
A Workplace Wellness Skeptic Lets Loose

This is an excerpt from an interview that HIStalk conducted with Al Lewis, JD, the author of several books on healthcare outcomes, the operator of the website, They Said What? Because the Wellness Industry’s Pants Are On Fire, and the founder and CEO of Quizzify. The full interview can be found here.

Tell me about yourself and what you do.

I am CEO and quizmeister-in-chief of Quizzify, which is an employee health literacy company. As we say, wiser employees make healthier decisions. However, I believe we are having this conversation because of my personal blog, which is called, “They Said What?” in which wellness vendors, diabetes vendors and related vendors are critically analyzed to in fact show that they usually don’t achieve what they claim to achieve.

You’re offering $3 million to any company that can convince an impartial panel that its program can save employers money. Do you have concerns about having to pay up?

None whatsoever. The entry fee is $300,000, and, believe me, it’s worth [the risk] with this impartial panel of five judges, of which I only get to appoint one and the burden of proof is on me. They don’t have a chance, which explains why nobody has tried to take me up on it.

Is it lack of knowledge or intentional deception that motivates wellness companies to sell services to employers without having sound science behind them?

Confucius put it very well. He said, and in those days it was all gender-specific, that, “When a man makes a mistake and it’s pointed out to him and he doesn’t correct it, he is telling a lie.” So at this point, these folks know they are lying. They have made the gamble, and it’s a good gamble, that vastly more people are going to read their ads than are going to read my website. So what they do, and they’ve gotten very good at this in the last couple of years, is simply ignore my postings instead of responding to them so as not to create a news cycle and a whole discussion.

Is the available science good enough that they could do it right if they really wanted to?

I would say that, for wellness generally, it is mathematically impossible to save money. There are not enough wellness-sensitive medical events. Even if you were to reduce 100% of them, you could not pay for most wellness programs. I’m not going to say it’s impossible, but it has clinically never even gotten close to that 100%. The typical reduction in risk is 0%, somewhere between minus 2% and plus 2%, while you would need a mathematically impossible 100% to 150% reduction to break even.

Most vendors are counting on the fact that most employers have absolutely no idea how many of their employees go to the hospital every year for diabetes. I could tell you if you like, unless you want to take a guess. Out of 1,000 people under the age of 65, how many go to the hospital with a primary diagnosis of diabetes in the insured population?

I’ll say two.

Actually, that’s very close. It’s more like one. Occasionally, I run health and wellness trivia contests at conferences. How does the radiation in the CT scan compare with the radiation in an X-ray? But I also throw in that specific question. If you added all the diabetes events and all heart attacks together in a typical employer population, what would the rate be per thousand? In fact, it would be two, if you put both of those together. The guesses that I get are usually somewhere between 20 per thousand and 200 per thousand.

What about the perception of the incidence of chronic disease in general?

It’s not my take, it’s the world’s take. Because I do this show of hands thing, I do these trivia contests all the time. The employer benefits community thinks it is between about 20 and 200 of these events per 1,000 employees. Which of course makes no sense whatsoever. This is just what they say because they get bombarded with information talking about all the people who have diabetes and all the expensive chronic disease. Let’s take those two things one at a time.

A lot of people do have diabetes. They may not even know it. It’s not going to become an issue for them for many years after they find out. If in fact an employer intervenes, they may possibly be able to control it. But what the [employer is] doing is saving Medicare money down the road because virtually nobody goes to the hospital with diabetes before the age of 65. Yet employers want to start paying for medication for these folks, so it’s a net increase in cost.

And then your other point of chronic disease. I’ve written extensively on this fallacy that 86% of cost is chronic disease. If you read… carefully, you’ll find that they are saying that 50% of adults have chronic disease. Now if you’re defining chronic disease that broadly, you’re including a whole lot more things besides the things that a wellness vendor can get to. You’re including arthritis. You’re including hypertension. Who doesn’t have hypertension?

If you put all that together and say, “Let’s count every dollar that someone with hypertension spends on healthcare….” So, someone with hypertension breaks [a] leg, you count that. You probably don’t even get to 86%, but most of that is also going to be in the over-65 population. In the under-65 population, the major drivers of costs are birth events and musculoskeletal.

The wellness vendors have done a great job of moving the goalposts. It used to be they would say, “You’re going to get a three-to-one financial return.” Then they started saying, “You’ll get a one-to-one return.” Now they’re saying, “There is really no financial return, but the employees will be healthier.”

If you actually look at the health of the employees … I’m not going to name names, except to say that there are a handful of vendors, generally the ones validated by the Validation Institute, that get more than a trivial improvement in health. There are other vendors — and I don’t mind naming names; Interactive Health and Wellsteps come to mind — where employees actually get worse as a result of these programs.

If that’s the case, won’t those companies eventually get fired for failing to deliver?

Some number of them are getting shown the door, but new employers are coming in. The problem is that the vendors have figured out how to measure outcomes fallaciously in such a way that most employers and most consultants aren’t going to catch them. They compare participants [with] non-participants, for example. It’s been proven up, down, sideways, backwards, forwards and eight ways to Sunday that every iota, every dollar of savings in a participant versus a non-participant comparison is due to the mindset of the participants versus the non-participants and not to the program.

How do I know that? There are several data points. Studies have benchmarked those things and found exactly that. But the most dramatic one is a company called HealthFitness Corporation that did a wellness program for a company called Eastman Chemical. They separated the groups into participants and non-participants in Year Zero. But due to a whole bunch of incompetence and delays, they didn’t get the program started until Year Two. By the time they started the programs, the participants had already dramatically outperformed non-participants.

The funny part about that is that my nemesis, the Snidely Whiplash to my Dudley Do-Right or the Lex Luthor to my Superman, was stuck with this, so he moved the goalposts. He said, “Oh, we overlooked that. That was our bad. We weren’t competent enough to realize that the program had actually started in Year Zero, not in Year Two. Therefore, you don’t know whether it’s due to the participants or non-participants.”

That turned out to be a big enough lie. And I don’t mind saying, oh, I’ll say on the record, Ron Goetzel is a liar. He can go ahead and sue me. The difference between him and me is that, if he calls me a liar, I’ll have him in court the next day. [Editor’s Note: We have emailed Goetzel to see if he wants to respond or offer a general defense of the economics of wellness, as he once did via an article we published. If he does so, we will update this article. To our knowledge, he has not yet responded to the original HIStalk article, published last week.]

They put out a graph that shows suddenly that the program started in Year Zero, not Year Two. The people who actually did the program got upset enough with that. If you go back and look at the website now, they have in fact replaced the lie with the truth, which is that the program started in Year Two after dramatic savings had already been found.

You’ve made the case that the simplest way to measure a workplace wellness program’s success is to ask the people who signed up if they participate regularly and see benefit from it. Do most programs fail even that basic test?

There is a tool put out by the Validation Institute that is the most elegant tool for measuring the cost-effectiveness of programs that I’ve ever seen. We are big supporters of it. You ask employees two questions. How much did you use something? You may not even have to ask them that because you already know. Then, did you find it useful? Then you multiply the number of times somebody used something times the usefulness they found. That gives you an engagement score as your Y axis. On the X axis is the cost of the program. You plot the engagement score against the cost of the program and you can tell in a single graph how cost-effective your programs are as viewed by employee use, employee engagement.

For the rest of the interview, click here to go to histalk2.com.

Why Healthcare Costs Soar (Part 2)

This is the second of a two-part series, by David Toomey and me, on why healthcare cost growth has historically been much higher than general inflation.

In the last blog post, we outlined the complexity of the network negotiation process and the challenging dynamics among the insurance companies, the providers and the employers. The majority of employers have not seen financial data or interacted with providers enough to understand the quality and cost variation within a network. The big question looming is what to do around contract negotiations tied to network access, patient disruption and costs.

David invited a half-dozen large, self-insured employers in a market to delve deeper into the clinical care and cost variation analysis. The intent was to share performance data with the employers, so they could understand the positive financial impact that could come from channeling members to higher-value providers.

Reports showed that, within physician groups, there was wide variation in physician performance. But this took time for the employers to grasp because their businesses were focused on a consistent consumer experience—each cup of coffee made the same way with the same ingredients.

After a basic grounding in the data, the next step was to have the employers meet with the largest systems and physician groups, so the companies could get a sense of these suppliers’ value propositions beyond just claims-based performance reports. The employers felt they were ready for the first meetings with a major health system that we will call “the provider,” which outlined its capabilities and introduced its mission statement as well as its commitment to patients.

After the overview, the first employer question was, “Who is your customer?” The provider’s response: “The patient, of course.” Second employer question: “Who pays the bill?” The pr

Would a Formulary Help in California?

Introducing a closed pharmaceutical formulary into California workers’ compensation could produce two main benefits. The first is to further lower the cost of pharmaceuticals by either restricting or eliminating certain medications. The second is to reduce the possibility of drug addiction.

An October 2014 California Workers’ Compensation Institute (“CWCI”) report titled, “Are Formularies a Viable Solution for Controlling Prescription Drug Utilization and Cost in California Workers’ Compensation” states that pharmaceutical costs could be reduced by 12%, or $124 million, by introducing the Texas workers’ compensation pharmaceutical formulary.

To achieve the second benefit, an assembly member introduced AB1124 to establish an evidence-based medication formulary and wrote, “The central purpose of our workers’ comp system is to ensure injured workers regain health and get back to work. When workers get addicted to dangerous medications, goals of the program are not met. An evidence-based formulary has proven to be an effective tool in other states and should be considered in California.”

To confirm whether these benefits could be achieved through the introduction of the Texas formulary, a review of the CWCI study and the opioid medications available under the Texas formulary was conducted. The findings, summarized below, suggest that the answer is no.

Although California does not restrict or limit medications in treating injured workers, it does limit the prices paid and provides an opportunity to question prescribed medications that appear to be out of the ordinary. Medi-Cal prices (California’s Medicaid health care program) are used for establishing the maximum prices for workers’ compensation medications, in contrast to states such as Texas, which use the average wholesale price (AWP).

A review of two cost-saving examples that referenced specific medications calculated projected savings based on CWCI’s ICIS payment data for prescriptions paid between Jan. 1, 2012 and June 30, 2013.

The first example compared 50mg Tramadol prices from five different suppliers. The highest was $190, followed by $23, $18, $12 and $8 per script. Here, CWCI suggested that the manufacturer of the highest-priced script be removed from the California formulary. From mid 2009 through 2013, however, the unit price for 50mg Tramadol from the supplier of brand name Ultram and at least 10 other suppliers in California was nine cents, so the AWP for a script was $2. So, overpaying for medications is an issue even if the $190 supplier is removed.

The Workers’ Compensation Research Institute (WCRI) also reported that California claims administrators paid a unit price of 35 cents for 5mg Cyclobenzaprine and 70 cents for 10mg while the unit price from Californian suppliers was 10 cents for 10mg and 15 cents for 5mg. Again, the prices suggest that California claims administrators were paying more than the maximum prices.

Based on randomly selected manufacturers and strengths of the top 20 medications identified in the 2013 NCCI prescription drug study, California’s prices were on average 20% lower than the AWP and in some cases as little as 1/24th the cost. California prices were found to be at the lowest retail price range compared with those published on goodrx.com. Pharmacies located in Los Angeles, Miami and Dallas were used for comparison. Findings suggested employers in California workers’ compensation are paying no more than the general public for medications, whereas in Texas employers are paying more by using the AWP.

The second example compared script prices of seven opioid agonists, including Tramadol and Oxymorphone. Oxymorphone was the highest-priced script at $600 and Tramadol the lowest at $60 per script, suggesting a saving of as much as $540 if Tramadol were to be prescribed instead of Oxymorphone.

But prescribing oxymorphone when tramadol could suffice or vice versa could be regarded as an act of gross negligence by the physician. On the World Health Organization (WHO) analgesic ladder, tramadol and codeine are weak opioids regarded as “step two” while acetaminophen and NSAIDs are “step one.” “Step three” opioids include medications such as morphine, oxycodone and oxymorphone, which all differ in their pharmacodynamics and pharmacokinetics, so choosing one or more to treat pain becomes a balance between possible adverse effects and the desired analgesic effect. Oxymorphone (stronger than morphine or oxycodone) is recommended for use only when a person has not responded to or cannot tolerate morphine or other analgesics to control their pain.

A list of opioid medications published by Purdue Pharma was used to identify which opioids were excluded from the Texas formulary. The list of more than 1,000 opioid analgesics was prepared by Purdue to comply with the state of Vermont law 33 V.S.A. section 2005a, requiring pharmaceutical manufacturers to provide physicians with a list of all drugs available in the same therapeutic class. Being in the same class, however, does not necessarily mean they are interchangeable or have the same efficacy or safety.

The list showed available strengths and included (1) immediate and extended release, (2) agonists such as fentanyl, oxycodone, hydrocodone, oxymorphone, tramadol, codeine, hydromorphone, methadone, morphine, tapentadol and levorphanol and (3) combinations such as acetaminophen with codeine, oxycodone with acetaminophen, oxycodone with aspirin, oxycodone with ibuprofen, hydrocodone with acetaminophen, hydrocodone with ibuprofen, acetaminophen-caffeine with dihydrocodeine, aspirin-caffeine with dihydrocodeine and tramadol with acetaminophen.

It appears that extended-release medications used for around-the-clock treatment of severe chronic pain have been excluded or are not listed in the Texas formulary, with a few exceptions. For example, 80mg OxyContin (Oxycodone) ER 12 hour (AWP $18, Medi-Cal $15) is excluded. 120mg Hysingla (Hydrocodone) ER 24 hour (AWP $41, Medi-Cal $34) is not listed. However, 200mg MS Contin (Morphine) ER 12 hour (AWP $31, Medi-Cal $26) and 100mcg Fentanyl 72 hour transdermal patch in both brand name and generic forms are approved under the Texas formulary. Immediate-release generic medications such as oxycodone, hydromorphone and hydrocodone with acetaminophen in all strengths are approved, but immediate-release hydrocodone with ibuprofen and oxymorphone in either immediate or extended release are excluded.

Would the objective of AB1124 be achieved by utilizing the Texas formulary? The above review suggests it would not. All the opioid medications available through the Texas formulary have the potential to cause addiction and be abused, possibly leading to death either accidentally or intentionally. As an example, the executive director of the Medical Board of California has filed accusations against Dr. Henri Eugene Montandon for unprofessional conduct including gross negligence. His patient was found dead with three 100mcg fentanyl patches on his upper chest. The autopsy revealed he potentially had toxic levels of fentanyl, codeine and morphine in his bloodstream at time of death. These three opioids are available under the Texas formulary.

An article published on the website www.startribune.com described the challenges in treating returning soldiers from combat duty. The article discusses Zach Williams, decorated with two Purple Hearts, who was found dead in his home from a fatal combination of fentanyl and venlafaxine, an antidepressant. Venlafaxine in both immediate- and extended-release form is approved in the Texas formulary. In addition, the following statement was made in a 2011 CWCI study into fentanyl: “Of the schedule II opioids included in the Institute’s study, the most potent is fentanyl, which is 75 to 100 times more powerful than oral morphine.”

The top 20 medications identified by the 2013 NCCI prescription drug study were also compared with the Texas formulary, and six medications were found to be excluded, including three extended-release opioids, OxyContin (Oxycodone), Opana ER (Oxymorphone) and the once-daily Kadian ER (Morphine). The twice-daily, extended-release morphine MS Contin, however, was approved. Flector, a non-steroidal anti-inflammatory transdermal patch used for acute pain from minor strains and sprains, was excluded, as was carisoprodol, a muscle relaxant classified by the DEA as a Schedule IV medication (the same as Tramadol). The Lidocaine transdermal patch, which is a local anesthetic available in both brand name and generic, was also excluded. Lidocaine patches have been found to assist in controlling pain associated with carpal tunnel syndrome, lower back pain and sore muscles. Apart from carisoprodol, it would appear the remaining five were excluded from the Texas formulary because of their high price rather than concerns regarding their safety or potential for abuse.

The U.S. Food and Drug Administration (FDA) is responsible for the approval of all medications in the U.S. Its approved list is the U.S. pharmacy formulary (or closed formulary). California workers’ compensation uses this list for treatment and the Medi-Cal formulary for medication pricing. In comparison, Texas workers’ compensation uses its own formulary, which is a restricted list of FDA-approved medications, and pays a higher price for approved medications than California’s system does.

Implementing an evidence-based formulary, such as in Texas, may result in an injured worker’s not having the same choice of medications as a patient being treated for pain under California’s Medicaid healthcare program. How can this be morally justified? Will we see injured workers paying out-of-pocket to receive the medications necessary to control their pain?

Claims administrators can greatly reduce pharmaceutical costs through their own initiatives by (1) ensuring that they pay no more than the Department of Industrial Relations (DIR) published price for a medication, (2) ensuring that physicians within their medical provider network (MPN) treat pain using the established pharmacological frameworks such as the WHO analgesic ladder, (3) ensuring that quantities and medication strengths are monitored, along with how a person has responded to analgesics, (4) ensuring that, when controlling pain with opioids, there is a heightened awareness for potential abuse, misuse and addiction, (5) establishing a multimodal pain management regimen including non-pharmacological therapies such as acupuncture, aerobics, pilates, chiropractic and physical therapy tailored to a person’s medical condition and, (6) for chronic pain, considering introducing an Internet-delivered pain management program based on the principles of cognitive behavioral therapy.

The progress of many of these initiatives can be automatically monitored through a claims administrator’s technology solution, where a yellow or red flag is raised when prices paid exceed the legislated maximum amounts, when a pharmacological step therapy or progressive plan has been breached or when non-pharmacological therapy goals have not been achieved.

Using these initiatives, as opposed to restricting specific manufacturers or medications through a closed formulary, will undoubtedly yield a far better outcome for the injured worker and lower the cost to the employer, benefiting all involved.

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able both to show their timely investigation of reported or suspected HIPAA susceptibilities or violations and to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications that HIPAA requires the health plan to receive before health plan PHI may be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to ensure that their organization and each member of the employer’s workforce honors these arrangements and does not improperly access or use health plan PHI or systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not designated a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At a minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Doubts on Testing for Breast Cancer

The Guardian carried a story by Sarah Boseley about the controversy in Europe and other countries about the effectiveness and safety of mammograms. It seems some of the early studies on the issue were deeply flawed.

The article says, “Internationally renowned cancer experts have cast fresh doubt on the benefits of breast cancer screening programs, warning that they save fewer lives than previously thought.”

Professor Julietta Patnick says, “There are potential risks as well as benefits associated with breast screening, including over-diagnosis, and it is important that women are given information that is clear and accessible before they go for a mammogram.”

She calls for women to have truly informed consent so they can decide to have a mammogram or not.

This is a controversial area. Should employers be involved in promoting this and prostate screenings? I’m not so sure.