BILL ANALYSIS �
AB 1976
Page 1
Date of Hearing: April 13, 2010
ASSEMBLY COMMITTEE ON HEALTH
William W. Monning, Chair
AB 1976 (Cook) - As Introduced: February 17, 2010
SUBJECT : Health care coverage: report of claim information.
SUMMARY : Requires a health plan or health insurer to, upon
written request from a group subscriber or group policyholder,
provide a report of specified aggregate and individual health
care claim information to the subscriber or policyholder within
30 days after receipt of the request, as specified.
Specifically, this bill :
1)Requires a health plan or health insurer that receives a
written request for a written report of claim information,
made on or after July 1, 2011, from a group subscriber or
policyholder to provide the report no later than 30 days after
receipt of the request. Prohibits the plan or insurer from
being required to provide the report more than twice in a
12-month period.
2)Requires the health plan or health insurer to provide the
report pursuant to 1) above by one of the following means:
a) In a written report;
b) Through an electronic file transmitted by secure
electronic mail or a file transfer protocol site; or,
c) By making the required information available through a
secure Internet Web site or Web portal accessible by the
requesting plan, plan sponsor, or plan administrator.
3)Requires the report of claim information to contain all
information available to the health plan or health insurer for
the 36-month period preceding the date of the report, or the
entire coverage period, whichever is shorter, except for the
requirement in 4) below, and requires the report to include
the following, after removing any individually identifiable
information:
a) Aggregate paid claims experience by month, including,
but not limited to, claims experience for medical, dental,
and pharmacy benefits, including capitation costs or
payments in the case of health maintenance organizations,
�
AB 1976
Page 2
as applicable. Requires the health plan or health insurer
to use $20,000 as the pooling point for aggregate
reporting;
b) Total premiums paid by month;
c) The total number of covered employees on a monthly basis
by coverage tier, including whether the coverage was for
one of the following:
i) An employee only;
ii) An employee with dependents only;
iii) An employee with a spouse only;
iv) An employee with a spouse and dependents; and,
v) The total dollar amount of claims pending as of the
date of the report.
d) A separate description and individual claims report for
any individual whose total paid claims exceed $20,000
during the 12-month period preceding the date of the
report.
4)Requires the report pursuant to the individual claimant in 3)
d) above to include the amounts paid during the previous
12-month period; and, the applicable procedure codes and
diagnosis codes.
5)Prohibits a health plan or health insurer from disclosing any
information in the report required by this bill if the
disclosure is prohibited under another state or federal law
that imposes more stringent privacy restrictions than those
imposed under the federal Health Insurance Portability and
Accountability Act (HIPAA).
6)If the request for claims information pursuant to 3) above is
received after the termination date of the group health plan
or group insurance policy, the report required by this bill
must contain all information available to the health plan or
health insurer for the 36-month period described in 3) above.
Requires the report to include the information described in 3)
above, excluding any individually identifiable health
information.
7)Specifies that, in order to be entitled to receive the report
in 6) above, the group subscriber or group policyholder must
request the report on or before the second anniversary of the
�
AB 1976
Page 3
termination of coverage.
8)Specifies that a report of claim information provided pursuant
to this bill by or to a state or local agency, as defined, is
confidential and exempt from public disclosure, as specified.
9)Imposes unspecified administrative penalties assessed by the
Department of Managed Health Care (DMHC) or California
Department of Insurance (CDI) on health plans or health
insurers that fail to comply with this bill, subject to
appropriate notice of, and opportunity for, a hearing, as
specified.
10)Exempts specialized health plans and health insurance
policies from the requirements of this bill.
11)Specifies that any reference to federal statute or
regulations in this bill refers to the statute or regulation
as it existed on January 1, 2010, but authorizes the Director
of DMHC and the Commissioner of CDI to, by rule, and in
consultation, adopt a federal statute or regulation that was
amended, enacted, or adopted at a later date.
12)Defines various terms for purposes of this bill.
EXISTING LAW :
1)Provides for regulation of health plans by DMHC under the
Knox-Keene Health Care Service Plan Act of 1975 (Knox-Keene)
and for regulation of health insurers by the CDI under the
Insurance Code.
2)Prohibits, under the Confidentiality of Medical Information
Act (CMIA), a health care provider, health plan, or health
care contractor from disclosing a person's medical information
without first obtaining that person's authorization, except as
specified.
3)Requires under the CMIA, notwithstanding 2) above, a health
care provider, health plan, or health care contractor to
disclose medical information if required by a subpoena, search
warrant, or other court order. Permits a provider, plan, or
contractor to disclose information in other specified
circumstances, including for purposes of diagnosis or
treatment or as necessary to provide billing or other
administrative services to the provider or plan. Prohibits a
�
AB 1976
Page 4
provider, plan, or contractor from disclosing a person's
medical information for marketing purposes, or any other
purpose not necessary to provide health care services to the
patient, without express authorization from that person.
4)Prohibits under the California Insurance Information and
Privacy Protection Act, insurers, including health insurers,
from disclosing any personal or privileged individual
information collected or received in an insurance transaction,
except as specified, including that the information may be
disclosed to insurers, agents, or self-insurers if related to
an insurance transaction involving the individual, as
specified, and to a group policyholder for the purpose of
reporting claims experience or conducting an audit of an
insurer or agent, as specified.
5)Prohibits, under HIPAA, with exceptions, covered entities from
using or disclosing protected health information (PHI), except
pursuant to a written authorization signed by the patient or
for treatment, payment, or health care operations, and
generally requires a covered entity to make reasonable efforts
to limit the use or disclosure of PHI to the minimum necessary
to accomplish the intended purpose of the disclosure. Defines
PHI as individually identifiable health information which
identifies, or can be used to identify, an individual.
FISCAL EFFECT : This bill has not yet been analyzed by a fiscal
committee.
COMMENTS :
1)PURPOSE OF THIS BILL . According to the author, this bill will
help control health care costs and increase competition in the
health insurance marketplace by giving employers greater
access to more detailed information about health insurance
claims for their employees. The author asserts that this bill
would allow the exchange of meaningful information in a
timelier manner while removing any individually-identifiable
information. The author states that the requirements in this
bill are modeled after loss experience reporting (LER)
legislation in other states. Typically, according to the
author, LER requires health insurance carriers to provide
employer groups with detailed summary statements of the
medical care claims paid over the course of the contract and,
in part, this claims data helps to establish a health
�
AB 1976
Page 5
insurance premium. The author argues this bill is intended to
counter the natural information imbalance that occurs when
employers sit down at the negotiating table with health
insurers. Insurers hold all of the actual loss data, and
employers usually have nothing but vague notions of the extent
to which their employees have used medical care in the past
six months or year. The author argues that LER brings
considerably more transparency to the employer-insurer
transaction, particularly with regard to price dimensions.
The author states that in the absence of LER (or in the
presence of voluntary but incomplete loss reporting), employer
groups must generally assume that premium increases are solely
a function of loss experience, without the tools to determine
the extent to which those two things are related. The author
maintains that, without LER, it is difficult for employer
groups to determine the extent to which premium increases are
driven by loss experience (i.e., actual medical claims paid)
versus changes in the fixed administrative costs of the
insurer. Furthermore, the author states that the transparency
associated with LER has the potential to force health plans
and insurers to explain factors unrelated to direct loss
experience and will, over time, result in premiums and premium
increases that are more closely aligned with loss experience.
2)BACKGROUND . According to the Privacy Rights Clearinghouse
(PRC) in San Diego, California, many people consider
information about their health to be highly sensitive,
deserving of the strongest protection under the law.
Long-standing laws in many states and the age-old tradition of
doctor-patient privilege have been the mainstay of privacy
protection for decades. The federal HIPAA sets a national
standard for privacy of health information under the Privacy
Rule, but HIPAA only applies to medical records maintained by
health care providers, health plans, and health clearinghouses
- and only if the facility maintains and transmits records in
electronic form. PRC points out that a great deal of
health-related information exists outside of health care
facilities and the files of health plans, and thus beyond the
reach of HIPAA. The extent of privacy protection given to
medical information often depends on where the records are
located and the purpose for which the information was
compiled. The laws that cover privacy of medical information
vary by situation. PRC indicates that confidentiality is
likely to be lost in return for insurance coverage, an
employment opportunity, application for a government benefit,
�
AB 1976
Page 6
or an investigation of health and safety at a work site.
Medical records are created when a patient receives treatment
from a health professional such as a physician, nurse,
dentist, chiropractor, or psychiatrist. Records may include a
person's medical history, details about lifestyle (such as
smoking or involvement in high-risk sports), and family
medical history. In addition, medical records contain
laboratory test results, medications prescribed, and reports
that indicate the results of operations and other medical
procedures. Medical records could also include the results of
genetic testing used to predict future health.
3)HIPAA . The privacy regulations enacted pursuant to HIPAA
became effective April 14, 2003. HIPAA Privacy Rules only
apply to covered entities, including health care providers,
health plans and health care clearinghouses, such as medical
billing services. HIPAA applies to covered entities when they
use electronic means to perform HIPAA covered transactions,
including transmission of health claims, remittance and
payment advice, and even simply accessing a health plan's Web
site to check the eligibility of a patient. If a provider or
health plan is covered by HIPAA, then all PHI held by the
provider, whether on paper, oral, or electronic form, is
subject to HIPAA privacy rules. HIPAA covers any information
about a person's past, present, or future mental or physical
health including information about payment for health care
services. A person's health information, combined with some
fact that identifies the person, (name, address, telephone
number, social security number, etc.) is referred to as
protected health information or PHI. PHI can be oral,
handwritten, or entered into a computer. HIPAA generally
requires patient authorization to disclose information for
non-treatment purposes, such as to employers, life insurers,
underwriters, or researchers. Under federal law, patient
authorization is not required when medical information is used
for treatment, payment, or health care operations disclosed as
part of specified "business associate" relationships
established through contract. Disclosure for non-treatment
purposes must generally be limited to the minimum necessary.
Under federal law, if a HIPAA provision conflicts with a
provision of state law, the provision that is most protective
of patient privacy prevails.
4)CMIA . As a general rule, under CMIA (Section 56.10 of the
Civil Code), health care providers and Knox-Keene health plans
�
AB 1976
Page 7
are prohibited from disclosing a patient's confidential
medical information without the consent of the patient.
(Note: health insurers subject to the jurisdiction of the
Insurance Commissioner are covered by Insurance Code privacy
protections related to personal or privileged information
collected or transmitted in an insurance transaction, but are
not subject to CMIA.) However, there are many exceptions to
this rule, where disclosure by the plan or provider is either
required or permitted by law.
Under CMIA, a provider or health plan is required to release
medical record information, even without a patient's written
authorization, to such entities under specified circumstances
as a court; a board, commission, or administrative agency; a
party to a proceeding before a court or administrative agency;
an arbitrator or arbitration panel; a law enforcement agency;
a patient or the patient's representative; a coroner; and, if
otherwise specifically required by law. CMIA also specifies
that a health plan or health care provider ma y, at their
discretion, release medical information without the patient's
written authorization to certain specified entities under very
specific limited circumstances.
5)SUPPORT . The California Association of Health Underwriters
(CAHU) writes in support that employers often ask their agent
why the group receives a large premium increase at renewal.
CAHU contends that, without specific claims information on
that group, the agent is unable to explain the underwriting
decision to increase rates. According to CAHU, without claims
information, an employer group is at a distinct disadvantage
when shopping for other coverage as other carriers typically
request three years of claims data in order to underwrite the
group. CAHU maintains that, without claims information,
carriers usually quote "book" rates which may be substantially
higher than the rates that would be quoted if the carriers had
the claims data required under this bill. CAHU argues that
insurance agents must have the claims data in order to find
the benefits and price that are best for the specific
employer. CAHU asserts that this bill will allow agents to
assist employers in retaining health insurance, finding the
right benefits, and controlling costs.
6)OPPOSE UNLESS AMENDED . Kaiser Permanente opposes this bill
unless it is amended to eliminate the requirement that health
plans disclose individually identifiable medical information
�
AB 1976
Page 8
to group health plans, plan sponsors or plan administrators.
According to Kaiser, this bill compels the disclosure of
private, individually-specific medical information to most
purchasers of health coverage, specifically compelling
disclosure of health claims information about individuals
whose claims exceed $20,000 in a given year, including an
itemized list of the specific medical procedures and diagnoses
for that individual. Kaiser asserts that such disclosures
undermine existing privacy protections imposed by the CMIA and
violate the California Constitution's protection of the right
of privacy. Kaiser argues that it is inappropriate for the
Legislature to compel the disclosure of such personal and
intimate information, without the express written
authorization of the individuals whose medical information is
being shared. According to Kaiser, it is especially
inappropriate given the harm that individuals are likely to
sustain when their medical information is shared with their
employers or other large purchasers of health care coverage.
7)OPPOSITION . Health plans and health insurers object to this
bill because they contend that it places them in the unfair
position of either providing relatively detailed individual
claims data to employers or running afoul of state or federal
law. Opponents point out that this bill requires plans and
insurers to provide to employers separate individual claims
reports, including the applicable procedure and diagnostic
codes for that individual's procedures, and should they fail
to do so, they would be subject to unspecified administrative
penalties from their respective regulators. They question if
such detailed individual claims experience data is necessary
for policy price comparisons or to determine whether or not a
company could self-insure. Additionally, opponents state that
it would be difficult for them to comply with the timelines
for disclosure under this bill, as some of the data is
difficult to collect. Lastly, they add that the additional
administrative expenses of producing these loss experience
reports could be significant, especially if they are
overwhelmed by requests for detailed claims information. They
note that these costs could otherwise be used to provide
actual health care services.
8)PRIOR LEGISLATION . AB 562 (Cook) of 2009 would have required
a health insurance issuer to, upon request, provide specified
aggregate and individual health care claims information, for
�
AB 1976
Page 9
employers with more than 50 employees, to an employee welfare
benefit plan (maintained by an employer or employee
organization), joint employer-employee plan, a governmental
entity, or plan administrator, as specified. AB 562 failed
passage in the Assembly Health Committee.
9)DOUBLE REFERRAL . This bill has been double-referred. Should
this bill pass out of this committee, it will be referred to
the Assembly Judiciary Committee.
10)POLICY QUESTIONS AND COMMENTS .
a) Disclosure of individual information . This bill
requires health plans and health insurers to provide a
separate description and individual claims report for any
individual whose total paid claims exceed $20,000 during
the 12-month period preceding the date of the report,
including, for that individual, the amounts paid during the
previous 12-month period and the applicable procedure and
diagnosis codes. This information may be PHI because it
can potentially result in identification of a specific
individual. What is the rationale for disclosure of
individual claims data? If the main purpose of the
disclosure of claims data required by this bill is access
to the claims experience of group subscribers and group
policyholders for insurance purchasing purposes, why is
aggregate data not sufficient?
b) Legal Conflicts . In addition to the potential for
conflict with numerous state and federal laws, this bill on
the one hand requires health plans to provide specified
aggregate and individual claims data but then prohibits the
same health plans from disclosing any information
prohibited under another state or federal law that imposes
more stringent privacy restrictions than HIPAA. Under
current law, CMIA does impose more stringent restrictions
relating to the disclosure of PHI than HIPAA. What is the
purpose of imposing disclosure requirements and then
prohibiting plans and insurers from implementing the
requirements in the same bill?
REGISTERED SUPPORT / OPPOSITION :
Support
�
AB 1976
Page 10
California Association of Health Underwriters
Oppose unless amended
Kaiser Permanente
Opposition
Association of California Life & Health Insurance Companies
California Association of Health Plans
Health Net
Analysis Prepared by : Cassie Rafanan / HEALTH / (916)
319-2097