For insurance carriers, access to medical records is a critical component in the risk selection process. In obtaining these records, insurers must consider the Health Insurance Portability and Accountability Act (HIPAA) when interacting with covered entities such as hospitals, health information exchanges and clinician offices. As many of us know, the intent of HIPAA is to provide consumers with rights and privacy protections related to their health information, including how and when their medical records are used and disclosed.
For healthcare, compliance with HIPAA is complex, causing carriers and vendors to encounter a few bumps in the road related to consent.
1. There are common misconceptions as to what health data is available for the life and disability insurance use case.
Traditionally, the exchange of electronic health data has been designed for treatment, payment and operations (TPO) and did not cover use cases like underwriting and claims management. Interoperability regulations continue to reinforce the move towards allowing providers to share data for non-treatment purposes.
Of the major interoperability initiatives, eHealth Exchange paved the way in 2016 by adding “authorized release of health information for life insurance” to its list of approved use cases. Their main participation agreement (the DURSA) specifically calls out the Permitted Purpose to support the patient’s “right to direct with whom their information can be shared or where their information should be sent”. While healthcare providers or HIEs are not compelled to participate in non-treatment data exchange, this language provides both an endorsement of the idea and a framework under which data exchange can be handled from an operational perspective.
While many HIEs and healthcare providers do not yet participate in the use case, many are in the process of evaluating it now and the trend is towards increased participation.
There is now strong support from the Office of the National Coordinator (ONC) to ensure that the patient is in control of their medical records, which will further support the non-treatment use case. The Trusted Exchange Framework and Common Agreement (TEFCA), which was released by ONC in 2018, will establish a standardized process for healthcare stakeholders, including life insurers, to connect and participate in the sharing of electronic health data.
In support of this, the Department of Health and Human Services (HHS) has proposed a new rule that puts a strong focus on enabling patients to electronically access their health data and implements the information blocking provisions of the 21st Century Cures Act. When a patient signs a HIPAA authorization for an insurance carrier, they are directing that information to be released. Under the proposed rule, if an organization can provide the data electronically, it must comply or be assessed a financial penalty.
2. How does it work when an organization agrees to participate in the insurance use case?
All healthcare organizations are requiring a valid HIPAA authorization establishing patient consent in order to release data. Most organizations will accept the standard insurance company HIPAA authorization, but because this is new for healthcare providers, some are being more cautious and request facility-specific authorizations in addition to the traditional HIPAA consent. This requires the underwriter/agent to go back to the client to sign another form, often delaying the process and resulting in frustration for all parties involved.
There are different approaches carriers can take to reduce the friction of special authorizations in their new electronic health record workflow. A more labor-intensive approach would be to understand which facilities will require the special auth upfront and incorporate that into the application process. This is tough, as it requires knowing not only the applicant’s provider, but the facility where they seek treatment. A carrier could eliminate querying to any organization that requires the special auth, but that reduces the amount of data available.
A major advantage of working with HIEs is their willingness to work with standard HIPAA authorizations. Apart from New York, all of the HIEs Clareto is working with are able to leverage the existing data governance and standards that are in place for traditional health information data sharing, allowing the carrier to obtain EMR-agnostic medical data without the need for special consent.
3. How do organizations review and approve authorizations?
Keeping in mind that the non-treatment use case is new to healthcare, some organizations and providers are requiring a manual review of authorizations once submitted by the carriers. This is not something that the EMR vendor can control, and without automation this process can delay the release of records.
In small ambulatory practices there is rarely a dedicated individual managing the release of information. The authorizations are routed to a queue/inbox for review, and the release might take up to 10 days. Even in larger healthcare organizations, the requests go to the Health Information Management (HIM) department, where a clerk or analyst must manually review each request in the queue. These same resources may also have other responsibilities, which could include fulfilling patient requests, filing birth/death certificates, coding, billing, or duplicate record matching. It is easy to speculate that an insurance carrier request could be lower priority.
4. What does the future hold?
There are good things happening here. HIEs such as Utah, Missouri and Kansas City have implemented automated connectivity models to help handle the influx of volume from insurance carriers. Epic has established a number of large providers who are automating the process for carriers and Veradigm’s Trusted Partner Network eliminates the need for manual review or special authorizations.
Clareto is committed to working with HIEs, EMR vendors (such as Epic and Veradigm) and providers to promote the non-treatment use case and provide carriers more access to data. Part of this work includes educating the healthcare community on patient (applicant) rights to dictate where this data is shared and the completeness of carrier authorizations to reduce the need for special consents. Clareto also works with organizations to help them understand the benefits of automating the release of information and provides technical benchmarking and expertise. Making a concerted effort to engage more organizations, accept traditional authorizations and automate the process will benefit the applicant, carrier and healthcare provider.