health information is necessary to the performance of the carrier's obligations under any workers' compensation law or contract; (The Health-Care Information Act does not have any specific provision concerning workers' compensation.)
A.(8) Collection and disclosure is allowed with respect to a reinsurer, stop loss or excess loss carrier for the purpose of underwriting, claims adjudication and conducting claim file audits; (See 2-104(a)(2))
A.(9) Information may be collected from the individual who is the subject of the information; (No such specific provision is in the Health-Care Information Act. Do we, perhaps, want to require a written record of the authorization?) and
A.(10) Information may be collected, used or disclosed "when the protected health information is obtained from public sources such as newspapers, public agency reports, and law enforcement or public safety reports". (No such specific provision is in the Health-Care Information Act.)
Subsection C then provides for mandatory disclosure in the following circumstances:
C.(1) "To federal, state or local government authorities to the extent the carrier is required by law to report or for fraud reporting purposes"; (See 2-104(b)(2) and (3))
C.(2) To identify a deceased individual, to determine the cause of death, or to provide necessary information about a deceased donor of an anatomical gift; (No such specific provision is in the Health-Care Information Act.)
C.(3) "To a state department of insurance that is performing an examination, investigation, or audit of the carrier"; (See 2-104(a)(2) - No explicit provision for an agency audit.)
C.(4) Pursuant to a court order issued after the court's determination that the public interest in disclosure outweighs the individual's privacy interest and that the protected health information is not reasonably available by other means. (See 2-105, which allows other specific grounds for disclosure without a court balancing of the privacy interests, but includes that ground also.)
Subsection D states that a disclosure under subsection C does not act as a waiver of other rights. (Section 2-102(d) contains a similar provision concerning the effect of an authorization, but no provision concerning the effect of an unauthorized disclosure. It is not clear, however, why an unauthorized disclosure, standing alone, would act to waive rights.)
Section 12. Disclosure for research
The Model Act includes a specific stand-alone section governing unauthorized disclosure for research. The Model Act requires adherence to more detailed protocols than those included in Section 2-104(a)(7), although there is no specific provision requiring approval by an institutional review board. The Model Act requires that the research organization agree not to disclose to a third person; that the disclosure be the minimum necessary; that a written policy be implemented to assure the security and privacy of the information, including training and discipline, safeguards to ensure that protected information does not appear in the report, and a method for removing identifying information; that a research plan be prepared explaining the research; and that the carrier and the research organization execute a written agreement governing the confidentiality of the research. If the research involves contact with the individual whose information is to be disclosed, the Model Act also requires that informed consent be obtained in accordance with statutory requirements.
If the research is conducted under approval by an institutional review board subject to the Federal Policy for the Protection of Human Subjects, compliance with the federal process is deemed compliance with the Model Act.
Subsection G further governs the disclosure between the carrier and a research organization of encrypted information, which is generally not covered by the Model Act. If disclosed for research, the carrier and the research organization must execute a written agreement restricting re-release of the information or efforts to link encrypted information to the underlying subject.
Other Related Model Act Criteria
In addition to these rules governing disclosure, the Model Act also parallels the Uniform Health-Care Information Act on a variety of other grounds. Specifically:
Notice of Information Practices: Section 6 sets a requirement for notice of information practices which must meet standards for review by the Insurance Commissioner. The standards are slightly more detailed than those set by section 5-101 of the Health-Care Information Act.
Access to Information: Section 7 sets out rules concerning the right of an individual to examine or receive a copy of health information. The basic rule provides a right of access, with a required response within 20 days. However, the carrier may deny the request on the following grounds:
(generally, see 3-102)
(a) disclosure would identify a confidential source in an investigation; (3-102(a)(2))
(b) the information was compiled for litigation, fraud investigation or quality assurance or peer review; (3-102(a)(4))
(c) the information is the original work product of the carrier; (No comparable Health-Care Information Act provision)
(d) the requester is a party to a legal proceeding involving the carrier where the health condition of the requester is at issue; (No such explicit provision in Health-Care Information Act)
(e) disclosure is otherwise protected by law. (3-102(a)(5))
The Model Act does not appear to have a provision allowing non-disclosure in the interest of protecting the patient's or another person's health or safety. See 3-102(a)(1) and (3).
Amendment of Health Information
Section 8 specifies a right of the subject to amend the information to correct inaccuracies. See generally sections 4-101, 4-102, and 4-103 of the Health-Care Information Act. The section 8 requirements are similar to those of the Health-Care Information Act.
Right to Limit Disclosures
Section 14 sets out provisions not in the Health-Care Information Act explicitly authorizing the subject to limit disclosures of information that could jeopardize the safety of the individual.
Subsection B of that section also explicitly limits disclosure of protected health information "concerning health services related to reproductive health, sexually transmitted diseases, substance abuse and behavioral health".
Subsection C addresses recognition of certain rights of minors to confidentiality.
The Health-Care Information Act does not address these issues.
Penalties and Remedies.
The Model Act provides for civil sanctions by the Commissioner, up to $250,000 for a general business practice, and criminal sanctions for knowing violations, including a maximum fine of $500,000 and 10 years imprisonment. The Act does not provide a private right of action, which a drafting note suggests be considered. The Health-Care Information Act provides for criminal penalties, up to $10,000 and one year imprisonment, and a private right of action with awards up to $5,000 and attorneys' fees.