Chapter 6: Laws Versus Regulations: the American Administrative Leviathan’s Outsized Impact.
I teach a graduate level class at The University of Texas at Dallas to students seeking their Masters of Healthcare Leadership and Administration, entitled Healthcare Law, Policy and Regulation. I’ve always thought it should be “Regulation” first, since there’s a hell of a lot more regulation in health law than law. One of my exam questions is, what’s the most legitimate complaint about the administrative state: that it lacks technical legitimacy, democratic legitimacy, or constitutional legitimacy? Presumably, the agencies are full of people with technical expertise. And they are headed by a democratically-elected president. But the Constitution never envisioned the vast federal bureaucracy. But here we are.
For decades, Congress has virtually failed to legislate. While Twain’s aphorism (“Nobody’s life, liberty or property is safe while Congress is in session”) still rings true, when things do need fixing (at least on a national level), it may require Congress to fix them. Legislating is hard: it’s usually an attempt to fix a problem, often an intractable one. And even if the true causes are known and there’s political will to actually address them, all actions have collateral, often unexpected or at least unintentional, effects. So in recent years, Congress has been content to highlight the problem, perhaps even point in a general direction for a fix, and task the administrative agencies to actually do the true legislating with regulations that are given the effective force of law. The result is that the Executive Branch does the job the Legislative Branch is tasked with in the Constitution. HIPAA is a prime example of that.
As I noted above, the original 1996 HIPAA statute gave Congress 2 years to come up with the Privacy Rule; obviously, that didn’t happen, so the heavy lifting of HIPAA was done by HHS: the Privacy Rule, as well as the Security Rule. Despite gripes by Senators Clinton and Kennedy, Congress never did anything to revise HIPAA from 1996, until the HITECH Act in 2009. As a result, HIPAA isn’t nearly so much a matter of law, but a matter of regulation.
HITECH itself was a part of the American Recovery and Reinvestment Act (known colloquially as the Stimulus Bill, and derisively as the Porkulus Bill), intended to help the US economy “recover” from the 2008 recession. It was, in fact, a horrific example of how not to pass legislation. Drunk on the success of the Obama election and majorities in the House and Senate (including a filibuster-proof 60 Senate seats), Democrats were determined to push through highly partisan bills stuffed to the gills with any and all wish-list items, the worst of which were HITECH and the even-worse Obamacare. HITECH was largely drafted by lobbyists, ran thousands of pages long, and was passed despite the fact that no lawmaker had read it. In fact, while it was being debated in the Senate, the copy under debate was amended by pen to fix a calculation error that hadn’t been discovered before the debate copy was printed. I guess that’s the government we deserve . . . (although the gods of the copybook headings would ask, “who won the next election?”).
HIPAA wasn’t the main focus of HITECH, but HITECH was the first statutory amendment to HIPAA. Did it wrap up needed changes? Of course not; additional regulations were needed in the form of the Omnibus Rule, finalized in January 2013. But HITECH did address a few specific fixes:
Business Associates: as noted above, business associates weren’t covered by HIPAA initially, and HHS had to invent the concept in the Privacy Rule and make them “contractually” obligated to follow HIPAA. HITECH made Business Associates directly liable for certain obligations under HIPAA, but it didn’t actually define what a Business Associate is; rather, it adopted the regulatory definition of HHS. It’s just not right that a Congressional statute depends for its defined terms on the regulatory agency. What if the agency changes the definition to something Congress didn’t intend? By definition (heh), this is a delegation of legislative authority.
Breach Notification: This probably deserves its own entry (number 21? 22?). HITECH added the breach notification requirement as well. As more fully discussed in Chapter 3 above, after California began the series of state data breach notification laws, HITECH added in a similar requirement with respect to HIPAA breaches. It must be a breach of unsecured PHI to be reportable, and while the definition of what constitutes a breach is pretty broad, there are several exceptions for common, low-harm occurrences. You’ll note that this approach is similar to the Privacy Rule’s basic “Rule” (see Chapter 9): state a general principle, but allow exceptions for common or anticipated events that aren’t problematic under the general principle. The first of the breach notification regulations did provide a very generous reportability exception for breaches that had a “low risk of financial, reputational, or other harm,” which those of us who follow HIPAA for a living considered an Easter Egg, but it didn’t last; when the Omnibus Rule was passed, the “low risk of harm” standard was replaced with a “low risk of compromise” threshold, with 4 factors considered in determining the risk level: the identifiability of the PHI (but not the sensitivity; PHI is PHI whether it’s your perfectly normal blood pressure readings or your bizarre sexually-transmitted diseases), the entity receiving the PHI, whether the PHI was actually viewed, and whether the incident could be mitigated. Low risk of compromise is still a wild card, but it’s not nearly as broadly encompassing as low risk of harm.
The “Hide” Rule: This is clearly the stupidest part of the HITECH Act, and was most clearly written by activists without a clue as to how healthcare information is normally used. The rule doesn’t really have a name, but I’ve deemed it the “hide” rule because its sole purpose is to allow a patient to hide information from his insurer. You know, I don’t like insurers either, but this is ridiculous. The language of the statute is sloppy and imprecise: it says if the individual “pays in full, out of pocket” for a medical service, and asks the provider to not provide information about the service to the patient’s insurer, the provider must comply. What if the patient is wearing an outfit without pockets? What if she takes her wallet out of her purse; is that a payment “out of pocket”? That’s not the type of language that should end up in a statute; it’s stupid, and shows what a clown show the entire HITECH process was. Laws should be specific and accurate; there’s no purpose for a “c’mon, you know what I meant” component of a law: if the law does not clearly and unambiguously state the requirements for compliance, it should not even be enforceable. But they felt good about it: “let’s stick it to the man!” But when it’s activists writing the legislation, what you’ll get is emotion, not logic.
Not only is the hide rule poorly composed, it doesn’t make any sense. If the patient pays for the first procedure “out of pocket” but wants the second one charged to insurance, or if the procedure results in the need for further care or prescription drugs, the insurer will rightfully decline to pay: there’s no medical necessity for the second procedure if there wasn’t a first procedure. Even HHS, when drafting the hide rule regulations, threw up their hands and told providers to just do their best. Like I said, ridiculous.
Potpourri: There were a handful of other components in HITECH and the Omnibus Rule, such as stricter limitations on sales of PHI, revisions to marketing requirements, and genetic information issues. These were more incremental, as might be expected of an administrative agency fine-tuning existing rules.
There will be more regulations, certainly. In fact, some components of HITECH are still in limbo, awaiting new regulations. HITECH required covered entities using an EMR to provide an accounting of all treatment, payment, and healthcare operations disclosures, which were originally exempted from the disclosure requirement. The geniuses who wrote HITECH thought that if you used an EMR, you’d be able to track all disclosures, so that accounting for TPO disclosures would be easy. But that’s not true for most EMRs, and for those where it’s possible, it’s often logistically difficult. HHS proposed rules to address this, and to require accountings not just of disclosures, but of all access to a medical record; those proposed regulations were met with such objection from the industry that HHS quickly surrendered and pulled the regulations, promising to revise and republish them. It’s been almost 10 years, but there’s been no more action on an expansion of the accounting rule (trust me, that’s actually a good thing).
HITECH also set up a structure for victims of harm caused by a HIPAA violation to receive a portion of the fine levied by OCR. As you may know, there’s no private cause of action for a HIPAA breach, so while OCR can levy a multi-million dollar fine, the individual injured by the HIPAA violation gets nothing. However, OCR does get to keep the fines and they go towards OCR’s general budget. Congress tried to fix that, not by giving the patient (and the plaintiff’s bar) a private cause of action, but by allocating some of the fine to a type of restitution to the victim. However, HHS hasn’t drafted regulations yet to explain how that might work. Hmm, I wonder why not?
There are also some non-HITECH changes that should be expected (revisions to the Notice of Privacy Practices standards were actually published by the Trump administration, but have been pulled back off the table by the Biden administration). Certainly, there will be more to come from HIPAA. But statutory changes are not likely. Any revisions will almost certainly be from the administrative branch.