Chapter 6: Laws Versus Regulations: the American Administrative Leviathan’s Outsized Impact.
I teach a graduate level class at The University of Texas at Dallas to students seeking their Masters of Healthcare Leadership and Administration, entitled Healthcare Law, Policy and Regulation. I’ve always thought it should be “Regulation” first, since there’s a hell of a lot more regulation in health law than law. One of my exam questions is, what’s the most legitimate complaint about the administrative state: that it lacks technical legitimacy, democratic legitimacy, or constitutional legitimacy? Presumably, the agencies are full of people with technical expertise. And they are headed by a democratically-elected president. But the Constitution never envisioned the vast federal bureaucracy. But here we are.
For decades, Congress has virtually failed to legislate. While Twain’s aphorism (“Nobody’s life, liberty or property is safe while Congress is in session”) still rings true, when things do need fixing (at least on a national level), it may require Congress to fix them. Legislating is hard: it’s usually an attempt to fix a problem, often an intractable one. And even if the true causes are known and there’s political will to actually address them, all actions have collateral, often unexpected or at least unintentional, effects. So in recent years, Congress has been content to highlight the problem, perhaps even point in a general direction for a fix, and task the administrative agencies to actually do the true legislating with regulations that are given the effective force of law. The result is that the Executive Branch does the job the Legislative Branch is tasked with in the Constitution. HIPAA is a prime example of that.
As I noted above, the original 1996 HIPAA statute gave Congress 2 years to come up with the Privacy Rule; obviously, that didn’t happen, so the heavy lifting of HIPAA was done by HHS: the Privacy Rule, as well as the Security Rule. Despite gripes by Senators Clinton and Kennedy, Congress never did anything to revise HIPAA from 1996, until the HITECH Act in 2009. As a result, HIPAA isn’t nearly so much a matter of law, but a matter of regulation.
HITECH itself was a part of the American Recovery and Reinvestment Act (known colloquially as the Stimulus Bill, and derisively as the Porkulus Bill), intended to help the US economy “recover” from the 2008 recession. It was, in fact, a horrific example of how not to pass legislation. Drunk on the success of the Obama election and majorities in the House and Senate (including a filibuster-proof 60 Senate seats), Democrats were determined to push through highly partisan bills stuffed to the gills with any and all wish-list items, the worst of which were HITECH and the even-worse Obamacare. HITECH was largely drafted by lobbyists, ran thousands of pages long, and was passed despite the fact that no lawmaker had read it. In fact, while it was being debated in the Senate, the copy under debate was amended by pen to fix a calculation error that hadn’t been discovered before the debate copy was printed. I guess that’s the government we deserve . . . (although the gods of the copybook headings would ask, “who won the next election?”).
HIPAA wasn’t the main focus of HITECH, but HITECH was the first statutory amendment to HIPAA. Did it wrap up needed changes? Of course not; additional regulations were needed in the form of the Omnibus Rule, finalized in January 2013. But HITECH did address a few specific fixes:
Business Associates: as noted above, business associates weren’t covered by HIPAA initially, and HHS had to invent the concept in the Privacy Rule and make them “contractually” obligated to follow HIPAA. HITECH made Business Associates directly liable for certain obligations under HIPAA, but it didn’t actually define what a Business Associate is; rather, it adopted the regulatory definition of HHS. It’s just not right that a Congressional statute depends for its defined terms on the regulatory agency. What if the agency changes the definition to something Congress didn’t intend? By definition (heh), this is a delegation of legislative authority.
Breach Notification: This probably deserves its own entry (number 21? 22?). HITECH added the breach notification requirement as well. As more fully discussed in Chapter 3 above, after California began the series of state data breach notification laws, HITECH added in a similar requirement with respect to HIPAA breaches. It must be a breach of unsecured PHI to be reportable, and while the definition of what constitutes a breach is pretty broad, there are several exceptions for common, low-harm occurrences. You’ll note that this approach is similar to the Privacy Rule’s basic “Rule” (see Chapter 9): state a general principle, but allow exceptions for common or anticipated events that aren’t problematic under the general principle. The first of the breach notification regulations did provide a very generous reportability exception for breaches that had a “low risk of financial, reputational, or other harm,” which those of us who follow HIPAA for a living considered an Easter Egg, but it didn’t last; when the Omnibus Rule was passed, the “low risk of harm” standard was replaced with a “low risk of compromise” threshold, with 4 factors considered in determining the risk level: the identifiability of the PHI (but not the sensitivity; PHI is PHI whether it’s your perfectly normal blood pressure readings or your bizarre sexually-transmitted diseases), the entity receiving the PHI, whether the PHI was actually viewed, and whether the incident could be mitigated. Low risk of compromise is still a wild card, but it’s not nearly as broadly encompassing as low risk of harm.
The “Hide” Rule: This is clearly the stupidest part of the HITECH Act, and was most clearly written by activists without a clue as to how healthcare information is normally used. The rule doesn’t really have a name, but I’ve deemed it the “hide” rule because its sole purpose is to allow a patient to hide information from his insurer. You know, I don’t like insurers either, but this is ridiculous. The language of the statute is sloppy and imprecise: it says if the individual “pays in full, out of pocket” for a medical service, and asks the provider to not provide information about the service to the patient’s insurer, the provider must comply. What if the patient is wearing an outfit without pockets? What if she takes her wallet out of her purse; is that a payment “out of pocket”? That’s not the type of language that should end up in a statute; it’s stupid, and shows what a clown show the entire HITECH process was. Laws should be specific and accurate; there’s no purpose for a “c’mon, you know what I meant” component of a law: if the law does not clearly and unambiguously state the requirements for compliance, it should not even be enforceable. But they felt good about it: “let’s stick it to the man!” But when it’s activists writing the legislation, what you’ll get is emotion, not logic.
Not only is the hide rule poorly composed, it doesn’t make any sense. If the patient pays for the first procedure “out of pocket” but wants the second one charged to insurance, or if the procedure results in the need for further care or prescription drugs, the insurer will rightfully decline to pay: there’s no medical necessity for the second procedure if there wasn’t a first procedure. Even HHS, when drafting the hide rule regulations, threw up their hands and told providers to just do their best. Like I said, ridiculous.
Potpourri: There were a handful of other components in HITECH and the Omnibus Rule, such as stricter limitations on sales of PHI, revisions to marketing requirements, genetic information issues. These were more incremental, as might be expected of an administrative agency fine-tuning existing rules.
There will be more regulations, certainly. In fact, some components of HITECH are still in limbo, awaiting new regulations. HITECH required covered entities using an EMR to provide an accounting of all treatment, payment, and healthcare operations disclosures, which were originally exempted from the disclosure requirement. The geniuses who wrote HITECH thought that if you used an EMR, you’d be able to track all disclosures, so that accounting for TPO disclosures would be easy. But that’s not true for most EMRs, and for those where it’s possible, it’s often logistically difficult. HHS proposed rules to address this, and to require accountings not just of disclosures, but of all access to a medical record; those proposed regulations were met with such objection from the industry that HHS quickly surrendered and pulled the regulations, promising to revise and republish them. It’s been almost 10 years, but there’s been no more action on an expansion of the accounting rule (trust me, that’s actually a good thing).
HITECH also set up a structure for victims of harm caused by a HIPAA violation to receive a portion of the fine levied by OCR. As you may know, there’s no private cause of action for a HIPAA breach, so while OCR can levy a multi-million dollar fine, the individual injured by the HIPAA violation gets nothing. However, OCR does get to keep the fines and they go towards OCR’s general budget. Congress tried to fix that, not by giving the patient (and the plaintiff’s bar) a private cause of action, but by allocating some of the fine to a type of restitution to the victim. However, HHS hasn’t drafted regulations yet to explain how that might work. Hmm, I wonder why not?
There are also some non-HITECH changes that should be expected (revisions to the Notice of Privacy Practice standards were actually published by the Trump administration, but have been pulled back off the table by the Biden administration). Certainly, there will be more to come from HIPAA. But statutory changes are not likely. Any revisions will almost certainly be from the administrative branch.