Why Aren’t Health Insurance Exchanges (HIX) Bound By HIPAA Rules?

Health Insurance Exchanges come in two flavors—Federally Funded Exchanges (FFE) and State Exchanges. And regardless of the flavor, they need an image and technical makeovers have given their catastrophic public debut. Thank goodness for the good old paper forms that have come to the rescue of the consumers looking to enroll and the officials responsible for making the enrollment systems work. Given all the initial technical missteps in the rollout of these exchanges, I hesitate to pile on but it’s hard to resist - especially when it comes to the privacy and security safeguards, or lack thereof. The government’s own memo confirmed that not enough testing of privacy and security safeguards were done before rolling out the HealthCare.gov. So for those of us who are privacy and compliance nerds, it begs the question about the applicable governing privacy and security rules and who is in charge of enforcement?

Yes, it is understandable that a HIX would not meet HIPAA’s definition of a covered entity (CE) and therefore HIPAA Privacy Rule would not generally apply. But I wonder why these exchanges did not get designated as Business Associates (BA) under HIPAA since they all provide a clear service (data analysis and eligibility) to participating Health Plans and these plans are all covered entities under HIPAA?

So in the spirit of keeping it simple, I think extending the definition of a BA (45 CFR 160.103) to a third party entity that assists a health plan with data analysis and enrollment eligibility determination would do the trick—a HIX could then qualify as a Business Associate and be governed by the HIPAA Privacy Rule provisions 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e) which in turn would also apply the Administrative Safeguards under 45 CFR 164.308. This would make the rules and compliance obligations far more consistent for the HIXs and participating Health Plans. Instead, what we have is 45 CFR 155.260 – Privacy and security of personally identifiable information for HIX. It basically addresses the creation, collection, use and disclosure of PII (not PHI). I am still trying to clarify which agency is in charge of enforcing HIX privacy and security obligations. Does the flavor of HIX matter as to who is in charge? A BA designation for HIX would’ve made this pretty clear with HHS/OCR as the enforcement agency to make sure that the HIX meets its obligations under HIPAA privacy and security safeguards. A since we finally got clarification on the role and responsibilities of Subcontractors under the HIPAA Final Rule, the same could have been applied to non-Exchange entities associated with FFEs and State Exchanges.

In a recent interview with Jeffrey D. Zients, President Obama’s troubleshooter for correcting problems with the HealthCare.gov Web site, where he said lack of incident management process was one of the key deficiencies that were found through a root cause analysis of HealthCare.gov debacle. Again, this is a clear requirement under HIPAA security rule (CFR 164.308(a)) along with the HIPAA Breach Notification Rule. Healthcare entities have just figured out these rules so why not stick with the same standards as much as possible to reduce confusion and improve compliance?

To make matters even more complicated, HHS has proposed separate data breach reporting rules for FFEs, State Exchanges and non-Exchanges associated with federal and state exchanges. Apparently HHS is deeming the scope of data incidents in the Exchange environments to be broader than HIPAA because instead of using HIPAA’s definition of incidents and newly finalized risk assessment factors, it uses the OMB Memorandum M-06-19, Memorandum M-07-16 and the NIST publication 800-61 to define incidents and breaches. No wonder the job of privacy, compliance and security officers are getting tougher by the day. In §155.280(c)(3) HHS and CMS proposed that FFEs, non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach. This looks like a very lofty goal given the reality and the complexity of incident assessment and decision making within the industry. Laws are supposed to shape positive behavior—not induce despair and confusion among those who are obligated to comply.

I started with a simple question whether Exchanges were bound by the HIPAA rules and quickly found myself going down a complex maze of old and new rules that unintentionally do more to confuse these stewards of consumers’ PII and PHI. The complexity of these rules also contributes to the poor state of compliance and ultimately lowers consumer protection. The proliferation of new data privacy and security rules isn’t too helpful when existing rules can help us achieve the same end game.