Private Health Insurance:
HCFA Cautious in Enforcing Federal HIPAA Standards in States Lacking Conforming Laws
HEHS-98-217R: Published: Jul 22, 1998. Publicly Released: Jul 27, 1998.
- Full Report:
Pursuant to a congressional request, GAO reviewed the Health Care Financing Administration's (HCFA) regulatory enforcement of federal Health Insurance Portability and Accountability Act (HIPAA) standards in states lacking conforming laws, focusing on the: (1) tasks required of HCFA to assume the role of insurance regulator for HIPAA provisions in states lacking conforming laws and the extent to which the agency has undertaken them; (2) factors that influence HCFA's ability to fulfill these duties; and (3) implications of this new federal regulatory role.
GAO noted that: (1) HCFA must undertake a variety of regulatory tasks, including responding to consumer inquiries and complaints, providing guidance to carriers about HIPAA requirements, reviewing carriers' policy forms and other relevant documents and practices, and imposing civil penalties on noncomplying carriers in states known not to have fully adopted conforming legislation; (2) HCFA's efforts in the five states thus far, however, have varied; (3) HCFA has also begun to review carriers' policies sold in Missouri to ensure HIPAA compliance; (4) however, HCFA has not initiated any direct regulatory activities beyond responding to consumer inquiries and complaints in Massachusetts and Michigan because neither state has formally notified the agency that it has not passed conforming legislation and HCFA has not formally established that the states have failed to conform; (5) in addition to its direct enforcement responsibilities, HCFA may also need to systematically review the laws, regulations, and state practices of the remaining 45 states to verify the extent to which they have adopted HIPAA standards, which it has yet to do; (6) HCFA officials attribute its limited regulatory efforts in these states to an insufficient staff capacity and issues surrounding its regulatory authority; (7) HCFA currently has 39 full-time equivalent staff allocated exclusively for HIPAA-related issues but anticipates needing additional and more specialized staff skilled in regulating private health insurance to be able to more fully undertake regulatory responsibility; (8) however, it has been difficult for HCFA to precisely quantify its staff needs because its long-term responsibilities remain unknown, and the agency lacks experience in regulating private health insurance; (9) in states where HCFA must enforce HIPAA standards, the responsibility for regulating private health coverage is shared among the agency and state insurance departments for insured health plans as well as the Department of Labor for self-funded health plans; and (10) since neither the state nor HCFA has complete regulatory authority over health insurance products sold in these states, HCFA's new regulatory responsibility adds to the potential for confusion for consumers and duplication in oversight.