Similar But Not the Same: Data Privacy and Security Policies for Health Insurance Exchange Entities as Compared to HIPAA

May 8, 2014, 8:29 PM UTC

For most health care institutions the federal Health Insurance Portability and Accountability Act (“HIPAA”) is their guiding light when it comes to regulating data privacy and security. However, for entities operating on the newly formed health insurance exchanges (“HIX entities”) compliance with HIPAA may or may not be required but, because HIX entities do, at a minimum, handle personally identifiable information (“PII”), they must comply with privacy and security regulations specific to health insurance exchange activities. These regulations are required by the Affordable Care Act and are articulated at 45 C.F.R. §155.260. Health care entities that are “Covered Entities” under HIPAA that also act as HIX entities must harmonize these two different regulatory regimes and understand when to apply which requirements.

A physician group maintaining electronic health records is a classic example of a covered entity subject to HIPAA, but would not be considered an HIX entity. HIX entities, on the other hand, include insurance companies and organizations that help enroll individuals in health insurance plans offered through the health insurance exchanges (“HIXs” or “Exchanges”).

Insurance agents and brokers must follow HIX data privacy and security regulations but are generally not affected by HIPAA. HIXs themselves will not be subject to HIPAA unless they expand beyond their initial functions of connecting individuals with health plans. The third category, consisting of entities that are subject to HIX privacy and security standards for some activities but HIPAA regulations for other activities, presents the most difficult compliance challenges.

For example, health plans offering products through the HIXs will need to comply both with HIPAA (when handling electronic health records) and the HIX privacy and security standards (when enrolling individuals in their plans through the HIXs). Additionally, providers, such as hospitals, may choose to participate in HIX enrollment assistance programs, such as the Navigators and Certified Application Counselors programs.

Participation in these programs will mean that these health care providers will be required to satisfy the HIX privacy and security standards for data generated by enrollment activities and comply with HIPAA for data generated from their health care activities. Compliance will be the greatest challenge for those entities required to comply with two regulatory regimes, resulting in additional policies and procedures, staff education and potential segregation of data in order to satisfy each applicable regulatory regime.

This article will explore the discrepancies and conflicts between the HIX privacy and security standards and HIPAA. It will first draw upon the history of the HIX privacy and security standards to illustrate why the Department of Health and Human Services does not find HIPAA applicable to HIX data. The article will then examine several key distinctions between the two regulatory regimes, touching on issues of scope, data use authorization, responses to data breaches and contracting with associates. Special consideration will be given to the compliance needs of hybrid entities—or entities that fall under HIPAA for some activities and HIX privacy and security standards for others.

Evolution of HIX Data Privacy and Security Standards

Originally, the Department of Health and Human Services (“HHS”) proposed that the security standards of HIXs be consistent with the HIPAA Security Rule. 76 Fed. Reg. 41866, 41879 (July 15, 2011). HHS proposed that HIX entities follow HIPAA because it “believe[s] that HIPAA provides certain universally appropriate security standards … [and] these rules provide tested and familiar guidelines that should ensure the proper handling of applicant and enrollee information.” 76 Fed. Reg. at 41880. Because HIPAA has regulated the privacy and security of protected health information (“PHI”) since 1996, this proposal would have allowed health care entities to apply already existing and thoroughly vetted policies and procedures to HIX activities.

However, HHS ultimately declined to follow this approach in its final rule on privacy and security of HIX PII for two reasons. First, HHS found that a “patchwork” approach to HIX privacy and security standards would be more appropriate, given the various federal and state agencies operating HIXs across the country. HHS noted that the states have a “breadth of options for designing and implementing Exchange functions and operations.” 77 Fed. Reg. 18310, 18325 (March 27, 2012).

Because of the patchwork nature of the HIX system, HHS declined to tie the HIX data privacy and security requirements of the Exchanges to HIPAA and refused to adopt a uniform standard across all HIXs, state or federally run. Instead, each state is allowed to articulate the security framework for its own state-run HIX. HHS will do the same for federally facilitated HIXs. This decision means that HIX entities, such as health plans, operating in multiple states must comply with multiple state laws with different data privacy and security standards.

HHS noted that the privacy and security standards articulated in the final rule parallel HIPAA in key respects, with similar but not identical standards and restrictions. 77 Fed. Reg. at 18340. However, it also rejected a uniform standard based on HIPAA on the grounds that HIPAA was not properly tailored to cover HIX activities.

HHS stated that it felt that “HIPAA is not broad enough to adequately protect the various types of PII that will be created, collected, used, and disclosed by Exchanges and individuals or entities who have access to information created, collected, used, and disclosed by Exchanges.” Id. As a result, the Exchanges are caught in the cross-hairs of HHS’s decision not to adopt privacy and security standards that would have allowed a single, comprehensive compliance program consistent with HIPAA.

The Scope of HIX Data Privacy and Security Regulations Are Broader than HIPAA

As noted above, HIPAA and HIX privacy and security standards regulate different types of data. HIPAA regulates only PHI. Therefore, HIPAA policies and procedures as written do not cover the full range of data that HIX privacy and security standards require HIX entities to protect. Because of the difference in focus, a standard HIPAA policy will likely be too narrow without modifications to cover the needs of an HIX entity.[1]

Additionally, because of the specific breach requirements of HIPAA as discussed below, entities dealing with both PHI and PII cannot simply apply HIX data privacy and security policies to PHI. Instead, these hybrid entities will likely need to have two sets of breach policies and procedures in place, one for each data set.

[1] HIPAA governs the use or disclosure of PHI or “individually identifiable health information.” PHI relates to: (1) an individual’s past, present or future physical or mental health or condition; (2) the provision of health care to the individual; (3) the past, present or future payment for the provision of health care to the individual; and (4) the individual’s identity, or information for which there is a reasonable basis to believe it can be used to identify the individual. 45 C.F.R. §160.103. Essentially, PHI will affirmatively answer the question “using this information, can I identify a particular individual’s health status, including conditions and treatments?” PII, on the other hand, is a much broader term. PII, as used for HIX activities, was defined in a 2007 Office of Management and Budget (“OMB”) Memorandum and is used broadly by all federal agencies, not just ones that oversee health care treatment or insurance. PII refers to “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” OMB Memorandum M-07-16. The health status of an individual is irrelevant for meeting the definition of PII—it need only be information that can distinguish a particular individual from others.

Because PII is a much more comprehensive term—in fact, PHI can be partially defined as the health-related subset of PII—any policies drafted for HIX data privacy and security must be broader in scope as HIPAA policies will not sufficiently cover the use and disclosure of PII. As long as the information is generated through HIX activities and could be used to identify particular individuals, HIX data privacy and security restrictions will apply. Similarly, because HIPAA requires different authorizations and security responses than HIX data privacy and security standards, HIX data privacy and security policies and procedures do not satisfy all HIPAA requirements.

Authorizations Under One Regulatory Regime Do Not Carry Over to the Other

HIX entities should be aware that a HIPAA authorization will not necessarily cover disclosure of PII. This is in large part due to the fact that HIPAA and HIX data privacy and security regulations focus on distinct permissible uses and disclosures of information that do not overlap. PII gathered through HIX activities can only be used for a narrow subset of activities. Section 1411 of the Affordable Care Act states that “an applicant for insurance coverage or for a premium tax credit or cost-sharing reduction shall be required to provide only the information strictly necessary to authenticate identity, determine eligibility, and determine the amount of the credit or reduction.”

In fact, to participate on the Exchanges, HIX entities such as Navigators, agents and brokers, must sign agreements with their relevant HIX agencies. 45 C.F.R. §155.260(b). These agreements must include the purposes for which HIX entities may use PII as well as the entity’s duties to protect and maintain the privacy and security of PII for such functions. 78 Fed. Reg. 54070, 54080 (August 30, 2013). These agreements also vary from state to state and agency to agency, so HIX entities should be aware of the scope of the agreement they sign. By contrast, HIPAA allows for PHI to be used for treatment, payment and health care operations, as well as a few ancillary purposes, without written authorization from the individual. 45 C.F.R. §164.504.

Accordingly, PII cannot be used for anything other than the purposes discussed above without a written authorization, even if HIPAA would otherwise allow the use of the same data for the same purposes. This means that entities operating under both sets of regulations may need to request two separate and distinct written authorizations, even if the PHI and PII are being used for the same purpose. Entities that fall under HIPAA for some activities and the HIX privacy and security standards for others, such as a hospital that also acts as a Navigator to assist individuals in enrolling in plans offered through an HIX, need to clearly delineate the information used for HIX purposes, which would require an authorization before it could be used for HIPAA-related purposes.

In the example at hand, the hospital should obtain prior written authorizations from its HIX clients before it uses the information gathered in the enrollment process to bill clients for medical services provided. These authorizations should not be HIPAA forms but instead should be specifically drafted to reflect the requirements of the HIX privacy and security standards. Likewise, the hospital should be careful to avoid “auto-populating” its HIX enrollment forms with PHI unless it receives prior written authorization from its patients to do so.

Breach Response Procedures and Timeframes Are Markedly Different

HIX entities should be aware that the breach standards for PII are broader than for HIPAA, do not require an analysis before reporting a breach and typically have a shorter time frame. HIX entities that are also covered entities should generate separate PII breach protocols to reflect the challenges of complying with these breach standards. Each HIX entity should devote time to planning its breach response procedures because of the extremely short notification requirement.

HHS has made clear its intention to enforce HIX privacy and security standards, even in jurisdictions with state-run exchanges. 78 Fed. Reg. at 54082. HHS also explicitly rejected adoption of HIPAA’s security standards for HIX breaches as “HIPAA does not provide comprehensive safeguards because the privacy, security, and breach notification rules issued under HIPAA will not apply to all actors who are subject to §§155.260 and 155.280, or to all information that will be protected under those provisions.” Id. Consequently, HHS chose to draw upon OMB Memoranda M-06-19 and M-07-16 as well as the National Institute of Standards and Technology Special Publication 800-61 to define key terms such as “breach” or “incident.” The adoption of new definitions of breach and incident means that HIX entities with HIPAA backgrounds must re-educate themselves as to what qualifies as a breach in the HIX world.

The definition of breach is much broader under the HIX standards. For HIX activities, breach is defined as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.” 45 C.F.R. §155.280(c)(ii); Id. HIPAA, on the other hand, defines breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” 45 C.F.R. §164.402.

Additionally, HIPAA provides several exceptions to its definition of breach that are not included in the definition for HIX activities, such as disclosure by a covered entity to an unauthorized person when the covered entity has a good faith belief that the unauthorized person would not reasonably have been able to retain such information. Id. The next steps to be taken after discovery of a breach are also different under the two regulatory regimes. Consequently, entities that would normally attempt an analysis to determine whether they should report a PHI breach should skip the analysis required under HIPAA and report all PII breaches, regardless of risk of harm or size.

HIX entities should also keep in mind the breach reporting windows for PII incidents are typically much shorter than those allowed for PHI breaches. HHS originally proposed a breach reporting window of one hour, as the agency “expect[ed] that this will take an individual one hour to gather the relevant documentation and enter the missing information online or contact the call center to provide the necessary information.” 78 Fed. Reg. at 37049.

This time frame predictably created a strong response from interested stakeholders. In response, HHS softened the time frame requirement, deleting it from the applicable regulation at 45 C.F.R. §155.280(c)(3). 78 Fed. Reg. at 54084. However, it noted that the one hour requirement was included in computer matching, information exchange and other data sharing agreements and legal agreements executed between CMS and HIX entities, such as Navigators. Id. Consequently, for the majority of HIX entities, the one hour reporting rule will still stand although its basis will be contractual rather than regulatory.

Compliance with this short time frame will make it difficult for HIX entities to obtain meaningful legal counsel before disclosing a breach. Therefore, clear procedures and protocols, articulated well before any situation occurs and specifically tailored to the HIX privacy and security standards, will make a crucial difference in responding appropriately in situations of PII breaches.

Business Associate Agreements Cover Only PHI Sharing Arrangements, Not PII Sharing Arrangements

Covered entities under HIPAA that have signed business associate agreements should not assume that these agreements will allow them to share PII. Business associate agreements are designed to address HIPAA requirements and do not reflect the unique obligations of HIX entities. For example, business associate agreements will reflect the breach reporting timelines required by HIPAA and not the short turnaround necessitated for PII breaches.

Hybrid entities and HIX entities sharing PII should consider drafting and entering into “data sharing agreements” with their associates, including vendors and contractors. These agreements are necessary because the terms and conditions placed on HIX entities often require them to impose the same privacy and security standards under which they operate on all of their vendors and contractors with access to PII.

For example, the federal Navigator grants require that all grant recipients impose the HIX privacy and security standards on their “Workforce” members working with the recipient on the grant. “Workforce” is defined by the grant as an entity’s “employees, agents, contractors, subcontractors, officers, directors, agents, representatives, volunteers and any other individual who may create, collect, disclose, access, maintain, store or use PII in the performance of his or her duties.”

This broad definition overlaps with HIPAA’s definition but it also includes others who would not be considered a business associate under HIPAA, such as officers or volunteers.

The best way to ensure that Workforce members comply with the HIX privacy and security standards is to enter into agreements tailored specifically to the requirements of the HIX privacy and security standards. These agreements should include obligations to:

(1) follow the HIX entity’s privacy and security policies;
(2) follow 45 C.F.R. §155.260 and any other regulatory guidance;
(3) follow the shortened breach reporting window; and
(4) train staff on differences between PII and PHI.

Conclusion

It would be temptingly easy for HIX entities, especially those that are also covered entities under HIPAA, to assume that HIPAA compliance would cover their data privacy and security obligations for their HIX activities. However, to do so would be to ignore HHS’s deliberate choice to reject HIPAA for this purpose. The HIX privacy and security standards are broader and perhaps more demanding than the ones covered entities are subject to under HIPAA.

In sum, HIX entities also subject to HIPAA should be mindful of the difference between PII and PHI, the different purposes for which the information can be used and the broader definitions of breach and security incident.
