BILL ANALYSIS �
AB 562
Page 1
Date of Hearing: April 21, 2009
ASSEMBLY COMMITTEE ON HEALTH
Dave Jones, Chair
AB 562 (Cook) - As Amended: April 15, 2009
SUBJECT : Health care coverage: report of claim information.
SUMMARY : Requires a health insurance issuer to, upon request,
provide specified aggregate and individual health care claims
information, for employers with more than 50 employees, to an
employee welfare benefit plan (maintained by an employer(s) or
employee organization(s)), joint employer-employee plan, a
governmental entity, or plan administrator, as specified.
Specifically, this bill :
1)Requires a "health insurance issuer," as defined in this bill
by reference to federal regulations under the Health Insurance
Portability and Accountability Act (HIPAA), that receives a
written request for a written report of claims information,
made on or after July 1, 2010, from a "plan," "plan sponsor,"
or "plan administrator," as those terms are defined in this
bill by reference to federal regulations under the Employer
Income Retirement Security Act (ERISA), for a covered group of
50 or more employees, to provide the report to the requesting
party no later than 30 days after receipt of the request.
2)Requires a health insurance issuer to provide the report
pursuant to 1) above by one of the following means:
a) In a written report;
b) Through an electronic file transmitted by secure
electronic mail or a file transfer protocol site; or,
c) By making the required information available through a
secure Internet Web site or Web portal accessible by the
requesting plan, plan sponsor, or plan administrator.
3)Requires the report of claim to contain all information
available to the health insurance issuer that is responsive to
the request for a 36-month period preceding the date of the
report, or the entire coverage period, whichever is shorter,
except for the requirement in 4) below, and requires the
report to include the following:
a) Aggregate paid claims experience by month, including,
�
AB 562
Page 2
but not limited to, claims experience for medical, dental,
and pharmacy benefits, including capitation costs or
payments in the case of health maintenance organizations
(HMOs), as applicable. Requires the insurance issuer to
use $20,000 as the pooling point for aggregate reporting;
b) Total premiums paid by month;
c) The total number of covered employees on a monthly basis
by coverage tier, including whether the coverage was for
one of the following:
i) An employee only;
ii) An employee with dependents only;
iii) An employee with a spouse only;
iv) An employee with a spouse and dependents; and,
v) The total dollar amount of claims pending as of the
date of the report.
4)A separate description and individual claims report for any
individual whose total paid claims exceed $20,000 during the
12-month period preceding the date of the report. Requires
the report to include the following related to the claims for
that individual: The amounts paid during the previous
12-month period; and, the applicable procedure codes and
diagnosis codes.
5)Prohibits a health insurance issuer from disclosing any
information in the report required by this bill if the
disclosure is prohibited under another state or federal law
that imposes more stringent privacy restrictions than those
imposed under HIPAA.
6)If the request for claims information as in 4) above, is
received after the termination date of the group health plan,
the health insurance issuer must provide all information
available that is responsive to the request, including the
information described in 3) above, if the plan, plan sponsor,
or plan administrator requests the report on or before the
second anniversary of the termination of coverage.
7)Imposes unspecified administrative penalties on health
insurance issuers who violate the provisions of this bill.
8)Exempts the disclosures required by this bill from the
�
AB 562
Page 3
prohibition imposed in state law on health plans and health
insurers against releasing any information to an employer that
would directly or indirectly indicate that an employee is
receiving or has received services from a health care provider
covered by the health plan or insurer unless authorized to do
so by the employee.
9)Defines the following for purposes of this bill:
a) By reference to federal HIPAA regulations:
i) "Group health plan" as an employee welfare benefit
plan, as defined in ERISA, including insured and
self-insured plans;
ii) "Health insurance issuer" as an insurance company,
insurance service or insurance organization, including an
HMO, licensed to engage in the business of insurance in a
state and subject to state laws that regulate insurance;
and,
iii) "Protected health information (PHI)" as individually
identifiable health information, which identifies an
individual or can be used to identify an individual.
b) By reference to federal ERISA regulations:
i) "Employer" as any person acting directly as an
employer, or indirectly in the interest of an employer,
in relation to an employee benefit plan;
ii) "Plan" as an employee welfare benefit plan, which
means any plan, fund, or program established or
maintained by an employer or employee organization, or by
both, for the purposes of providing employee benefits,
including but not limited to, health benefits;
iii) "Plan administrator" as the person specifically
designated by the terms of the plan;
iv) "Plan sponsor" as an employer or employee
organization, or joint employer-employee plan or trust;
c) "Governmental entity" as a state agency or political
subdivision of a state; and,
d) "Political subdivision" as a county, municipality,
special-purpose district, or other subdivision of state
government in a limited geographic area.
�
AB 562
Page 4
10)Specifies that any reference to federal statute or
regulations in this bill refers to the statute or regulation
as it existed on January 1, 2009, but authorizes the
Commissioner of the California Department of Insurance (CDI)
and the Director of the Department of Managed Health Care
(DMHC) to by rule, and in consultation, adopt a federal
statute or regulation that was amended, adopted, or enacted at
a later date.
EXISTING LAW :
1)Provides for regulation of health plans by DMHC under the
Knox-Keene Health Care Service Plan Act of 1975 (Knox-Keene)
and for regulation of health insurers by the CDI under the
Insurance Code.
2)Prohibits health plans and health insurers from releasing any
information to an employer that would directly or indirectly
indicate that an employee is receiving or has received
services from a health care provider covered by the health
plan or insurer unless authorized to do so by the employee.
3)Prohibits, under the Confidentiality of Medical Information
Act (CMIA), a provider of health care, health care service
plan, or health care contractor from disclosing a person's
medical information without first obtaining that person's
authorization, except as specified.
4)Requires under the CMIA, notwithstanding 3) above, a health
care provider, health care service plan, or health care
contractor to disclose medical information if required by a
subpoena, search warrant, or other court order. Permits a
provider, plan, or contractor to disclose information in other
specified circumstances, including for purposes of diagnosis
or treatment or as necessary to provide billing or other
administrative services to the provider or plan. Prohibits a
provider, plan, or contractor from disclosing a person's
medical information for marketing purposes, or any other
purpose not necessary to provide health care services to the
patient, without express authorization from that person.
5)Prohibits under the California Insurance Information and
Privacy Protection Act, insurers, including health insurers,
from disclosing any personal or privileged individual
information collected or received in an insurance transaction,
�
AB 562
Page 5
except as specified, including that the information may be
disclosed to insurers, agents, or self-insurers if related to
an insurance transaction involving the individual, as
specified, and to a group policyholder for the purpose of
reporting claims experience or conducting an audit of an
insurer or agent, as specified.
6)Under HIPAA, prohibits, with exceptions, covered entities from
using or disclosing PHI, except pursuant to a written
authorization signed by the patient or for treatment, payment,
or health care operations, and generally requires a covered
entity to make reasonable efforts to limit the use or
disclosure of PHI to the minimum necessary to accomplish the
intended purpose of the disclosure. Defines PHI as
individually identifiable health information which identifies,
or can be used to identify, an individual.
FISCAL EFFECT : This bill has not yet been analyzed by a fiscal
committee.
COMMENTS :
1)PURPOSE OF THIS BILL . According to the author, this bill will
help control health care costs and increase competition in the
health insurance marketplace by giving employers greater
access to more detailed information about health insurance
claims for their employees. The author asserts that this bill
would allow the exchange of meaningful information in a
timelier manner while protecting individual privacy. The
author refers to the requirements in this bill as Loss
Experience Reporting (LER) and argues this bill is intended to
counter the natural information imbalance that occurs when
employers sit down at the negotiating table with health
insurers. Insurers hold all of the actual loss data, and
employers typically have nothing but vague notions of the
extent to which their employees have used medical care in the
past six months or year. The author argues that LER makes the
employer-insurer transaction considerably more transparent,
particularly in price dimensions. In the absence of LER (or
in the presence of voluntary but incomplete loss reporting),
employer groups must generally assume that premium increases
are solely a function of loss experience, without the tools to
determine the extent to which those two things are related.
The author states that in the absence of LER, it is difficult
for employer groups to determine the extent to which premium
�
AB 562
Page 6
increases are driven by loss experience (i.e., actual medical
claims paid) versus changes in the fixed administrative costs
of the insurer. Finally, the author states greater price
transparency will, over time, result in premiums and premium
increases that are more closely aligned with loss experience.
2)BACKGROUND . According to the Privacy Rights Clearinghouse
(PRC) in San Diego, California, many people consider
information about their health to be highly sensitive,
deserving of the strongest protection under the law.
Long-standing laws in many states and the age-old tradition of
doctor-patient privilege have been the mainstay of privacy
protection for decades. The federal HIPAA sets a national
standard for privacy of health information under the Privacy
Rule, but HIPAA only applies to medical records maintained by
health care providers, health plans, and health clearinghouses
- and only if the facility maintains and transmits records in
electronic form. PRC points out that a great deal of
health-related information exists outside of health care
facilities and the files of health plans, and thus beyond the
reach of HIPAA. The extent of privacy protection given to
medical information often depends on where the records are
located and the purpose for which the information was
compiled. The laws that cover privacy of medical information
vary by situation. PRC indicates that confidentiality is
likely to be lost in return for insurance coverage, an
employment opportunity, application for a government benefit,
or an investigation of health and safety at a work site.
Medical records are created when a patient receives treatment
from a health professional such as a physician, nurse,
dentist, chiropractor, or psychiatrist. Records may include a
person's medical history, details about lifestyle (such as
smoking or involvement in high-risk sports), and family
medical history. In addition, medical records contain
laboratory test results, medications prescribed, and reports
that indicate the results of operations and other medical
procedures. Medical records could also include the results of
genetic testing used to predict future health.
3)HIPAA . The privacy regulations enacted pursuant to HIPAA
became effective April 14, 2003. HIPAA Privacy Rules only
apply to covered entities, including health care providers,
health plans and health care clearinghouses, such as medical
billing services. HIPAA applies to covered entities when they
use electronic means to perform HIPAA covered transactions,
including transmission of health claims, remittance and
�
AB 562
Page 7
payment advice, and even simply accessing a health plan's Web
site to check the eligibility of a patient. If a provider or
health plan is covered by HIPAA, then all PHI held by the
provider, whether in paper, oral, or electronic form, is
subject to HIPAA Privacy Rules. HIPAA covers any information
about a person's past, present, or future mental or physical
health including information about payment for health care
services. A person's health information, combined with some
fact that identifies the person, (name, address, telephone
number, social security number, etc.) is referred to as PHI.
PHI can be oral, handwritten, or entered into a computer.
HIPAA generally requires patient authorization to disclose
information for non-treatment purposes, such as to employers,
life insurers, underwriters, or researchers. Under federal
law, patient authorization is not required when medical
information is used for treatment, payment, or health care
operations disclosed as part of specified "business associate"
relationships established through contract. Disclosure for
non-treatment purposes must generally be limited to the
minimum necessary. Under federal law, if a HIPAA provision
conflicts with a provision of state law, the provision that is
most protective of patient privacy prevails.
4)CMIA . As a general rule, under CMIA (Section 56.10 of the
Civil Code), health care providers and Knox-Keene health care
service plans are prohibited from disclosing a patient's
confidential medical information without the consent of the
patient. (Note: health insurers subject to the jurisdiction
of the Insurance Commissioner are covered by Insurance Code
privacy protections related to personal or privileged
information collected or transmitted in an insurance
transaction, but are not subject to CMIA.) However, there
are many exceptions to this rule, where disclosure by the plan
or provider is either required or permitted by law.
Under CMIA, a provider or health plan is required to release
medical record information, even without a patient's written
authorization, to the following:
a) A court pursuant to a court order;
b) A board, commission, or administrative agency for
purposes of resolving a dispute pursuant to its lawful
authority;
c) A party to a proceeding before a court or administrative
agency pursuant to an investigative subpoena;
�
AB 562
Page 8
d) An arbitrator or arbitration panel, when arbitration is
lawfully requested by either party pursuant to a subpoena;
e) A government law enforcement agency pursuant to a search
warrant;
f) A patient or the patient's representative;
g) A coroner, when requested, as specified; and,
h) If otherwise specifically required by law.
Under CMIA, a health plan or health care provider ma y, in
their discretion, release medical information about without
the patient's written authorization to the following entities
in the following limited circumstances:
i) Billing, claims management, medical data processing, or
other administrative services for the health care provider
or health plan;
j) Employers, insurers, health plans or other entities
responsible for paying for health care, as specified, and
to the extent necessary to allow for payment to be
determined and made;
aa) Organizations or professional societies that review the
competence or qualifications of health care professionals;
bb) Any private or public body responsible for licensing or
accrediting health care providers or health plans for
review at the premises of the health care provider or
health plan;
cc) Agencies, investigators, and educational and research
organizations engaged in bona fide research projects
provided that the recipient does not further disclose a
person's identity;
dd) An employer who has paid for employment-related health
care services in connection with a lawsuit or arbitration
dispute where the medical condition is an issue, provided
that the information is disclosed only in connection to the
proceeding, or when used to determine entitlement to leave
from work for medical reasons or physical limitations that
prevent a person from performing his or her job;
ee) The sponsor, insurer, or administrator of a group or
individual health plan for the purpose of evaluating an
application for coverage of benefits;
ff) A health care service plan to other health care
providers for purpose of administering the plan;
gg) Probate officers or domestic relations investigators for
the purposes of determining the need for a conservatorship
or guardianship;
�
AB 562
Page 9
hh) Organ procurement organizations or tissue banks for
purpose of aiding a transplant;
ii) Federal Food and Drug Administration when medical
information relates to problems with drug products or
medical devices;
jj) Disaster relief organizations for the purpose of
responding to disaster welfare inquiries, but only basic
information such as name, city of residence, age, sex, and
general condition may be disclosed;
aaa) Third parties for purposes of encoding, encrypting, or
otherwise making information anonymous; and,
bbb) Disease management organizations that provide services
to patients in order to improve their overall health in
accordance with certain practice guidelines to which a
physician refers a patient.
5)SUPPORT . The California Association of Health Underwriters
(CAHU) writes in support of the introduced version of this
bill because employers often ask their agent why the group
receives a large premium increase at renewal. CAHU contends
that without specific claims information on that group the
agent is unable to explain the underwriting decision to
increase rates. Without claims information, an employer group
is at a distinct disadvantage when shopping for other coverage
as other carriers typically request three years of claims data
in order to underwrite the group. Without claims information,
CAHU argues the carriers usually quote "book" rates which may
be substantially higher that the rates that would be quoted if
the carriers had the claims data required to be provided under
this bill. CAHU argues that insurance agents must have the
claims data in order to find the benefits and price that are
best for the specific employer. According to CAHU, this bill
will allow agents to assist employers in retaining health
insurance, finding the right benefits, and controlling costs.
6)OPPOSE UNLESS AMENDED . Kaiser Permanente opposes this bill
unless it is amended to eliminate the requirement that health
plans disclose individually identifiable medical information
to group health plans, plan sponsors, or plan administrators.
According to Kaiser, this bill compels the disclosure of
private, individually-specific medical information to most
purchasers of health coverage, specifically compelling
disclosure of health claims information about individuals
whose claims exceed $20,000 in a given year, including an
itemized list of the specific medical procedures and diagnoses
�
AB 562
Page 10
for that individual. Kaiser asserts that such disclosures
undermine existing privacy protections imposed by the
California CMIA and violate the California Constitution's
protection of the right of privacy set forth in Article I,
Section 1. Kaiser argues that it is inappropriate for the
Legislature to compel the disclosure of such personal and
intimate information, without the express written
authorization of the individuals whose medical information is
being shared. According to Kaiser, it is especially
inappropriate given the harm that individuals are likely to
sustain when their medical information is shared with their
employers, or other large purchasers of health care coverage.
7)OPPOSITION . Health plans and health plan organizations write
in opposition to the introduced version of this bill which
they argue would put health plans in the difficult position of
being in conflict with both state and federal laws. The
California Association of Health Plans (CAHP) writes that this
bill could result in unintended consequences and legal
implications for health plans required to disclosure
individual and not just aggregate information. CAHP expresses
concern that a health plan that complies the requirement in
this bill to provide individual claims information could
possibly make the health plan liable for and subject to legal
action under the right of privacy in the California
Constitution, Article 1, Section 1. CAHP also argues that,
even if this bill is technically legal, implementing the
provisions under the specified timeframes would be very
difficult. CAHP points out that while health plans are aware
of the claims they pay directly, they may not know all of the
claims experience of an employer group if the care is
delivered under a delegated arrangement with a contracted
medical group or provided in an emergency setting. Health Net
writes in opposition to the introduced version that the
additional administrative expense of producing the loss
experience reports could be significant, especially if health
plans are overwhelmed by requests for detailed claims
information.
8)RELATED LEGISLATION . AB 952 (Krekorian) would create an
exception in CMIA and specifically authorize a health care
service plan to disclose summary health information and PHI to
a third party administrator or employee welfare benefit plan,
to the extent authorized by, and in a manner consistent with,
�
AB 562
Page 11
HIPAA. AB 952 is scheduled to heard in Assembly Health
Committee on May 5, 2009.
9)QUESTIONS AND COMMENTS .
a) Disclosure of individual information . The author's
stated intent in the most recent amendments was to limit
this bill by requiring health plans to disclose aggregate
but not individual claims data. However, this bill still
requires health plans to provide a separate description and
individual claims report for any individual whose total
paid claims exceed $20,000 during the 12-month period
preceding the date of the report, including, for that
individual, the amounts paid during the previous 12-month
period and the applicable procedure codes and diagnosis
codes. This information may be PHI because it can
potentially result in identification of a specific
individual. What is the rationale for disclosure of
individual claims data? If the primary purpose of
requiring claims data to be disclosed is access to the
claims experience of the group for insurance purchasing
purposes, as suggested by proponents, why is aggregate
claims data not adequate?
b) Legal Conflicts . In addition to the potential for
conflict with numerous state and federal laws, this bill on
the one hand requires health plans to provide specified
aggregate and individual claims data but then prohibits the
same health plans from disclosing any information
prohibited under another state or federal law that imposes
more stringent privacy restrictions than HIPAA. Under
current law, CMIA does impose more stringent restrictions
relating to the disclosure of PHI than HIPAA. What would
be the purpose of imposing a requirement to disclose and
then prohibiting the health plans from implementing the
disclosure requirement in the same bill? What is the
intent and what would be the impact of establishing this
inherent legal conflict in this bill?
c) Drafting and interpretation challenges . The definitions
and terms in this bill are included by reference to a
variety of federal statutes and regulations but have no
analogous provisions in California law. For example, the
federal definition of health insurance issuer includes any
insurer subject to state laws, which presumably includes
�
AB 562
Page 12
health plans and health insurers because both are subject
to HIPAA, and this bill amends the relevant statutes,
Knox-Keene and the Insurance Code. In addition, this bill
imposes the same disclosure requirements on health plans
and health insurers which are subject to different state
privacy laws, CMIA and the Insurance Information and
Privacy Protection Act. This bill establishes new civil
penalties in both Knox-Keene and the Insurance Code to be
assessed against "health insurance issuers." Within the
context of multiple, complex, and overlapping state and
federal privacy laws, the amendments to Knox-Keene and the
Insurance Code in this bill are inconsistent with the
terminology in those bodies of law and may create further
uncertainty and confusion about implementation and
enforcement.
10)TECHNICAL AMENDMENT . On page 4, line 21, delete "and (6)"
and on page 9, line 30, delete "and (6)." There is no
subdivision (6) in either section.
11)DOUBLE REFERRAL . This bill has been double-referred. Should
this bill pass out of this committee, it will be referred to
the Assembly Judiciary Committee.
REGISTERED SUPPORT / OPPOSITION :
Support
California Association of Health Underwriters (prior version)
Small Business Owners Association (prior version)
Oppose unless amended
Kaiser Permanente
Opposition
California Association of Health Plans (prior version)
Health Net (prior version)
Analysis Prepared by : Deborah Kelch / HEALTH / (916) 319-2097