Electronic Health Data for Insurance & Consent Management
December 11, 2019
For insurance carriers, access to medical records is a critical component in the risk selection process. In obtaining these records, insurers must consider the Health Insurance Portability and Accountability Act (HIPAA) when interacting with HIPAA- covered entities such as hospitals, health information exchanges and clinician offices. As many of us know, the intent of HIPAA is to provide consumers with rights and privacy protections related to their health information, including how and when their medical records are used and disclosed.
For healthcare, compliance with HIPAA is complex, causing carriers and vendors to encounter a few bumps in the road related to consent.
1. There are common misconceptions as to what health data is available for the life and disability insurance use case.
Traditionally, the exchange of electronic health data has been designed for treatment, payment and operations (TPO) and did not cover use cases like underwriting and claims management. Interoperability regulations continue to reinforce the move towards allowing providers to share data for non-treatment purposes.
Of the major interoperability initiatives, eHealth Exchange paved the way in 2016 by adding “authorized released of health information for life insurance” to its list of approved use cases. Their main participation agreement (the DURSA) specifically calls out the Permitted Purpose to support the patient’s “right to direct with whom their information can be shared or where their information should be sent”. While healthcare providers or HIE’s are not compelled to participate in non-treatment data exchange, this language provides both an endorsement of the idea and a framework under which data exchange can be handled from an operational perspective. While many HIE’s and healthcare providers do not yet participate in the use case, many are in the process of evaluating it now and the trend towards increased participation is increasing.
There is now strong support from the Office of the National Coordinator (ONC) to ensure that the patient is in control of their medical records, which will further support the non-treatment use case. The Trusted Exchange Framework and Common Agreement (TEFCA), which was released by ONC in 2018, will establish a standardized process for healthcare stakeholders- including life insurers- to connect and participate in the sharing of electronic health data.
In support of this, the Department of Health and Human Services (HHS) has proposed a new rule that puts a strong focus on enabling patients to electronically access their health data and implements the information blocking provisions of the 21st Century Cures Act. When a patient signs a HIPAA authorization for an insurance carrier, they are directing that information to be released. Under the proposed ruling, if an organization can provide the data electronically, they must comply or will be assessed a financial penalty.
2. How does it work when an organization agrees to participate in the insurance use case?
All healthcare organizations are requiring a valid, signed HIPAA authorization establishing patient consent in order to release data. Most organizations will accept the standard insurance company HIPAA authorization, but because this is new for healthcare providers, some are being more cautious and request facility-specific authorizations in addition to the traditional HIPAA consent. This requires the underwriter/agent to go back to the client to sign another form, often delaying the process and resulting in frustration for all parties involved.
There are different approaches carriers can take to reduce the friction of special authorizations in their new electronic health record workflow. A more labor- intensive approach would be to understand which facilities will require the special auth upfront and incorporate that into the application process. This is tough, as it requires knowing not only the applicant’s provider, but the facility where they seek treatment. A carrier could eliminate querying to any organization that requires the special auth, but that reduces the amount of data available.
A major advantage of working with HIE’s is their willingness to work with standard HIPAA authorizations. Apart from New York, all of the HIEs Clareto is working with are able to leverage the existing data governance and standards that are in place for traditional health information data sharing, allowing the carrier to obtain EMR-agnostic medical data without the need for special consent.
3. How do organizations review and approve authorizations?
Keeping in mind the non-treatment use case is new to healthcare, some organizations and providers are requiring a manual review of authorizations once submitted by the carriers. This is not something that the EMR vendor can control and without automation, this process can delay the time in which records are released.
In small ambulatory practices there is rarely a dedicated individual managing the release of information. The authorizations are routed to a queue/inbox for review, and the release might take up to 10 days. Even in larger healthcare organizations the requests go to the Health Information Management (HIM) department where a clerk or analyst must manually review each request in queue. These same resources may also have other responsibilities which could include fulfilling patient requests, filing birth/ death certificates, coding, billing, or duplicate record matching. It is easy to speculate that an insurance carrier request could be lower priority.
4. What does the future hold?
There are good things happening here. HIEs such as Utah, Missouri and Kansas City have implemented automated connectivity models to help handle the influx of volume from insurance carriers. Epic has established a number of large providers who are automating the process for carriers and Veradigm’s Trusted Partner Network eliminates the need for manual review or special authorizations.
Clareto is committed to working with HIEs, EMR vendors (such as Epic and Veradigm) and providers to promote the non-treatment use case and provide carriers more access to data. Part of this work includes educating the healthcare community on patient (applicant) rights to dictate where this data is shared and the completeness of carrier authorizations to reduce the need for special consents. Clareto also works with organizations to help them understand the benefits of automating the release of information and provides technical benchmarking and expertise. Making a concerted effort to engage more organizations, accept traditional authorizations and automate the process will benefit the applicant, carrier and healthcare provider.
Confused about the National Networks?
Clareto explains what they are and exactly what they mean for insurance carriers.
November 4, 2019
For anyone who doesn’t work in healthcare IT, it can be overwhelming to understand the industry initiatives aimed at improving interoperability. Even more confusing, is understanding how they impact data availability for insurers given that they were designed for treatment purpose and different rules apply to non-treatment use cases (including insurance). As carriers try to gain an understanding of how EMRs, HIEs and patient portal data can be used for underwriting and claims, it will be increasingly important to understand how interoperability initiatives and national networks networks fit in to the big picture.
Let’s start with The Sequoia Project. The Sequoia Project was founded back in 2012, when it assumed stewardship of the nationwide health information network exchange from the Office of the National Coordinator (ONC). It is a non-profit, collaborative organization focused on advancing the secure, national sharing of health care data. It is important to note that the Sequoia Project itself is not a network, meaning members of the Sequoia project are not guaranteed access to data. The collaborative is meant to be a thought-leader and convener for interoperability, bringing together industry and government to solve challenges in health care. There are several working groups within the Sequoia Project, focused on various initiatives or challenges such as radiology image sharing or Patient Unified Lookup System for Emergencies (PULSE). One successful past initiative of the Sequoia Project was eHealth Exchange.
If you think of Sequoia as the over-arching organization, eHealth Exchange was its first interoperability initiative. eHealth Exchange is a nationwide public-private, health information network that connects the private sector providers and state/regional HIEs to each other and federal entities (SSA, DoD, etc.). It currently supports over 120 million patients and several interoperability use cases. One common participation agreement, the DURSA, establishes trust among participants who wish to exchange data.
Clareto operates MedVirginia, which is a founding and anchor member of eHealth Exchange. MedVirginia aided in the development of the network in 2008 and in 2009 via eHealth Exchange, was the first HIE in the country to connect with the Social Security Administration’s Health IT Program and later to the Department of Veteran Affairs and Department of Defense.
From a technical perspective, connecting to eHealth Exchange requires that you are a certified member and have completed on board testing and validation. Being a member of eHealth Exchange reduces the complexity around security and standardizes how data is sent, but each certified member will then need to work with their participants to set up access to exchange data.
eHealth Exchange was initially established to exchange data for TREATMENT purposes as the primary use case. This is a critical distinction for carriers to understand, as the life and disability purpose of use are considered NON-TREATMENT. While the technical capabilities may be in place for non-treatment data exchange, the participating HIEs each need to approve the use case on an individual basis. This usually requires HIE stakeholder or board approval. Additionally, Clareto works with HIE stakeholders to provide education around the non-treatment use case and the value to help with prioritization against grant funded projects such as prescription drug monitoring programs (PDMP).
Following the success of eHealth Exchange, questions persisted around how providers who connect through different networks (such as vendor, payer, lab, etc.) enable data sharing with each other? Sequoia gives the example: imagine not being able to call someone because they have a different cell phone carrier. That is what providers historically faced when joining a data sharing network.
The answer was found in Carequality, another successful initiative spearheaded by The Sequoia Project. Carequality is a network-to-network trust framework, that connects existing and future networks to each other. When providers adopt this framework, they can then share data with those outside of their network without additional effort.
eHealth has recently implemented a HUB-model to enable the routing of requests among its participants and to accommodate the Carequality Framework. While initially scheduled to go live this year, it will likely be fully in place by early 2020.
The Sequoia Project was also recently announced as the Recognized Cooperative Entity (RCE) responsible for developing, updating, implementing, and maintaining the Common Agreement component of the Trusted Exchange Framework and Common Agreement (TEFCA). As part of ONC’s 21st Century Cures Act, the Sequoia Project will be responsible for creating both the legal and technical requirements for networks to share electronic health information.
Commonwell is another national network, but unlike the others, is not related to the Sequoia Project. Backed by the large EHR vendor, Cerner, it too is focused on health data interoperability and leverages existing standards. Commonwell also provides record locator services, patient identification and matching and consent management to its participants. Like eHealth exchange, Commonwell was also established for treatment purposes. Each participant in the network would need to individually approve the non-treatment use case to share health data with insurance carriers.
The Strategic Health Information Collaborative (SHIEC) is a collaborative group for HIEs and strategic business members to share best practices and identify joint solutions. It provides education and influence on legislation, as well as thought-leadership across the industry. Membership does not equal access to data. Clareto recently announced its acceptance in SHIEC’s group purchasing program, which provides group benefits and preferred purchasing terms.
SHIEC’s first initiative, the Patient Centered Data Home, launched in 2018. This nationwide network has a goal of exchanging data across HIEs and notifying providers when a care event has occurred outside of the patient’s regional HIE. This enables providers to access real-time information across state and regional lines. For example, if an individual resides in Missouri and takes a vacation to Hawaii, their “home” HIE might be the Missouri Health Connection (MHC). If they become injured or sick while away, the Hawaii Health Information Exchange (HHIE) will be able to notify MHC of your incident, and they can access records from your primary care providers/health facilities. Like other networks, PCDH exchanges data for treatment purposes.
So how can we sum this up? First, there are a lot of networks, organizations, and collaboratives focused on improving health data sharing which benefits all healthcare stakeholders, including carriers. Secondly and more importantly, however, is that carriers should be cautious of data partners who claim to be a member of any of these networks. Many vendors do not yet fully understand the data standards, frameworks, use cases, and certification testing required to participate in the NON-TREATMENT exchange of data.
At Clareto, we continue to utilize our participation in these networks, as well as our deep healthcare expertise, to expand our access to data for insurance carriers. Clareto is already leveraging its eHealth Exchange connections and when the Carequality Framework becomes available, there will be no additional technical work for us to connect to other networks exchanging data. A visual overview of these networks is provided here.
For carriers interested in learning more about how Clareto works, or our roles on industry workgroups, please contact us at: http://clareto.com/contact/