Printed from BusinessInsurance.com

PORTABILITY LAW TO SET RULES FOR PRIVACY OF BENEFIT RECORDS

Posted On: May. 25, 1997 12:00 AM CST

An employer, seeking to monitor abuses of habit-forming drugs by workers, uses computers to assemble lists of employees and the prescriptions they have received.

An HMO employee who is opposed to abortion jots down the names of workers who have received insurance payments for the procedure and submits them to the right-to-life movement for inclusion on mailing lists.

A corporate human resources department assistant, technically authorized to read benefits files, spends idle time leafing through medical files without a business purpose.

All of these hypothetical situations eventually could be barred by new federal guidelines regulating the use of medical records in the workplace and by health networks. Secretary of Health and Human Services Donna E. Shalala is expected to submit to Congress in August recommendations on medical confidentiality, an area that until now has been almost exclusively the province of the states.

For benefit managers, new regulations from Washington eventually could require a sweeping evaluation of security standards for both paper and electronic files.

Until now, health care confidentiality law has been dominated by state statutes, a hodgepodge of varying and sometimes conflicting rules ranging from provider credentialing and utilization review measures to substance review and mental health rights law.

That changed last August, when Congress passed the Health Insurance Portability and Accountability Act, commonly known as the Kassebaum-Kennedy Act.

Although the law is best known for curbing the use of pre-existing condition exclusions in health care plans, HIPAA also contains little-noticed provisions that set a timetable for final rules on the privacy of medical records, on electronic standards for health data, and on penalties for infractions.

Although it is likely that many of the new rules will not be put out in final form for another two years, employers should anticipate that their impact could be "huge and exponential," and that the rules will be "something which can be violated very easily," said Linn M. Visscher, an employee benefits attorney with Gardner, Carton & Douglas in Chicago.

The timetable for the implementation of the rules is complex and potentially lengthy. The recommendations on confidentiality, to be studied by congressional committees beginning this summer, will cover such matters as the administrative, technical and physical security of health plan data and safeguards against unauthorized use. Congress will have until August 1999 to enact legislation codifying the rules; if it fails to act, the Secretary of Health and Human Services must issue final regulations within a further six months, by February 2000.

In addition, by February 1998, HHS is to adopt standards for the security and electronic transmission of health insurance claims data, covering information such as enrollment, eligibility, premium payments and referrals. Large health plans must have their systems in compliance within two years of adoption, by February 2000; "small" plans, still to be defined by HHS, will have an extra year.

For the first time, health plans or employers with lax security will be liable for federal civil penalties: $100 per violation, capped at $25,000 per calendar year for violations of the same requirement. Because violations accumulate one by one, a plan that breaks the rules routinely could run up large fines.

"You can rack up 50 violations a day and it can last a month," said Devin Cuyler, who specializes in health information technology at Gardner, Carton & Douglas. "That's where it gets onerous. You could get killed."

The privacy rules that eventually emerge could constrain what employers and health plans can do with their cost-efficiency studies, quality evaluations, wellness programs, coordination of benefits and use of confidential information in decisions relating to the Americans with Disabilities Act, said Kathy Bakich, an attorney with William M. Mercer Inc. in Washington.

Although the schedule may not seem to demand much of benefit managers immediately, legal experts say it isn't too soon to begin a general review of data security and privacy procedures.

"Now is the time to look at what you've got and ask yourself, 'Does what we've got protect confidentiality?'" said Ms. Visscher. Companies should study who has control over benefit records and what kind of control they have, and be sure that online information systems, if in use, have audit trails that management can use to trace which benefits records were accessed and by whom.
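The audit trail described here, tracing which records were accessed and by whom, is easy to state and easy to get subtly wrong: a log that the same staff can quietly edit proves nothing. What follows is an added example, not code from this article or from any of the firms quoted. It assumes a hypothetical benefits system that records each read of a record as an event carrying the user, the record id, a timestamp and a stated business purpose, chains the entries with SHA-256 so that a rewritten or dropped entry breaks verification, and flags users who browse several records without giving any purpose (the idle HR assistant in the opening scenario). All user names, record ids and events are constructed for illustration.

```python
"""Tamper-evident access audit trail for benefit records (added example).

Assumptions, not taken from the article: every read of a record is logged
as an event with a user, record id, timestamp and free-text business
purpose; entries are hash-chained so deleting or rewriting one breaks
verification. The sample events below are constructed.
"""
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class AccessEvent:
    ts: str       # ISO 8601 timestamp supplied by the caller (assumption)
    user: str     # who read the record
    record: str   # which benefits record was read
    purpose: str  # stated business purpose; empty string if none given


class AuditTrail:
    """Append-only log; each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []  # list of (event, prev_hash, entry_hash)

    @staticmethod
    def _digest(event, prev_hash):
        payload = json.dumps(asdict(event), sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, event):
        prev = self._entries[-1][2] if self._entries else self.GENESIS
        self._entries.append((event, prev, self._digest(event, prev)))

    def verify(self):
        """Recompute the chain; False if an entry was altered, dropped or reordered."""
        prev = self.GENESIS
        for event, stored_prev, stored_hash in self._entries:
            if stored_prev != prev or self._digest(event, prev) != stored_hash:
                return False
            prev = stored_hash
        return True

    def who_accessed(self, record):
        """Trace which users read a given record, and when."""
        return [(e.ts, e.user) for e, _, _ in self._entries if e.record == record]

    def records_read_by(self, user):
        """Distinct records a given user has read."""
        return sorted({e.record for e, _, _ in self._entries if e.user == user})

    def browsing_without_purpose(self, threshold):
        """Users who read at least `threshold` distinct records with no stated purpose."""
        counts = defaultdict(set)
        for e, _, _ in self._entries:
            if not e.purpose.strip():
                counts[e.user].add(e.record)
        return sorted(u for u, recs in counts.items() if len(recs) >= threshold)


def build_sample_trail():
    """Constructed events: a claims examiner working, an assistant browsing."""
    trail = AuditTrail()
    events = [
        AccessEvent("1997-05-20T09:02:00", "claims.examiner", "EMP-1042", "claim 7781 adjudication"),
        AccessEvent("1997-05-20T09:15:00", "claims.examiner", "EMP-2210", "claim 7790 adjudication"),
        AccessEvent("1997-05-20T12:05:00", "hr.assistant", "EMP-1042", ""),
        AccessEvent("1997-05-20T12:07:00", "hr.assistant", "EMP-3377", ""),
        AccessEvent("1997-05-20T12:09:00", "hr.assistant", "EMP-4401", ""),
        AccessEvent("1997-05-20T14:30:00", "hr.assistant", "EMP-5120", "COBRA election mailing"),
    ]
    for ev in events:
        trail.append(ev)
    return trail


def tamper_with(trail):
    """Simulate an insider rewriting a stored entry to hide what they read.

    The stored hash is left as-is, as a naive edit of the table would do;
    returns the result of verify() afterwards (False: tampering detected).
    """
    event, prev, h = trail._entries[2]
    faked = AccessEvent(event.ts, event.user, "EMP-9999", event.purpose)
    trail._entries[2] = (faked, prev, h)
    return trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    print("EMP-1042 read by:", t.who_accessed("EMP-1042"))
    print("flagged for browsing:", t.browsing_without_purpose(3))
    print("chain intact after tampering:", tamper_with(t))
```

Running the block prints the two traces and then shows verification failing once an entry has been rewritten in place. In a real deployment the chain's latest hash should be copied regularly to storage the application's own users cannot write to; otherwise an insider with database access can rewrite the whole chain consistently and the check proves nothing.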

But another attorney said it might be premature for plan sponsors to be concerned with complying with HIPAA's data processing requirements, and that any funds spent now could be wasted.

"It seems to me generally it would be premature to spend money now to anticipate what these standards will consist of," said Michael Langan, a principal with Towers Perrin in Valhalla, N.Y. "Employers certainly shouldn't start in the interim. I don't think people should be acting indiscriminately now only to have to go back and redo it when the specs take shape."

HIPAA provides that knowingly obtaining or disclosing someone's individually identifiable health information, or using a unique health identifier, is a federal crime; at the top tier, for offenses committed with intent to sell the information or use it for commercial advantage, personal gain or malicious harm, the penalty is a fine of up to $250,000 and up to 10 years in prison. But the law merely sets up a timetable for defining what kinds of "health identifier" the industry is going to use.

"It would seem to me to be hard to violate the rules before they come to life," Mr. Langan said. "Obviously, responsible employers don't release this kind of information willy-nilly, anyway."

The adoption of common standards, in addition to enhancing security, will bring cost efficiencies, once the early costs are met, according to Terry Humo, senior technical consultant at Sedgwick Noble Lowndes in Memphis, Tenn.

"In the long term, it should save employers money, and I'm talking about administrative simplification, generally standardized claim forms, standardized codes, so everyone is working off the same sheet of music," he said. "But to get the people trained and get the electronic systems in place, for smaller employers these are going to be initial upfront costs, and it's going to be costly."

Even though HIPAA contains the new, evolving privacy safeguards, some say the act will undermine medical confidentiality regardless of the specific rules that emerge. Privacy and patients' rights groups worked to defeat HIPAA in the final hours before its passage, as the confidentiality sections were being added. They see those sections as adding to the erosion of privacy that they consider the inevitable result of instant online availability of records and the use of universal identifiers.

"In our view, this doesn't really do a thing to protect privacy," said Don Haines, the national American Civil Liberties Union's legislative counsel on privacy and cyberspace in Washington. "We are waging a multifront war against the invasion of privacy caused by administrative simplification."

The ACLU is working, through a fax campaign, to persuade HHS officials to write strict privacy rule recommendations to Congress, Mr. Haines said.

In addition, it is contacting state legislators to persuade them to exempt health plans in their state from the planned electronic claim processing standards. Under HIPAA, states are permitted to grant exemptions from such standards when health identifiers are involved.

As employees become more familiar with privacy issues, "privacy may even become a competitive edge" that affects where they seek employment, Mr. Haines said.

"There is a growing sense of resentment about information the public thinks is, or ought to be, confidential," he said.

But employers are generally supportive of the privacy safeguards of HIPAA, at least as they are anticipated, according to Nora Super Jones, manager of public policy at Washington Business Group on Health, a coalition of 150 large employers.

"We support national standards for protection of confidentiality, but we do distinguish between privacy and confidentiality," she said.

Most employers would agree that medical information should be kept confidential from other employees, but the health system should be as interconnected as possible, she said. Workers should not have the power to demand absolute privacy and decide which providers should have access to their files, she said.