Originally Published MX
September/October 2003
Governmental & Legal Affairs
Health Information Privacy and Security
The iron law of unintended consequences strikes again.
Mark E. Lutes
It has happened many times before in Washington, DC—legislation intended to produce one result spawns numerous unanticipated consequences. Nonetheless, this recent story of unintended consequences arising from the regulation of the confidentiality of healthcare data is a fascinating one. It also carries serious implications and lessons for medical device manufacturers.
The legislation is the now well-publicized administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 Through administrative simplification of healthcare transactions and code sets, Congress intended to reduce the cost of processing healthcare claims submissions, claims payments, and similar transmissions.
While promoting and standardizing electronic claims administration, Congress thought that it should also mandate safeguards for its privacy and security.2,3 In doing so, it set into motion agency rule making and hospital industry interpretation that together pose special challenges for the medical device manufacturer.
This article discusses four unintended consequences of the privacy regulation provisions of HIPAA.
• Privacy and security concerns can be used as a pretext to terminate commercial deals.
• Health plans become device manufacturers’ preferred partners for marketing campaigns.
• Failure to identify the core disclosure “evils” actually reduces the consent obtained and threatens the goal of administrative simplification.
• Detailed rules as to disclosures of personal health information to employers lead some medical device manufacturers to jump deeper into plan administration and others to attempt to depart.
The first two affect device manufacturers in their capacity as business associates. The next two challenge them as employer health plan administrators.
The Threat to Commercial Agreements
The HIPAA privacy rule uses the “business associate” concept to control the use of health information by entities other than those to whom the HIPAA statute applied.4 The statute encompasses the use and disclosure of individually identifiable health information (IIHI) by providers such as hospitals and physicians, by health plans, and by healthcare clearinghouses. But as device manufacturers have learned, the regulation reaches beyond the covered entities by requiring them to obtain privacy covenants from persons who use IIHI to perform services for the covered entities.
These covenant-granting persons are called business associates. Covered hospitals, nursing homes, physician groups, and other entities have been in a mad scramble to identify their HIPAA business associates and amend their contracts in the manner required by the regulation.
Device manufacturers may not believe that their classification as HIPAA business associates is proper, arguing that they do not perform services on the purchaser’s behalf. Nevertheless, many have executed or will execute such covenants. They may have done so because of a device-servicing arrangement or some other explainable business relationship, or perhaps simply because they have been worn down by a customer’s insistence that such a covenant must be provided.
The main concern of medtech executives is not necessarily that their firm might be coerced into providing business associate covenants, as unsatisfactory as that might be. A much larger concern should be that, in signing such a covenant, the company might fail to tailor its language to avoid giving the covered entity new commercial leverage.
Many people think that the U.S. Department of Health and Human Services (HHS) has mandated the form of these covenants, but that is not the case. What the department has mandated is that certain subjects be covered in the covenants; it has provided some potential language for doing so.5,6 However, the contents of the covenants can—and should—be negotiated.
For instance, many covered entities proffer draft business associate covenants to device manufacturers that make the underlying purchase agreement terminable by the provider—without an opportunity for cure by the manufacturer—if a single privacy breach is alleged. Thus, millions of dollars of business can be held hostage to allegations of a privacy or security breach.
Such provisions should be negotiated so as to confine the termination right to the particular aspect of the relationship that involves manipulation of client data on the client’s behalf. They also can be negotiated to include cure periods, or to substitute remedies such as reporting the business associate’s privacy breach to HHS. Through such detailed negotiation and the education of customers regarding their range of options, device manufacturers can avoid unintended but potentially severe commercial consequences of the HIPAA privacy rule.
Health Plans as Marketing Agents
One of the biggest bogeymen in the healthcare privacy debate has been the alleged widespread use of personal health information (PHI) for marketing purposes. The specter of patients being solicited by marketers was something that galvanized the regulation’s authors. Among the fears expressed has been a concern that other people, in associating marketing materials with a particular recipient, would draw conclusions about the nature of that person’s health or illness. The privacy rule also reflects a fundamental revulsion against the exploitation of health data for commercial purposes.
The rule’s solution to this worrisome problem eschews simple opt-out systems. Rather, it is a mandate that PHI not be used for marketing purposes without an express and instance-specific authorization being obtained from the individual. Among other things, that authorization must establish the particular parties or types of persons to whom a disclosure would be made, its purpose, and an end date or event terminating the authorization. The authorization must also include information about any remuneration being received by the covered entity for making the disclosure.
Of course, once that tube had been squeezed, a need to allow certain customary interactions between providers and patients and between health plans and enrollees without prior authorization became evident. HHS thus carved away from the definition of marketing a large swath of provider activity, including the description of health-related products or services in the context of treatment, as well as face-to-face marketing activities.
Likewise, an exception was created for health plans and providers to use PHI for communications that encourage recipients to purchase or use a product or service, as long as the communication is issued in the context of care coordination or case management, or involves the recommendation of alternative treatments, providers, or settings of care. HHS has simply deemed such recommendations not to be marketing. This means that these types of recommendations are permitted without regard to whether the provider or plan is paid for making them.
There is still another category of health plan communication that encourages the purchase of a product or service and that is exempt from the privacy rule’s authorization requirement. Plans can use their enrollees’ PHI to make recommendations about products or services so long as the recommended product or service is included in the plan of benefits or is available only to health plan enrollees. The fact that a manufacturer or other supplier of the product or service paid the plan to make such a recommendation is of no consequence.
The history of how the exception came to extend to any health-related product available only to health plan enrollees is complicated. The interesting point, however, is this rather surprising consequence: medical device manufacturers can look to health plans in designing a campaign to promote their products. So long as the product or service recommended by the plan is either covered in part by the plan of benefits or is a special deal for health plan members, that recommendation will not be considered marketing under HIPAA rules.
As they contemplate their options for targeted marketing, device manufacturers should work with counsel to apprehend the breadth of these exceptions.
Employee Consent Confounded
The privacy rule’s drafters did not prohibit any particular use or disclosure of IIHI. Perhaps the necessary political consensus was lacking. Instead, they adopted a two-pronged approach to controlling disclosure of such information. First, they made use and disclosure of IIHI for treatment, payment, and healthcare operations (TPO) and governmental purposes permissible without express authorization. And second, they required detailed authorization for other uses and disclosures.7
Because such authorization requirements are so onerous to meet, however, health providers and plans feel compelled to find a TPO justification for any high-volume use or disclosure of identifiable health information. The consent required for such TPO uses is merely a one-time acknowledgment of receipt of a notice of privacy practices.
In theory, the publication of such a notice-and-acknowledgment process might stimulate competition among health insurers based on the consumer-friendliness of their information practices. But in reality, where the employer’s health plan is self-funded, the employee has no choice but to accede to the plan’s proposed uses and disclosures of PHI. The employee likewise has little choice if the employer’s plan is insured. Provision of such a choice would presuppose that the insurer’s privacy notice would be made available prior to open enrollment, and also that an alternative coverage option offering a different set of PHI use and disclosure policies would be available.
Similarly, the notion of choice among the use and disclosure practices of healthcare providers is illusory. First, it will be a rare consumer who is prepared to recognize the subtle differences among the notices proffered by various providers. Rarer still will be the consumer who sets aside the prior relationship or the original basis of selection—for example, plan participation, the provider’s reputation, or its convenient location—and walks out of the waiting room because of what the notice of privacy practices says.
Another unplanned consequence—perhaps having some value—is greater awareness of the issue on the part of everyone involved. Unfortunately, without the clarity a proscription of certain conduct would have provided, this awareness takes the form of a general apprehension that impedes the flow of information in support of care and that, even more frequently, complicates the healthcare administration meant to be simplified by the statute.
PHI as a Third Rail
The HIPAA privacy rule has much to say about the exposure of device manufacturers as employers to the PHI of their employees.8 The group health plan section of the rule does not proscribe such exposure, but it requires that it be disclosed to employees and purports to limit the use that can be made of PHI by employers. The reaction to the rule by employers has gone in two directions—perhaps neither a consequence intended by the drafters.
On the one hand, some device manufacturers have looked at the new disclosure and certification requirements and concluded that they would like to distance themselves from any obligation to make such disclosures. They would gladly participate less in plan administration in order to achieve this. For example, a manufacturer might abandon the traditional employer role of advocating plan interpretations favorable to its employees and their dependents out of concern that such advocacy would place the company in a no-win situation.
Such a no-win situation can arise when the employer assists in plan administration as allowed under the privacy rule. To act thus, the employer must firewall plan-related information from other parts of the company and certify that it will not be used for any other purpose.
In most companies, however, the benefits personnel who assist employees with their health claims also have other duties in human resources administration. The implication that information learned in a beneficiary advocacy context may have been considered in making personnel decisions consequently could be difficult to avoid. Moreover, the employer may not relish having to disclose these dual roles in health plan documents, as required by the rule.
As a result, some employers will opt to play a smaller part than before in administering their health plan. The HIPAA privacy rule was not intended to take employers out of plan administration. However, its sunshine requirements and its arousal of apprehension over the potential for unfair-discharge legal cases can lead to that consequence, however unintentional.
On the other hand, human nature being what it is, some employers have reacted oppositely to the first group—although their response, too, was probably not an intended consequence of the rule. Its group health plan section (164.504[f]) details the circumstances under which, from a federal perspective, employers can receive PHI when acting in a plan-administration capacity whether the plan is insured or self-funded. (Some state laws lead to a different result.)
Traditionally, insured employers have received only summary-level PHI. Some now see Section 504(f) requirements not as limiting but as enabling—establishing a pathway for employers to receive PHI in other than summary form in the context of plan oversight and administration. These companies are willing to make the required disclosures, establish the firewall, and issue the certification that the PHI will not be used for non-plan-related purposes, in return for greater involvement in the oversight of their insured health plan.
Conclusion
It seems to be an iron rule: every piece of legislation and regulation generates as many unintended consequences as intended results. The privacy regulation portion of the HIPAA administrative simplification provisions has quickly proven to be no exception.
Therefore, in planning their marketing activities, managing their employee benefit departments, and contracting with their customers, medical device manufacturers ought to be as cognizant of these unintended effects as they are of the conventionally understood direct purposes of this privacy rule.
References
1. “Administrative Simplification,” Health Insurance Portability and Accountability Act of 1996, Public Law 191, 104th Cong., 2nd sess. (21 August 1996).
2. “Individually Identifiable Health Information; Privacy Standards,” Health Insurance Portability and Accountability Act of 1996, Public Law 191, 104th Cong., 2nd sess. (21 August 1996).
3. U.S. Department of Health and Human Services, “Standards for Privacy of Individually Identifiable Health Information,” Federal Register, 65 FR:82461–82829 (December 28, 2000).
4. Code of Federal Regulations, 45 CFR 160.103.
5. Code of Federal Regulations, 45 CFR 164.504(e).
6. U.S. Department of Health and Human Services, “Standards for Privacy of Individually Identifiable Health Information, Final Rule: Appendix to the Preamble—Sample Business Associate Contract Provisions,” Federal Register, 67 FR:53264–53266 (August 14, 2002).
7. Code of Federal Regulations, 45 CFR 164.506.
8. Code of Federal Regulations, 45 CFR 160.504(f).
Mark E. Lutes is a partner in the national health law practice of Epstein Becker & Green (Washington, DC).
Copyright ©2003 MX