NOTE: As provided in LFC policy, this report is intended for use by the standing finance committees of the
legislature. The Legislative Finance Committee does not assume responsibility for the accuracy of the information
in this report when used in any other situation.
Only the most recent FIR version, excluding attachments, is available on the Intranet. Previously issued FIRs and
attachments may be obtained from the LFC office in Suite 101 of the State Capitol Building North.
FISCAL IMPACT REPORT
SPONSOR: Leavell
DATE TYPED: 03/04/01
HB:
SHORT TITLE: Promulgate Privacy Rules
SB: 352/aSPAC
ANALYST: Wilson
APPROPRIATION

Appropriation Contained    Estimated Additional Impact    Recurring      Fund
FY01        FY02           FY01        FY02               or Non-Rec     Affected
NFI

(Parenthesis ( ) Indicate Expenditure Decreases)
SOURCES OF INFORMATION
Health Policy Commission (HPC)
Public Regulation Commission (PRC)
Retiree Health Care Authority (RHCA)
SUMMARY
Synopsis of SPAC Amendment
The SPAC amendment has changed the requirement that rules promulgated by the Superintendent
of Insurance under this bill must be at least as restrictive as the federal requirements. The rules
must "meet" the applicable federal requirements.
Synopsis of Original Bill
The bill authorizes and directs the Superintendent of Insurance to promulgate rules to protect the
privacy of insurance consumers' "nonpublic personal information," including personal health and
financial information.
Significant Issues
The bill is prompted by the passage of the federal Gramm-Leach-Bliley Act, Public Law 106-102,
which repealed the Glass-Steagall Act and permitted the combination of the banking,
securities, and insurance industries under common ownership. Title V of the Gramm-Leach-Bliley
Act requires states to adopt insurance rules to "insure the security and confidentiality of customer
records and information" and to "protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience to any customer."
Current state law authorizes privacy rules for managed care organizations such as HMOs, but
does not extend to other health insurers and other types of insurers that might possess nonpublic
personal information of their customers.
SB 352 extends the authority of the PRC to promulgate regulations beyond the federal legislation
by establishing the Gramm-Leach-Bliley Act as the floor, not the ceiling.
ADMINISTRATIVE IMPLICATIONS
No new FTE required. Some oversight and enforcement will be required, but the PRC does not
think that the burden will be significant.
OTHER SUBSTANTIVE ISSUES
The HPC has provided the following:
- Privacy of personal health and financial information is a great concern of New Mexico's
citizens due to the lack of regulatory protections regarding privacy and the potential for
abuse of this information. However, the federal government, through its rulemaking
capacity has already introduced legislation, The Health Insurance Portability and Accountability Act of 1996 (HIPAA). The section referred to as Administrative Simplification
includes extensive provisions for privacy. The privacy rules that were recently published
in the Federal Register consist of some 1500 pages of detailed rules. In addition, over
40,000 pages of comments were received by the federal Department of Health and Human
Services (HHS) prior to their publication of the final rules. Insurance companies, their
associated health plans, providers and business associates meet the definition of "covered
entities" under the HIPAA privacy rules and are already required to comply with the
federal regulations. A state legislative initiative may be redundant.
- The federal privacy rules further state that they apply to all individually identifiable health
information that is transmitted or maintained in any form. This means that any information that is created or received by a health care provider, health plan, employer, or health
care clearinghouse that relates to the provision or payment for health care, or physical or
mental health and identifies or could reasonably identify the individual is covered by the
rule. Health information is broadly defined as any information that relates to provision or
payment of health care or physical, mental or behavioral health. Health care is defined as
care, counseling, service or procedure related to physical, mental or behavioral condition
or functional status; sale/dispensing of prescription items; or procurement/banking of
blood, organs, genetic material, etc. The federal rule applies not only to personal health
information but also protects financial information.
- Covered entities may use or disclose protected information only as permitted or required
by the rule. This means that insurance companies and their associated trading partners
could disclose the protected information with consent, for treatment, payment or health
care operations; without consent, if not required, for treatment, payment or health care
operations, except for psychotherapy notes; pursuant to an authorization; pursuant to an
agreement, to the individual; or as otherwise permitted by the rule. Only the minimum
amount of information that is necessary to accomplish the intended purpose may be
disclosed. For example, if the patient presents at an emergency room with a suspected leg
fracture, his/her psychiatric records are not relevant to the intended purpose and may not
be disclosed. Covered entities must make reasonable efforts to limit access by members of
their workforce to the amount of information necessary to carry out their duties, and must
implement policies and procedures for limiting disclosures.
- Consent must be obtained prior to using or disclosing protected information for purposes
of treatment, payment or health care operations. The rule contains specific requirements
for the consent to be valid.
- Authorization must be obtained for use or disclosure of protected information, except as
otherwise permitted or required by the rule.
- Individuals have a right to inspect and obtain a copy of their protected information for as
long as the information is maintained by the covered entity, except for psychotherapy
notes, information compiled for litigation, or information exempted under certain federal
laws.
- Individuals also have a right to have a covered entity amend their protected information
for as long as the entity maintains their information.
- The rule also provides procedures for accepting or denying amendments; timelines for
responding to requests for amendments (60 days); procedures for the individual to file a
statement of disagreement, and the entity to file a rebuttal statement, if the amendment is
denied; and procedures for providing notification of certain past and future recipients of
the protected information.
- Individuals have a right to receive an accounting of the disclosures of their protected
health information made by a covered entity in the past six years, except for disclosures
for treatment, payment or health care operations; disclosures made to the individual;
disclosures made for directory or family notification purposes; disclosures for national
security purposes or made to correctional or law enforcement officials or disclosures that
occurred prior to the compliance date for the rule.
- There are specific exemptions to the privacy rule that do not require individual permission. These include when disclosure is required by law, for public health purposes, for
health oversight activities required by law, for judicial and administrative proceedings in
response to a court order, a subpoena, discovery request, or other legal process if the
individual has been notified and had an opportunity to object to the disclosure. Other
exemptions include for law enforcement use, for health services research as approved by
an Institutional Review Board (IRB), and if there is reason to believe there is a serious and
imminent threat to the health or safety of a person or the public, for Workers' Compensation purposes, for organ donation and for victims of abuse, neglect and domestic violence.
- The rule also outlines numerous changes in administrative practices. These changes
include new business processes, policies and procedures, staff training and will require
additional organizational resources.
- The date for compliance will be for providers, health plans and health care clearinghouses,
February 26, 2003. For small health plans, the date is pushed back one year until February
26, 2004.
- The rule preempts any contrary provision of state law, with limited exceptions. A
provision of state law relating to the privacy of health information that is more stringent
than the rule would not be preempted.
- Finally, the cost to the industry of implementing these new federal privacy regulations is
significant, especially for providers in private practice. Sufficient time is needed to
implement the new requirements for privacy protection, adopt new business processes that
are compliant with the rule, designate a privacy official to write policies and procedures,
train staff, and develop sanctions for staff members who fail to comply with the rule.
- Given the enormous change in business practices and the broad scope of the federal rules,
perhaps it would be prudent to follow the federal timelines for implementation of this
wide-reaching change in health care.
DW/lrs:njw:prr:ar