Though millions of Americans sign forms in their doctors’ offices which claim their personal health information is protected under the Health Insurance Portability and Accountability Act (HIPAA), a new ObamaCare rule requires federal and local agencies and health insurers to trade the personal health data of any person interested in signing up for the new state exchanges.
The Washington Examiner reports that under the 253-page rule, issued by the Department of Health and Human Services (HHS) late Friday, protected health information (PHI) may be traded among agencies in order to confirm that applicants to the ObamaCare exchanges are receiving all the “essential benefits” in their health insurance coverage.
According to the rule:
The Exchange would submit specific identifying information to HHS and HHS would verify applicant information with information from the Federal and State agencies or programs that provide eligibility and enrollment information regarding minimum essential coverage. Such agencies or programs may include but are not limited to Veterans Health Administration, TRICARE, and Medicare. HHS will work with the appropriate Federal and State agencies to complete the appropriate computer matching agreements, data use agreements, and information exchange CMS-9957-P 73 agreements which will comply with all appropriate Federal privacy and security laws and regulations. The information obtained from Federal and State agencies will be used and redisclosed by HHS as part of the eligibility determination and information verification process set forth in subpart D of part 155…
Finally, we propose to add paragraph (b)(2) to provide that consistent with 45 CFR 164.512(k)(6)(i) and 45 CFR 155.270, a health plan that is a government program providing public benefits, is expressly authorized to disclose PHI, as that term is defined at 45 CFR 160.103, that relates to eligibility for or enrollment in the health plan to HHS for verification of applicant eligibility for minimum essential coverage as part of the eligibility determination process for advance payments of the premium tax credit or cost-sharing reductions. We intend for this provision to enable any health plan that is a government program within the scope of 45 CFR 164.512(k)(6)(i) to disclose the protected health information necessary for HHS to be able to verify of minimum essential coverage as required to conduct eligibility determinations for insurance affordability programs.
The rule states that HHS already has the power to exchange PHI without consent for a “government program providing public benefits,” and it implies that “government knows best” when personal information should be used to make sure individuals obtain the best insurance coverage for them.
According to the Examiner, one top congressional aide said, “This sounds as if HHS will have access to protected health info to me.”
Similarly, Americans for Tax Reform expressed concern that the IRS, which assumes significant responsibility in ObamaCare enforcement, and HHS will be sharing individuals’ PHI, which includes medical history, test and laboratory results, and other data.
The new rule is curious because in January, HHS released a statement about another new rule that reflected “enhanced standards” that claimed to “improve privacy protections and security safeguards for consumer health data.”
The omnibus rule was touted as one that would strengthen the government’s ability to enforce HIPAA.
“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
According to the rule issued in January:
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.
Nevertheless, it appears from the rule issued on Friday that the government may access individuals’ PHI and freely exchange it among agencies, since the ObamaCare exchanges are all government programs.