Marketplace records. Regulations governing marketplaces limit their ability to disclose “personally identifiable information” (PII) they either create or collect “for the purposes of determining eligibility for enrollment in a qualified health plan; determining eligibility for other insurance affordability programs…; or determining eligibility for exemptions from the individual responsibility” requirement.22
In their 2012 version,23 these regulations forbade such disclosures except to accomplish marketplaces’ specifically assigned functions, which did not include helping human services programs determine eligibility. Had they remained in that form, human services programs would likely have been barred from receiving much if not all of the information used to determine Medicaid eligibility, which under the ACA will increasingly be under marketplaces’ control or obtained through eligibility services subject to marketplaces’ constraints. Much of that information includes data from the Federal Data Sharing Hub, which provides a single portal through which health programs can access information from multiple federal agencies as well as other entities with which the federal government contracts.
However, revised regulations published in March 2014 permitted marketplaces to disclose PII for other purposes, so long as applicable requirements are met. The most important of these requirements, for purposes of this paper, are the following:
- The individual who is the subject of the information consents to disclosure;
- HHS determines that the information will be used only for the purposes of and to the extent necessary to ensure the efficient operation of the marketplace;
- Tax return information the IRS provided the marketplace may be used only to determine eligibility for insurance affordability programs (and thus not for other purposes, including the determination of eligibility for human services programs);24 and
- Privacy and security standards applicable to the recipient of the information are no less stringent than those that apply to the marketplace itself.
The relevant text from the applicable regulation—45 CFR 155.260—is included in Appendix A, along with the key provisions from a cross-referenced statute.
Applying this regulation to the current context, a human services program wishing to use information from a health coverage program to establish or verify eligibility should obtain consent from the person who is seeking to qualify for human services. Such consent might be obtained as part of the standard “boilerplate” contained in human services forms for application and renewal. However, the human services program may have a stronger case supporting its request for information from the exchange if it can demonstrate that it will obtain consumer consent that goes beyond the “pro forma” level.
Human services programs will also need to explain why providing them with access to PII will help marketplaces function more efficiently. At least two arguments seem reasonable on this count:
- If a marketplace does not provide the human services program with direct access to PII relevant to an applicant’s eligibility for human services, the human services program could ask the applicant for a written record, from the marketplace, showing the same information. In that case, the marketplace would be legally required to provide such a written record, upon the applicant’s request.25 That would be more costly to the marketplace than providing the human services program with direct access to PII via data matching.
- If the marketplace provides the human services program with direct access to PII that helps the program verify eligibility, the human services program could agree, in return, to provide the marketplace with access to the program’s own eligibility records to help the marketplace verify eligibility for insurance affordability programs. That exchange of information would help the marketplace carry out its core eligibility determination functions more effectively and efficiently.
Finally, human services programs will need to enter into agreements with marketplaces specifying the circumstances of data exchange, storage, and use, assuring that all relevant legal requirements will be satisfied. Federal officials could consider providing technical assistance to facilitate this process, perhaps including the development of model contractual terms. That assistance could also shape the disclosure to take into account any limitations that may be imposed by agreements between CMS and the source agencies that provide information to the Federal Data Sharing Hub.
Going beyond the legal documents, however, it may prove challenging for human services programs that operate outdated, legacy systems to meet 21st-century requirements for data security and confidentiality. Each program will need to carefully assess the roles it is able to assume and the steps it will need to take to safeguard the data it receives under these agreements.
Medicaid records. Human services programs could seek to obtain information from Medicaid programs directly, including final determinations of FPL and eligibility. In this context, several federal statutes could be helpful. First, Social Security Act §1137(a)(4)(A) provides that the state agencies administering Medicaid, TANF, SNAP, unemployment insurance, and various other programs listed in §1137(b), “will exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts under any other such program.” This appears to authorize a Medicaid program to provide information from a consumer’s Medicaid records, including information about the Medicaid eligibility determination and final conclusion about an individual’s FPL, to a state agency administering another program listed in Section 1137 if the latter agency believes the information may be of use in establishing or verifying the person’s eligibility or benefit amounts for such other program.
Section 1137(a)(4)(B) also requires Medicaid and the other listed programs to make information available to child support enforcement agencies. Other provisions of §1137 require safeguards to prevent unauthorized disclosure and to ensure that consumers receive notice of possible disclosure at the time of application and periodically thereafter.26
The second relevant statute is Social Security Act §1902(a)(7)(A), which requires Medicaid programs to “provide safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan.” Arguments like those discussed above in connection with the efficient operation of the marketplace might apply here. Namely, if a Medicaid program provides a human services program with direct access, via data exchange, to Medicaid eligibility information, that could allow more efficient operation of the Medicaid program, since it would eliminate the need for Medicaid to provide written print-outs of that same information to consumers upon their request, for the consumers to take to the human services program in documenting eligibility. And by offering data to help human services programs determine eligibility, Medicaid could obtain similar information from human services programs to help Medicaid determine eligibility.
These arguments may be considerably strengthened if the Medicaid program provides access to this information with the consent of the affected individual. In that case, disclosure serves the privacy interests of the individual by allowing the individual to determine what happens to his or her personal information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not prevent health programs from sharing relevant eligibility-related information with human services programs. HIPAA regulations specify that protected health information, normally subjected to privacy controls under HIPAA, may be disclosed in the following circumstances:
“A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs.”27
Accordingly, HIPAA should not bar a Medicaid program from disclosing information from a person’s Medicaid eligibility files, including information about a person’s Medicaid eligibility determination, to an agency administering a different program if (a) Medicaid and that other program serve overlapping populations; (b) the information demonstrates that the individual probably falls within the overlapping population; and (c) disclosure of the information would improve the coordination, administration, and management of one or both programs.