Baseline Information for Evaluating the Implementation of the Health Insurance Portability and Accountability Act of 1996: Final Report. Question A. How effective is the HIPAA model of federal standards/state implementation?


A number of observers view HIPAA as a model for the new Federalism. Under this model, the federal government establishes minimum standards, but states have flexibility with respect to implementation and are charged with enforcement. The federal government serves as enforcer only if the state fails to act.

Before adopting this as a general model of federal/state cooperation, there are several implementation questions that policymakers will wish to answer. First, do the federal standards establish a floor, or do they become a ceiling? In the case of HIPAA, the question is whether states that had gone beyond the federal standards begin to roll back reforms. For example, Nevada had regulations on pre-existing conditions exclusions in small group insurance policies that exceeded the HIPAA minimums, but has recently passed legislation to match the HIPAA requirements.

A second important question related to this model is what enforcement techniques are effective? Little is currently known about what mechanisms states use for enforcement—for example, do states rely on the grievance process to detect non-compliance? Do they impose reporting requirements to monitor the extent to which the market is responding to reforms? What other techniques are employed? What enforcement mechanisms are most effective? Even less is know about the effects of federal enforcement activities and how states will respond.

Answers to the first question can be obtained by monitoring changes in state law over time. IHPS developed a database structure and abstracting procedures for summarizing key elements of state law over time related to insurance regulation in the small group and individual insurance markets. A baseline describing regulations in the pre-HIPAA period (1996 and 1997) is complete. Continuing this abstracting process over time would provide data to measure how states’ regulations have changed in response to the HIPAA legislation.

To study enforcement mechanisms to ensure access, we recommend a four-phase study. The first three phases would be conducted as part of the qualitative case studies described generically above. The first task would be to categorize the enforcement mechanisms used by states and HCFA(now known as CMS) to implement HIPAA. The second part of the task would construct a typology of the various enforcement models. Once this typology is constructed, the third part of the task would be to develop measures of effectiveness and compare selected state models and HCFA(now known as CMS) activities in states included in the case studies. The case study analysis would lead to a typology of state mechanisms, hypotheses about effectiveness, and a protocol for measurement that would then be applied on a national basis.

Phase One: Problem Identification. Recent articles in the trade press have identified certain problems that have limited employee access to HIPAA benefits, including reduced brokerage commissions for enrolling HIPAA beneficiaries, application delays, and large price increases for coverage similar to that which the employee formerly maintained. The case study protocol would include a module to address what steps have been taken within the selected states to identify these and other problems that limit access to HIPAA coverage. For example, the protocol would include the following questions to be covered in the site visit interviews. Has the state put in place routine compliance review mechanisms to identify how HIPAA is being implemented or do states wait for complaints? Has the state implemented a voluntary compliance regime that encourages firms to self-correct without sanctions? Once a problem limiting access to HIPAA is identified, what steps are taken to eliminate the barrier? Does the state maintain a grievance process for employee complaints? If so, has the state analyzed the grievance process data to determine the types of problems employees repeatedly face in seeking HIPAA benefits?

Phase Two: Typology. A second product of this task would be an enforcement typology. To develop the typology the site visit interview protocol would address the following types of questions in states with conforming legislation. Which state agency has primary responsibility for HIPAA enforcement? Has the agency issued regulations or guidelines to employers and employees? How does the enforcement process work within each state? What data are collected to observe changes over time? Have states experimented with different enforcement models? If so, what lessons have they learned from these experiments? Have state agencies experienced any problems with the implementing legislation that might limit its ability to ensure access to HIPAA benefits? Have states solicited advice and cooperation from HCFA(now known as CMS) on enforcement concerns? What sanctions are available for non-compliance with HIPAA? Have any sanctions been imposed?

In states without conforming legislation, the typology would address these additional types of questions. Does HCFA(now known as CMS) attempt to develop partnerships with state agencies, in effect delegating enforcement to the state? How similar are the processes adopted by HCFA(now known as CMS) to those in states with conforming legislation? Has HCFA(now known as CMS) adopted a particular state model for use in non-conforming states? Has HCFA(now known as CMS) developed a mechanism for communicating its approach to states with conforming legislation and vice versa?

Phase Three: Effectiveness Measures. The third product from this task would be a set of hypotheses about the effectiveness of the various enforcement regimes, including a set of defined and measurable outcomes. Measures of effectiveness of the enforcement model might include the numbers of HIPAA eligibles enrolled after enforcement measures are taken relative to pre-enforcement enrollment, and reductions in the average processing times for HIPAA applications. Other measures depend on what types of barriers to enrollment are identified in the first part of this task. The case study interviews would be used to determine what types of outcome measurements are available from states and to gather the data for the sites selected for case study.

Two types of data would be collected to measure effectiveness. The first type would address HIPAA marketing activities. Is the marketing effort directed at employees? How do the states involve the business community in marketing the program? How does the state measure its effectiveness in complying with HIPAA? The second type would include any state information on the number of HIPAA eligibles and enrollees, changes over time in participation rates, and whether the state meets or exceeds federal minimum standards. Additional data would be sought to understand the grievance and complaint processes. How many HIPAA-related complaints have been filed, for what issues, and with what results?

The hypotheses about effectiveness would be tested in the comparative case studies. The purpose of the comparative case studies would be to assess the effectiveness of the states’ HIPAA activities using the typology described above. The findings would be used to refine the typology and measurement procedures for a national survey of state enforcement.

Phase Four: National Survey of State Regulators. The case study development work would yield a set of measures to describe the different enforcement models that have been identified, a set of measures of effectiveness, and a set of hypotheses about the relationships among these measures. The case study efforts will have identified what types of measures can be reported by most states. With this development work, we suggest that a fourth phase of this task would be to develop and administer a survey of state regulators on a national basis in order to have a comprehensive picture of state enforcement practices and their effectiveness.