Population Health Insider, May 2009

Inside:

Stimulus law makes changes to HIPAA

Employers concerned about future of health benefits

Member experience directly correlates to plan satisfaction

Three types of alignment for better payer-provider relations

Stimulus law makes changes to HIPAA

Health plans, population health affected

The $787 billion American Recovery and Reinvestment Act of 2009 pushes healthcare into a new era of personal health information regulation and enforcement—and companies need to deal with these changes now.

As part of the stimulus act, President Barack Obama and Congress infused billions into the country’s struggling economy.

Not stopping there, Congress and Obama also set aside $19 billion for healthcare information technology (IT) and created new HIPAA regulations through the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Most HITECH news reports have focused on Medicare reimbursement incentives for healthcare providers who use certified electronic health records in a “meaningful way.” But there is another piece of HITECH that will have a larger effect on health plans and companies working in the managed care arena—changes to the HIPAA law.

Much of the new healthcare security and privacy requirements created through HITECH will go into effect February 18, 2010, one year after Congress passed the stimulus bill.

Over the next year, the federal government will issue many new health IT regulations to resolve questions that remain following the legislation’s passage.

“There’s nothing in there that was surprising, but I think some significant things in the bill will have consequences in the marketplace,” says David C. Kibbe, MD, MBA, principal of the Kibbe Group and senior advisor at the American Academy of Family Physicians.

Health plans, especially population health, disease management, and wellness companies, face several changes thanks to HITECH.

“This has a profound impact on disease management organizations, as well as the healthcare industry,” said Reece Hirsch, CIPP, partner at Sonnenschein Nath & Rosenthal, LLP, in San Francisco, who spoke during a members-only DMAA: The Care Continuum Webinar in March.

HITECH makes a number of changes to HIPAA, including extending the reach of privacy and security rules, imposing breach notification requirements on covered entities and business associates (BA), limiting certain uses and disclosures of personal health information (PHI), increasing individuals’ rights with their PHI, and adding enforcement and penalties for HIPAA violations.

Five things to know

The following are the five things health plans and disease management and population health companies need to know about the HITECH Act:

1. Federal leaders used the stimulus as a way to make HIPAA changes. Washington leaders have debated revising HIPAA for the past decade, and legislators used the stimulus bill as a way to revamp HIPAA’s privacy and security provisions.

These changes are an attempt to protect individual health information in the face of greater technology and sharing of patient information, Kibbe says.

“One good thing about HIPAA changes is that this clearly places patients in greater control of their health information, and I think that is not going to be mentioned as much as it ought to,” says Kibbe.

The electronic health information movement gained steam during the past year as Microsoft and Google entered the market. The addition of these technology giants helped spark the legislation, Kibbe says.

“There were those who felt, and I’m one of them, that we need to completely go back to square one in respect to healthcare information and its privacy and security because this idea of breaking the world up under covered entities and everyone else no longer makes sense. I think a lot of the confusion, and some of the consternation and some of the unintended consequences of this fix to HIPAA, is the result of it being a fix rather than a rewrite,” says Kibbe.

HITECH stops short of a European-type policy that requires any entity that handles personally identifiable health information to comply with the same privacy and security rules, but it does move the United States a step closer to that, he says. “That day is a little nearer as a result of these changes, but I don’t think [lawmakers] wanted to take the time to do that and didn’t feel it was actually necessary,” says Kibbe.

2. HITECH extends privacy and security rules.The new legislation protects patient information from unauthorized acquisition, access, use, or disclosure that compromises the security of privacy. As so-called covered entities, health insurers will need to work with their multiple vendors to make changes to BA agreements.

For example, health insurers must incorporate the new privacy and security requirements into agreements and remove amendments that are no longer necessary under HITECH from contracts. They may also need to amend notice of privacy practices to reflect new patient rights to their health information under HITECH, said Hirsch.

BAs, such as disease management companies, will need to perform those duties and incorporate changes to comply with the same obligations as covered entities.

An exception to the security rules is when an unauthorized person “would not reasonably have been able to retain” the information, said Hirsch.

The following are not considered breaches under the new law:

• An employee or other person who acts under the authority of the covered entity or BA and accesses the record in good faith and within the scope of employment or other professional relationship, but the information is not acquired or accessed by another person or entity
• An authorized person at a facility who inadvertently discloses the information to another authorized person at the facility, but the information is not accessed or disclosed further

3. HITECH imposes requirements for breach notification on HIPAA covered entities and BAs. HITECH requires that BAs comply with the same obligations and face the same potential penalties as covered entities. This means violations are not just problems that will be handled through BA agreements, but could be subject to federal action.

Covered entities and BAs must notify the proper people or entities within 60 days of discovering security breaches. The covered entities will also need to:

• Provide a description of facts surrounding the breach
• List the type of PHI
• Highlight the steps individuals should take to protect themselves
• Note what the covered entity is going to investigate and mitigate the issue
• Give contact information for inquiries

“This means that business associates are going to be required to pretty much do everything that a HIPAA covered entity is required to do under the HIPAA security rule,” Hirsch said. “It’s also important to note that the new HIPAA civil and criminal sanctions will also apply to business associates under the strengthened enforcement initiative of the HITECH Act.”

4. HITECH increases enforcement of and penalties for HIPAA violations. BAs that violate the new regulations will not merely need to deal with covered entities, but may face hefty fines from federal and state governments.

Critics, including the Office of Inspector General, have charged that the U.S. Department of Health and Human Services (HHS) enforcement of HIPAA regulations has been lax.

HITECH tackles the limited enforcement issue and speeding ticket–sized HIPAA fines. HITECH creates a tiered penalty that stretches to as much as $1.5 million for violations.

All civil money penalties will go to the Office of Civil Rights to fund future investigations. HITECH requires that HHS formally investigate any complaint of a HIPAA violation if preliminary investigation shows possible violations.

The new law also allows state attorneys general to bring civil actions in federal court on behalf of state residents.

“A security breach can be a disastrous event for many organizations because the adverse consequences can be enormous, from class-action lawsuits to regulatory action. One of the major components of HITECH is to really create new stringent security breach obligations for HIPAA covered entities,” Hirsch said.

5. Prepare for the changes now. Hirsch said BAs need to:

• Revise BA agreements to incorporate the new privacy and security requirements and remove amendments that are no longer necessary under HITECH from contracts
• Implement written policies and procedures that address each HITECH security rule standard
• Create an employee security awareness and training program
• Designate a security official
• Conduct a security risk analysis

As part of this process, BAs will need to track, store, and compile information so there is an audit trail in case of breaches.

“Because the security standards are fairly broad and general, the security risk analysis is key because that’s how an organization decides how to prioritize and justify the decision they make in implementing all of these broad and general standards. A formal, thorough security risk analysis is critical to that process,” said Hirsch.

Although many large BAs have a comprehensive security compliance program, smaller companies will need to create their own.

This may force some companies to decide that the added work and regulations are too much. Smaller BAs, especially those that work in areas beyond healthcare, may bow out of the industry rather than invest the money, time, and manpower to create procedures to follow HITECH regulations, said Hirsch.

Managed care companies need to prepare for these changes—and realize that there are more revisions coming.

HHS will issue clarifications during the next year before HITECH goes into effect February 2010.

“I am trying to remain fairly optimistic that it will settle down after a few months because I think the administration understands that there has to be a balance here between bringing better, cheaper, faster technology to healthcare at the same time that we deal with the legitimate fears people have about risks of privacy,” Kibbe says.

Employers concerned about future of health benefits

Healthcare costs are expected to stay steady for the third straight year in 2009, but that news is not allaying employers’ fears that they won’t offer health benefits in 10 years, according to the 14th annual National Business Group on Health/Watson Wyatt Employer Survey on Purchasing Value in Health Care.

The survey asked 489 large U.S. employers a host of health benefit questions and found cost increases will remain stable in 2009. (See Figure 1 on this page.)

The predicted 6% medical healthcare cost increase for 2009 is lower than the 14.7% increase of 2002, but is still nearly twice the rate of inflation. Ted Nussbaum, group and healthcare practice leader at Watson Wyatt in Stamford, CT, says employers and health insurers have been able to maintain the 6% annual increase because of consumerism efforts and infrastructure, which are helping individuals manage their health.

Although costs have increased at the same level in the past three years, Nussbaum says Watson Wyatt expects a spike soon because healthcare expenses work in cycles. “I don’t know if we will get to a 15% trend again, but this is a cycle like most other economic systems,” he says.

Large employers are reevaluating health plan strategies given the current financial crisis, Nussbaum says. Sixty-two percent of large employers in the survey are confident they will offer healthcare benefits in the next decade, which is a drop from 73% in 2007.

Employer confidence levels usually correlate with cost trends, so the higher the cost trend, the less comfort for companies. That’s what makes this year’s percentage surprising, he says.

“This is the first time in 14 years that confidence has dropped, and it’s not related to cost trends. It sort of tells you, given the economic climate that we are in, that companies are feeling less confident that they can [offer health benefits],” says Nussbaum.

Although companies are concerned, few are currently making major changes to healthcare benefits. (See Figure 2 on p. 6.) “I think companies are moving along a continuum and they are comfortable with where they are going and what they are doing. I am certain they are making contingency plans in other areas, not in healthcare,” says Nussbaum.

That short-term satisfaction is evident in the fact that most large employers are shying away from total replacement programs. Three percent of employers surveyed said they are planning a total replacement plan, such as a consumer-directed health plan (CDHP). If those employers follow through with their plans, that would increase the percentage of total replacement plans to 9%, according to the survey.

Most employers don’t implement total replacement because they are worried about employee backlash and eliminating choice, Nussbaum says, noting that in the early 1990s, some companies converted to point of service plans, and employees did not like losing choice.

“I would expect that there would be a much more aggressive posture relative to addressing healthcare programs. While choice is nice, choice doesn’t maximize your ability to control costs, to control patterns of use, so on and so forth. I was surprised that we did not have more total replacement consumer-directed health plans,” says Nussbaum.

Although most employers are not making large-scale changes, they are tweaking programs and strategies. For example, health plan eligibility and enrollment audits/reviews, personal health records, and lifestyle behavior change programs are on the rise. Additionally, fewer employers are using vendors’ estimates of savings and return on investment (ROI) and significantly increasing employee copays or coinsurance. (See Figure 3 on p. 7.)

Helen Darling, president of the National Business Group on Health in Washington, DC, says many of these programs are extra services health plans did not offer more than five years ago. “What that is saying is even in a time of severe financial stress, including a recession, employers are spending extra money in order to do these things to try to improve the health of their employees and dependents,” says Darling.

Nussbaum doesn’t expect radical changes. However, he thinks employers will adopt data initiatives, provide quality and price information, measure ROI on programs and remove those that aren’t producing positive ROI, and create new CDHPs with incentives to take part in those plans.

Best performers lead the way

The survey found that best-performing companies enjoyed a much smaller health cost increase between 2008 and 2009 compared to average and poor performers.

“The ability to keep cost increases low over an extended period of time is a critical factor in making companies sustained performers,” according to the survey.

About 275 companies participated in the survey in the past four years, and 53 of those have maintained healthcare cost trends at or below the median for each of those years. The survey researchers refer to them as “consistent performers” and found that, although the median increase for all companies was 6%, consistent performers saw their costs increase by 2.4% in 2008.

Best and consistent performers are facing smaller increases through programs and initiatives in five areas, according to the survey:

• Appropriate financial incentives
• Maximizing health and productivity
• Effective information delivery
• Metrics and evidence
• Quality care

“Companies that have maintained consistently lower healthcare cost trends over the last four years are clearly differentiating themselves from other companies, including the best performers. The consistent performers have made even greater strides, especially in their use of financial incentives and by providing employees with essential information to manage their health,” according to the survey.

The consistent and best performers in the survey drive healthy behavior through:

• Offering incentives for participating in smoking cessation programs and providing coverage for retail clinic use (see Figure 4 below)
• Offering health risk appraisals (see Figure 5 on p. 9)
• Offering Web-based programs to help enrollees reduce lifestyle risk factors or manage health conditions and providing education on healthcare costs and ways to help manage costs (see Figure 6 on p. 10)
• Requiring plans to provide complete extracts of claims data (see Figure 7 on p. 11)

“I think one of the most important conclusions from this year’s study is that it really is possible over a multi-year time period to sustain low-cost trends by doing a variety of things that we’re able to be very specific about. [Consistent performers] are not doing anything different than the best performers, but they do a little more of it and they do it more consistently,” says Nussbaum.

Health insurers should learn from the results that there is much work needed to fix healthcare, such as reducing waste and unneeded services. “I think the most important thing, and I think the president is saying very well, is ‘We will not be able to have a strong economy and strong country if we don’t have control of our healthcare costs,’ ” says Darling.

Top challenges for employers

The survey found agreement on the top challenge employers face to maintain affordable benefit coverage. About two-thirds of the large employers surveyed pointed to employees’ poor health habits as the No. 1 concern, with the underuse of preventive services a distant second. (See Figure 8 on p. 11.)

“[Employers] recognize that employees’ poor health habits are so important,” says Darling. In the past, employers focused on hospital and provider costs and didn’t think about employee health and prevention.

“They have really begun to connect the dots between costs and cost drivers, not just costs for providers. That’s a totally different framing of it,” says Darling.

Many employers are gauging ROI for population health programs. “Health improvement programs are the way the companies are confident in going, but they need to see ROI,” says Nussbaum.

Health management program participation and incentives

Companies are using incentives to spark population health program participation, but are seeing only modest success. Companies that offer annual financial incentives are reporting significantly higher program participation in wellness and population health programs.

More than 60% of employers surveyed said they provide financial incentives to employees who complete health risk appraisals. (See Figure 9 on p. 12.) Sixty-five percent of high-program-participation companies paid employees more than $150 to complete health risk appraisals, and 83% paid at least $150 to have employees complete biometric screenings. (See Figure 10 on p. 12.)

However, many employers are offering incentives that don’t involve financial incentives. For example, most high-program-participation companies use coverage and premium differentials as a way to encourage health risk appraisal completion. Ninety-six percent of high-program-participation programs offer premium differentials for employees who complete biometric screenings. (See Figure 11 on p. 13.)

Consistent and best performers are able to get more employees involved in health programs, such as weight management, smoking cessation, and disease management. (See Figure 12 on p. 13.) However, participation levels in health management programs across all of the survey respondents are still low. The lowest participation levels are in smoking cessation, weight management, and disease management programs, but those are programs that might not interest a large employee population.

Consumer-directed health plans become more popular

The survey found that about half of large employers offer CDHPs, and that number is expected to increase to 59% in 2010.

CDHPs aren’t just a way to shift costs onto employees, but a way to educate individuals to take better care of themselves and be better-educated healthcare consumers, Nussbaum says.

“This is more about getting an individual’s attention and getting them to be a partner in managing their own health than it is about shifting costs,” he says.

Enrollment rates, which have settled in the single digits since CDHPs were created earlier this decade, are on the rise. In fact, 43% of large employers surveyed said they have more than 20% employee enrollment in a CDHP, and the median enrollment level has increased to 14%.

Getting more employees enrolled in a CDHP correlates with lower costs. Companies that added 10% or more enrollments between 2007 and 2008 achieved two percentage points in lower cost trends than those with slower enrollment growth. Companies that added 10% or more enrollments between 2008 and 2009 enjoyed more than a three percentage point advantage over those with slower increases in enrollment, according to the survey.

Looking at cost trends and basic costs, Nussbaum says companies need 15% enrollment to begin seeing ROI that is required for building CDHP infrastructure. Companies with at least half of their employees enrolled in a CDHP have a two-year cost trend that is 25% lower than non-CDHP sponsors, according to the survey.

“We’re starting to reach that [15%] threshold. Companies are working very hard to address the health status of their population and get their employees to get involved in the process themselves,” Nussbaum says.

Health savings accounts (HSA) have grown more popular in the past three years, but health reimbursement arrangements (HRA) have remained steady. Employers view HSAs as a better way to spark patient activation. Whereas HRAs are funded by businesses, and their balances do not carry over into subsequent years or if the individual changes employers, HSAs can include employee and employer donations. HSAs also belong to the individual, so when he or she changes employers, the HSA account goes with the individual.

HSAs help employees feel that the accounts belong to them and not the company. “Employers feel they own the money,” Nussbaum says.

Member experience directly correlates to plan satisfaction

Health plan members list coverage, benefits, and provider choice as the top factors in whether they are satisfied with their health plans, but an insurer’s member outreach underlies those top issues and is a direct link to health plan satisfaction, according to J.D. Power and Associates’ 2009 National Health Insurance Plan Study.

This is especially true for members of individual and small group plans, in which members ranked plan satisfaction lower than large group plans, according to the survey. Individual plans are an option for Americans whose employers are cutting benefits or laying off employees. Nine percent of people covered by health plans are in individual plans.

“The most important factor in this study, in terms of the relationship with member experience, is how the member rates their coverage and benefits,” says David Stefan, executive director for healthcare at J.D. Power and Associates in Phoenix. “We have seen that that rating is highly connected with the information and communication and knowledge of the plan. So if the member understands the plan very well, they understand what’s covered and what’s not and understand how to use those services.” (To see how health plans performed in 13 areas, see Figures 13–25 beginning below.)

J.D. Power and Associates’ third study measured member satisfaction for about 33,000 Americans enrolled in 131 health plans in 17 regions by examining seven factors: coverage and benefits, provider choice, information and communication, claims processing, statements, customer service, and approval process.

In the survey, J.D. Power and Associates asked members questions about their health plans and gave a point value to each question. It tallied the results and scored them on a 1,000-point scale. Health plan members with individual coverage or who worked for small employers (50 employees or fewer) were less satisfied with their health plans than those who worked for large businesses (501–5,000 employees) and jumbo employers (more than 5,000 employees).

Smaller employer groups averaged a score of 692 points, lower than those enrolled in individual plans (694), large employers (717), and jumbo employers (725), according to J.D. Power and Associates. The survey also found that those working for large employers are more likely to re-enroll and recommend the plans to others, compared to those employed by small employers or covered through individual plans.

The survey found that most members simply don’t understand their plans, Stefan says. Although a small percentage fully comprehend the offerings, close to two-thirds of members are confused about how their plans work to one degree or another. “We see a very big difference between people who say they fully understand how it works and those who have some level of confusion,” he says.

Whether a member understands a plan has a direct correlation to costs, usage of preventive services, and plan satisfaction. For example, if a member doesn’t understand all of a plan’s benefits, he or she isn’t taking advantage of the offerings. One way to resolve this is to communicate effectively with new members through multiple channels (e.g., phone, mail, e-mail, and the Internet) and send welcome kits that engage members and educate them about the plan and offerings. “The newer members that get that stuff both understand the plan better and tend to be more satisfied than the new member who does not receive some of that,” Stefan says.

Members who understand their plans are less expensive than those who don’t comprehend the plans. Those who are knowledgeable are less apt to call the health plan with basic benefit questions and spend less time on the phone asking questions. They will also take advantage of preventive services, such as wellness and disease management.

That education not only helps the member, but also the health plan and employer, who reap the benefits of a healthier member. Employers are becoming more aware that an educated member accesses preventive services and focuses on managing his or her health. “I think they are increasingly becoming more sophisticated about that. I certainly see that big difference now when we talk to plans than five or eight years ago,” Stefan says. “I see that shift gradually emerging over time.”

New England tops satisfaction levels

J.D. Power and Associates found that satisfaction levels for health plans increased significantly from 2008 in the New England, South Atlantic, California, Arizona-Utah, and Illinois-Indiana regions, with New England, Michigan, Pennsylvania-Delaware, California, and South Atlantic achieving the highest satisfaction levels overall.

The health plans that ranked highest on the member satisfaction index were Kaiser Foundation Health Plan (aka Kaiser Permanente), Harvard Pilgrim Health Care, Humana, Highmark Blue Cross Blue Shield, Health Alliance Plan, BlueCross BlueShield of Arizona, and Dean Health Insurance.

Given the challenges in today’s economy, Stefan says the study is a “win for the industry.” In general, health plan satisfaction levels are pretty low to start, but they have increased slightly from last year.

“I think it’s always challenging for health plans to invest in the right initiatives and efforts with their members and balance that against all their economic realities,” Stefan says.

Kaiser Permanente reaches out

One of the highest ranked insurers in the survey, Kaiser Permanente, enjoys an advantage over those that are strictly health insurers. Christine Paige, senior vice president for marketing and Internet services at Kaiser Permanente in Oakland, CA, says the integrated healthcare system communicates with its members more on care delivery than coverage, which is not the case for an insurer without an integrated system.

The integrated model, coupled with Kaiser Permanente’s focus on total health, allows the company to connect with members in an environment that goes beyond coverage questions. “We tend to see the experience of the care driving the satisfaction rather than the experience of the coverage per se,” Paige says. “We’re very focused on connecting people with the services and making sure they have good access to [Kaiser programs], and those in turn drive satisfaction.”

To connect with new members, which J.D. Power and Associates stated is critical in its study, a Kaiser Permanente representative reaches out to explain offerings and benefits and promotes the importance of forging a strong relationship with primary care physicians. During that call, Kaiser Permanente helps the new member choose a physician depending on the individual’s preference and background.

Kaiser Permanente also sends the new member a guidebook with information about services and promotes the company’s Web site, which provides online coaching and the ability to schedule physician appointments and renew prescriptions. The integrated system also sends a quarterly newsletter to members, which highlights health issues, emerging health trends, and service enhancements in the member’s area.

Although much of its communication is about care delivery, Kaiser Permanente has also broadened its outreach to include education about recent health insurance benefit changes, such as the popularity of deductibles in HMOs. This outreach is especially important for long-standing Kaiser Permanente members who are not used to those terms.

Kaiser Permanente has typically focused on accessing care delivery through communication