The Health Insurance Portability and Accountability Act: more than we bargained for, and less.
Today, the bill's sponsors have good reason to be modest about its portability achievements: HIPAA provided little, if any, help to vulnerable consumers seeking more affordable health insurance options. It did create a false sense of security that lulled many buyers into getting less value for their insurance dollar. HIPAA tried to lock an outdated, employer-based insurance market structure into place. It stifled promising market innovations such as medical savings accounts (MSAs). Most recently, it has confronted proposed defined contribution health plans with legal uncertainties about how they might be regulated.
Meanwhile, the accountability side of HIPAA launched an expansion of the federal government's role in controlling private health arrangements and reversed decades of regulatory deference to the states. Its vague statutory language set in motion a nearly incomprehensible maze of federal health privacy regulations that promised little in the way of effective privacy protection, yet imposed extraordinary compliance burdens. The HIPAA "privacy" regulations issued in April 2001 and modified slightly in March 2002 actually granted government officials greater access to personal health information.
HIPAA also sought to lower health care costs by reducing "fraud and abuse." It incorporated a number of the 1993 Clinton health plan's proposed criminal and civil sanctions against physicians and other health care providers. HIPAA federalized health fraud law, stiffened penalties, ramped up spending committed to fraud control, and stimulated an unprecedented number of enforcement actions. Instead of improving prepayment claims review processes in federal health programs, it used the threat of severe sanctions to criminalize billing disputes and coerce discounts after the fact.
When HIPAA came before Congress, members were eager to gain credit for positive health care accomplishments that would not appear to cost taxpayers any money and did not threaten to overhaul the entire health care system. Relatively minor health insurance regulatory reforms that addressed the anxieties of middle-class voters offered a politically popular fix. So HIPAA was sold with the promise that it would reduce job lock by restricting preexisting condition exclusions or other "health status" discrimination that might otherwise jeopardize insurance coverage for workers whenever they changed jobs.
Legislators did not mention that HIPAA could not guarantee that a worker's next employer would offer health insurance coverage. Nor did HIPAA control what insurers would charge for group coverage. At best, it promised guaranteed access, not affordability, because it left rate regulation up to individual states. In the fragile small-group market, HIPAA did little harm because it also provided little help. By aiming at a small problem (fewer than 1 percent of the population was likely to be denied health insurance for medical reasons), and offering largely illusory solutions, HIPAA had little overall effect on rates of insurance coverage, job mobility, or insurance prices. Tight labor markets and a booming economy throughout the second half of the last decade delivered higher levels of private coverage--not HIPAA.
For insurance portability, HIPAA largely codified at the federal level what most states had already done. HIPAA's time limits on pre-existing condition exclusions matched or exceeded the existing practices of most private insurers. HIPAA's insurance reforms for the traditionally less-regulated individual market were even more cosmetic. Before HIPAA, most individual policies already were guaranteed renewable.
While most observers focused on HIPAA's superficially appealing, but ultimately hollow, portability promises, the legislation launched a host of new federal regulatory burdens on private health care delivery. HIPAA's restrictive demonstration project for MSAs slowed the growth of the overall MSA market. HIPAA's arsenal of new federal health care offenses and increased funding for fraud and abuse control expanded the criminalization of medical practice.
As the current Congress considers patients' bill of rights legislation that would add a new round of federal regulatory controls over private managed care insurance, this special issue of the Cato Journal examines the HIPAA record. All but one of the articles ("Defined Contribution," by E. Haavi Morreim) was originally presented at the Cato Institute conference, "Making A Federal Case Out of Health Care: Five Years of HIPAA," held in Washington on July 31, 2001.
Dick Armey, House Majority Leader, places HIPAA in its appropriate political context as the first health policy legislation passed by a new Republican majority that found itself in control of both houses of Congress for the first time in more than 40 years. He acknowledges that HIPAA was a mistake that had unintended consequences. Its promise to make insurance more portable was oversold, but it set a dangerous precedent for federal regulation of health insurance, expanded government access to medical records, and overshot the mark in cracking down on health fraud. Armey finds that the policy lessons to be learned from the mistakes of HIPAA include making MSAs permanent, workable, and universal; reforming the tax treatment of health care; and giving workers more choice and control through defined contribution health plan options.
Health privacy regulations triggered by HIPAA are the subject of a pair of papers. Richard Epstein, professor of law at the University of Chicago, observes that HIPAA reversed a tradition of favoring the free flow of medical information for reasonable uses within customary channels. Instead of relying on sanctions imposed after the fact to address identifiable harm, HIPAA imposed ex ante regulation of how health information is disclosed and used. Epstein notes that HIPAA launched a massive round of government regulation to solve a wide range of problems without any evidence of systemic and sustained abuse. He warns that even a modest version of HIPAA's privacy rules could become a permanent impediment on the operation of private sector health care and provide political momentum for its ultimate nationalization.
Fred Cate, professor of law at Indiana University--Bloomington, emphasizes that the HIPAA privacy rules ignore many of the lessons we have learned from experience with other privacy laws and regulations. He finds that the HIPAA rules fail to use clear and narrow definitions. They ignore the concept of harm and rely too much on burdensome notice and consent rules. Cate warns that the costs of HIPAA privacy regulation will reduce access to medical care, compromise its effectiveness, and slow the pace of medical research and innovation. He recommends that HIPAA regulators should apply legal requirements for medical privacy consistently, instead of actually reducing the standard by which the government may obtain access to health information. Privacy law again should focus more on preventing intrusion by the government, because only the government collects and uses information free from market competition and consumer preferences.
The next set of articles reviews the promises versus the results of HIPAA's insurance portability reforms. Mark Pauly, professor of health care systems at the University of Pennsylvania's Wharton School, focuses primarily on HIPAA's rules for the individual insurance market. He finds that they mostly forbid practices that rarely happen anyway, but they impose substantial administrative costs and create a false sense of security. Pauly concludes that strengthening incentives for better information disclosure, relying more on reputation formation, and redesigning the tax financing of health care access are preferable to designing ponderous regulatory schemes.
Mark Hall, professor of law and public health at Wake Forest University, notes that HIPAA's small-group insurance access provisions at best created modest gains but with hidden costs. For example, HIPAA's insistence that employer-supported health insurance be regulated as group insurance forecloses or deters potential market innovations like defined contribution health plans that blur the distinctions between the individual and group markets. Portability provisions such as guaranteed issue that allow small groups to easily leave insurers when they receive steep rate hikes may encourage "low-balling" price competition and increase market volatility. Complex regulatory schemes are required to make HIPAA's insurance reforms functional. Hall concludes that HIPAA may have increased accessibility to insurance in the small-group market, but it did not help affordability problems there.
Two other articles analyze potential health policy reforms in the post-HIPAA world. The first article, which I authored, reviews the growing role of federal regulators in health care policy and proposes several reforms to bypass centralized regulation of private health insurance: including greater parity in the tax treatment of health care financing arrangements, market-based pooling options that provide long-term protection against changes in individual health status, and elimination of HIPAA's regulatory barriers to innovative insurance options. The article outlines how a competitive federalism approach to health insurance regulation could stimulate consumer-driven competition among state regulators that reaches across geographic boundary lines.
In the second article, E. Haavi Morreim, professor of bioethics at the University of Tennessee, Memphis, finds the U. S. health care system nearing the end of the managed-care era and facing another set of crossroads. Traditional cost containment tools are losing their effectiveness and health care costs are climbing once again. Morreim believes this presents an opportunity to bring patients back into decision making for which care is cost-worthy. She notes the early stages of a shift from defined benefit to defined contribution health plans, considers it probably inevitable, and expects it to be highly desirable. Restoring power and responsibility to patients through consumer-directed health care benefits can allow them to shape their care according to their own values and preferences.
The final set of articles considers the unintended consequences of more aggressive enforcement actions against health care fraud that were encouraged and augmented by HIPAA. Grace-Marie Turner, president of the Galen Institute, points out that HIPAA launched a new national health care fraud and abuse control program, created new federal health care crimes, and provided new funding for federal anti-fraud programs. Rather than begin to fax complex public and private health insurance programs that invite fraud, abuse, and mistakes, Congress instead chose to impose an expanding regulatory dragnet that ensnares innocent doctors in hopes that it will catch some of the criminals. Turner notes that HIPAA resurrected nearly identical language from many of the enforcement provisions proposed three years before in the Clinton administration's original health plan. She concludes that more aggressive oversight continues to corrode the doctor-patient relationship and creates a climate of fear and defensiveness that impairs the quality of medical care.
Finally, David Hyman, professor of law at the University of Maryland, describes how HIPAA federalized much of the law of health care fraud and created stronger incentives to pursue such conduct. He demonstrates that widely disseminated estimates of the incidence of fraud and abuse in health care (generally assumed to be about 10 percent to total spending) in fact lack any empirical foundation at all. Hyman concludes that the little we do know about health care fraud and abuse is dwarfed by what we do not know and what we know that is not so. However, when compared to the private sector, the federal government appears to under-invest in reviewing claims before the fact and then tries to compensate by imposing large sanctions (and seeking discounts) after the fact.
Restoring Patient Power
Overall, the articles in this issue highlight the unintended consequences of "incremental" federal reforms that failed to achieve their advertised objectives, but reached deeply into many sectors of our private health care system. While providing little if any help to consumers seeking more affordable and flexible health insurance options, HIPAA threatens to foreclose or chill promising market innovations like MSAs and defined contribution plans. It set in motion a bewildering and contradictory array of privacy regulations that promise few tangible benefits to consumers but lots of compliance burdens and micromanagement of health information practices. HIPAA refueled the fraud and abuse enforcement engine that extends the criminalization of medical practice well beyond evidence of misconduct and harm. Before federal regulation of private health care delivery expands and accelerates further, we should consider alternative paths that restore patient power and individual consumer control by relying on decentralized, competitive private markets.
Tom Miller is Director of Health Policy Studies at the Cato Institute.
|Printer friendly Cite/link Email Feedback|
|Publication:||The Cato Journal|
|Date:||Mar 22, 2002|
|Previous Article:||Editor's note.|
|Next Article:||Just gotta learn from the wrong things you done.|