Weaponizing HIPAA Privacy

How health insurers hide behind HIPAA to avoid sharing claims data with employers, while farming every imaginable fact about plan members as they bid for those employers’ business.

You go to work one day and notice Susan is not there. Nobody you ask knows what happened to her, and management seems oddly tight-lipped about her whereabouts. Finally, they tell you and your co-workers that Susan has taken a leave of absence, but you get no additional details. Your company’s attorneys, corporate compliance officers, and HR personnel have been properly coached as to the myriad of stringent health privacy rules in the workplace, and everyone is rightfully paranoid.

I am reminded of an eccentric law professor I had who relished saying that “no good deed goes unpunished” whenever discussing the inevitable unintended consequences of legislation or contract terms. But after 22 years of the Health Insurance Portability and Accountability Act (HIPAA), I am not even sure the law was ever a good deed—at least not for those who have weaponized its use against employers.

The HIPAA privacy rule was designed to protect individuals’ medical records and other personal health information. However, the latest practices by health insurance carriers raise serious concerns about how they use these rules to maximize premiums.

Overly Cautious Here, Galloping Through Loopholes There

Companies that have fewer than about 250 employees on an insurance plan (the exact number varies from carrier to carrier) receive only meager, large-claims data at the end of the year. They do not get month-to-month information on claims versus premiums. The stated reason: Carriers are concerned that if they provide too much specific detail about employees’ health and claims activity, the employer may be able to discern who has what condition. This, the logic goes, violates HIPAA. And the smaller an employee population, the greater the risk. So most carriers will start to give out detailed claims information once a plan includes at least 250 employees. That is 250 with Carrier A, not 250 split across Carriers A and B.

This argument is absurd, but it has been the reality in the industry for twenty years. HIPAA gives insurance carriers political and social cover to appear to be vehement stewards of members’ private health information while keeping employers from telling concerned friends and co-workers why Susan is no longer in the office. Never mind that somebody in HR likely knows precisely why an employee is out because, for example, they administer the Family Medical Leave Act (FMLA). And yes, ideally, an employee will get a doctor’s note that expresses the need for leave without explaining the medical condition’s specifics—but we all know that this ideal circumstance rarely pans out, with loose lips revealing exactly what malady befalls an employee or dependent.

Claims inflation is around 4 percent. Yet carriers hit small companies with a practically obligatory 8 percent to 12 percent renewal cost increase and provide no justification for that bloated number because the employers are too small to receive detailed claims information. To do so may violate HIPAA. Yet, when the carrier bid on that employer’s plan, it may have sung a different tune.

Until 5 to 10 years ago, brokers could get medical insurance proposals from carriers without names, Social Security Numbers, or employee IDs of any kind. We would state “Employee 1” or provide no identifier to go along with the required demographic information. But then something changed.

The same carriers that are currently too scared of HIPAA to provide anonymous claims information to companies with fewer than 250 employees on a plan started refusing, several years ago, to provide proposals without a list of the names of all employees. Now it is so bad that carriers usually offer a proposal for a group only if they have a list of all employees on the plan, as well as all their dependents. And those that will provide a proposal based only on a census, with no names, often increase the premium so much that they might as well have refused to bid.

Scouring PHI from Everyone, Everywhere, All at Once

Insurance companies now regularly access third-party databases to obtain health-related information on potential customers before providing insurance quotes. While the HIPAA privacy rule restricts the use and disclosure of protected health information (PHI) by healthcare providers, health plans, and health insurers acting as an individual’s current provider, there is a loophole when it comes to health insurance carriers acting as bidders.

As bidders, health insurance carriers are not considered “covered entities” under HIPAA, which means they are not subject to the same privacy standards. This allows them to access and use PHI in ways that other entities, such as healthcare providers, cannot.

This practice is legally permissible because the insurance company and the individual do not yet have a direct relationship. These third-party databases are often populated with information from various sources, such as public records, consumer data brokers, and even social media. Since the information is not obtained directly from the individual or their healthcare provider, it is not subject to the same protections as information governed by HIPAA.

This is analogous to how the U.S. government circumvents Constitutional protections prohibiting it from directly conducting mass surveillance programs that spy on Americans. Instead of spying on its citizens, the United States relies on friendly foreign governments, such as England, to do so via the Prism software system. England can then report the desired information to the U.S. because the U.S. Constitution does not constrain England.

Ultimately, although health insurance carriers’ use of third-party databases to bloat their proposals may be legal under current regulations, the practice raises monumental ethical concerns and highlights the need for further discussion and reform of privacy laws.

Third-party databases use increasingly powerful artificial intelligence (AI) to amass and aggregate information from every imaginable source to create comprehensively weaponized profiles of individuals. Healthcare is the United States’ largest industry and largest private employer. It would be impossible to overstate the Herculean amount of time, money, and energy insurers are directing toward knowing exactly what kind of health risk specific individuals represent. Health insurance carriers and other businesses can use the information in these databases for various purposes, such as targeted marketing, risk assessment, and—most importantly—pricing. Some examples of sources that contribute to these databases include:

There are several well-known data brokers that reportedly provide consumer information to various industries, including insurance. These include:

One of the most popular models for analyzing and scoring individuals’ health has been DxCG, now known as Verisk Health. In 2018, Veritas Capital Portfolio and Verscend Technologies completed the acquisition of Cotiviti Holdings, a leading provider of “payment accuracy and analytics.” The combined company, which now operates under the name Cotiviti, specializes in healthcare analytics solutions, particularly in risk adjustment and predictive modeling. One of Cotiviti’s key offerings is the Diagnostic Cost Group (DCG) model, used by insurance carriers, healthcare providers, and other organizations to predict healthcare costs and assess the risk of individual patients or populations.

The DCG model leverages individuals’ diagnostic and demographic information, as well as data on their healthcare utilization. By analyzing this information, the model can predict the future healthcare costs of an individual or a group. The DCG model is particularly useful for analyzing and scoring populations with chronic conditions or high healthcare utilization.

So, What Is the Point of HIPAA?

Conspiracy-minded folks might conclude that HIPAA’s primary achievement has been to protect the bottom line of the gargantuan government-healthcare complex by obfuscating inflated premium renewal costs while doing nothing, in practice, to keep bidding carriers from extracting the very same PHI the law is supposed to be shielding. Was that the goal at inception? Not amongst most who championed it, but perhaps for some. And undoubtedly, things have progressed down that path with AI’s expanding power to vacuum up these kernels of health information from every nook and cranny of the interweb.

As previously discussed, the use of diagnostic and demographic information in risk adjustment models during the bidding process is not subject to the same restrictions as the PHI governed by HIPAA. But even if it were, a simple sleight of hand could easily make it usable in this process.

For example, suppose the data were de-identified, meaning that it was stripped of information that could be used to identify an individual. In that case, it could be shared and used for underwriting without violating HIPAA rules. A carrier could send over a roster of 500 employees and all their dependents, asking that the DCG model report back any specific claimant concerns. The model could then send back a report to the carrier, explaining that 11 potential members are likely to exceed $100,000 in claims cost next year, with three over $500,000 and one more than $1 million. The model could even report—without the use of names—the exact diagnosis and prognosis for each of these individuals by labeling them as “Member 1,” “Member 2,” etc. HIPAA would never be invoked because no individual would be unmasked to that person’s employer, carrier, or broker.
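The two mechanisms the article describes, the carriers’ claim that a small plan population lets an employer work out who has what condition, and the “Member 1, Member 2” labeling that keeps diagnosis and demographics attached to each row, are both instances of the same privacy-engineering problem: stripping names is pseudonymization, not de-identification, and a report row can be joined back to a roster on the quasi-identifiers it still carries. The following is an added example, not code from the article or from any carrier or vendor it names. The roster, the scoring report, the choice of age, sex and ZIP as quasi-identifiers, and the banding rules are all constructed assumptions; the measure applied is k-anonymity, the smallest number of roster members sharing a given combination of quasi-identifiers.

```python
"""Why a 'de-identified' claims report can still unmask members of a small plan.

Added example, not from the original article. The roster and the report are
constructed sample data; the quasi-identifiers (age, sex, ZIP) and the banding
rules are assumptions chosen to illustrate k-anonymity and linkage risk.
"""
from collections import defaultdict

# Constructed employer census: the kind of list a carrier receives when it bids.
ROSTER = [
    {"name": "A. Alvarez", "age": 29, "sex": "F", "zip": "94501"},
    {"name": "B. Brown",   "age": 34, "sex": "M", "zip": "94501"},
    {"name": "C. Chen",    "age": 52, "sex": "F", "zip": "94502"},
    {"name": "D. Davis",   "age": 41, "sex": "M", "zip": "94501"},
    {"name": "E. Evans",   "age": 34, "sex": "M", "zip": "94501"},
    {"name": "F. Ford",    "age": 58, "sex": "M", "zip": "94503"},
    {"name": "G. Garcia",  "age": 29, "sex": "F", "zip": "94501"},
    {"name": "H. Hughes",  "age": 45, "sex": "F", "zip": "94502"},
]

# Constructed "de-identified" scoring report: names replaced by labels, but the
# demographics the model keyed on are still attached to every row.
REPORT = [
    {"label": "Member 1", "age": 52, "sex": "F", "zip": "94502", "flag": "likely > $100k"},
    {"label": "Member 2", "age": 34, "sex": "M", "zip": "94501", "flag": "likely > $100k"},
    {"label": "Member 3", "age": 58, "sex": "M", "zip": "94503", "flag": "likely > $500k"},
]

QUASI = ("age", "sex", "zip")  # assumed quasi-identifier columns


def key_of(rec, fields):
    return tuple(rec[f] for f in fields)


def equivalence_classes(records, fields=QUASI):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[key_of(rec, fields)].append(rec)
    return classes


def k_anonymity(records, fields=QUASI):
    """Smallest class size; k == 1 means at least one person is unique on these fields."""
    return min(len(m) for m in equivalence_classes(records, fields).values())


def singletons(records, fields=QUASI):
    """Names of roster members who are unique on the quasi-identifiers."""
    return sorted(m[0]["name"] for m in equivalence_classes(records, fields).values() if len(m) == 1)


def relink(report, roster, fields=QUASI):
    """Join each report row back to roster names with the same quasi-identifiers.

    A single candidate name means the label provided no protection at all."""
    classes = equivalence_classes(roster, fields)
    return {row["label"]: sorted(r["name"] for r in classes.get(key_of(row, fields), []))
            for row in report}


def generalize(rec):
    """Coarsen quasi-identifiers: age to a decade band, ZIP to its 3-digit prefix."""
    out = dict(rec)
    out["age"] = f"{rec['age'] // 10 * 10}s"
    out["zip"] = rec["zip"][:3]
    return out


def release(report, roster, k_min=2, fields=QUASI):
    """Minimum class-size rule: withhold rows whose demographics match fewer than
    k_min roster members, which is the kind of threshold a carrier's 'too small
    to share' argument amounts to when made concrete."""
    classes = equivalence_classes(roster, fields)
    out = []
    for row in report:
        n = len(classes.get(key_of(row, fields), []))
        out.append({"label": row["label"], "class_size": n,
                    "flag": row["flag"] if n >= k_min else None})
    return out


def released_labels(report, roster, k_min=2, fields=QUASI):
    return [r["label"] for r in release(report, roster, k_min, fields) if r["flag"] is not None]


if __name__ == "__main__":
    print("k-anonymity of raw roster:", k_anonymity(ROSTER))
    print("members unique on age/sex/ZIP:", singletons(ROSTER))
    for label, names in relink(REPORT, ROSTER).items():
        print(f"{label} -> {names or 'no match'}")
    gen_roster = [generalize(r) for r in ROSTER]
    print("k-anonymity after banding age and ZIP:", k_anonymity(gen_roster))
    print("rows that survive a k>=2 release rule:", released_labels(REPORT, ROSTER, 2))
```

On this eight-person roster, "Member 1" and "Member 3" each match exactly one name, so the label hides nothing from anyone holding the census; only "Member 2" sits in a class of two. Banding age and ZIP does not raise k above 1 here, because coarsening only helps when the population is large enough to fill each band with several people, which is the substance behind a headcount threshold. The minimum-class-size release rule is the mitigation that actually follows from the stated concern: it withholds the rows that would unmask someone rather than withholding all data from the employer.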

Additionally, specific organizations involved in healthcare data management, such as data aggregators, may not be considered covered entities under HIPAA at all, which means they are not subject to the same privacy standards anyway. These organizations may be able to share diagnostic and demographic information with insurance carriers for underwriting purposes, as long as they comply with other applicable laws and regulations, such as the Fair Credit Reporting Act (FCRA) or state-specific privacy laws.

Using third-party databases, risk adjustment models like the DCG, and other analytics tools, insurance carriers are exploiting a nefarious loophole that violates the spirit of HIPAA. These practices may be legal under the current inane regulations, but they raise significant ethical concerns about privacy and potential discrimination.

Contrast this unsavory practice with the ways these same carriers hide behind HIPAA privacy rules to shield clients’ claims data while asking for the latest 12 percent increase. It boggles the mind that we have allowed this to happen. But I am again reminded that “no good deed goes unpunished.”

Meanwhile, concerned co-workers and friends still have no idea where Susan is or whether she is OK.
Craig Gottwals is a healthcare attorney and senior vice president at McGriff Insurance Services.
From: BenefitsPRO