Where Data Stops: Employers want more data for cost planning, but where is line drawn?

June 1, 2008

The U.S. healthcare system continues to struggle with costs. As costs have climbed, data needs among employers are changing swiftly. Some employers are asking their health plan providers for deeper, more telling employee health information, only to find that they aren't able to obtain it because of HIPAA and similar laws.

The U.S. Healthcare system continues to struggle with costs, and there are few lights at the end of the tunnel. As costs have climbed, data needs among employers are changing swiftly.

Desperate for an advantage, some employers are asking their health plan providers for deeper, more telling employee health information, only to find that they aren't able to obtain it because of HIPAA and similar laws.

Blaine Bos, worldwide partner in the health and benefits division of Mercer, consults with employers of all sizes. He says data needs vary considerably by size and complexity of employer. For instance, the large employer with employees scattered across several states will be seeking detailed data and may drill down to smaller categories of information.

Data mining skeptics such as Deborah Peel, psychiatrist, founder and chair, Patient Privacy Rights Group (PPRG), sees such mining as undermining consumers' rights to privacy.

"For one, it's almost completely impossible to de-identify health data," she says. "It's so rich in details that if they have year of birth or ZIP code, you could easily be re-identified."

Bos of Mercer disagrees. With HIPAA protections, he believes benefit information is fully encrypted.

"You can't determine whether this is Suzie Jones or Don Knotts," he says.

Peel points out that patient protections aren't as iron clad as they were originally intended to be. Prescription records have been sold for the last decade to insurers and large employers.

"One prescription data mining company that sells identifiable records reported revenues of $2 billion. There could be hundreds of organizations like this one," she says. "No one thinks their pharmacies are selling their data. Thieves and hackers are a worry. But in healthcare they don't have to steal it, they can just buy it."

The Patient Privacy Rights Group is involved in protecting consumer rights because no other groups have that sole mission, Peel says.

"No consumer organizations, no privacy organizations, nobody was watching what was going on to protect privacy of health records," she says.

TEXAS SITUATION

In March, the Texas legislature became the first in the United States to mandate that insurance companies give out employee health records to their clients, circumstances permitted under federal law. Effective Jan. 1, 2008, companies offering insurance could obtain a list of their employees and beneficiaries-labeled with a number or code only-whose health bills were more than $15,000 in the prior year. Additional information available includes diagnoses, dates of service, amount paid, prognoses, future costs, and treatment plans.

Proponents of the legislation contend the information is necessary to better determine health expenses. Opponents argue it completely defies patient privacy and puts the employer in a vulnerable situation of knowing a little too much information, which could lead to potential law suits.

It is legislation such as this that has observers such as Peel, up in arms. According to her, employees would have no way of knowing that their employer sought their medical records. In Texas, an at-will state-an employer can fire anyone for any reason.

However, employers still remain unable to gather health information protected by other federal or state laws, including HIV status or mental illness.

Bos contends that Texas' move is aimed at smaller employers to help them with costs. He believes some insurers might find the requirements onerous, however, and would increase their fees to cover the new administrative costs. The bottom line is that employers do need some kind of reliable data, especially self-funded employers.

Peel says if employers and corporations have total access to every health record, "it will be a huge mess. There are no audit trails for how far your information goes. You can't even behoove how you've been harmed," she says.