Medicaid and health information: current and emerging legal issues.

Legal questions are an inevitable byproduct ofsignificant technology change in health care such as that underway as a result of health information technology (HIT). This article examines several important existing and emerging legal questions in a Medicaid context. First, do the Centers for Medicare & Medicaid Services (CMS) and State Medicaid agencies, have a fiduciary obligation to adopt and fully use health information technology given its potential to improve health care quality while reducing racial, ethnic, and socioeconomic disparities in health and health care? Second, how can Medicaid privacy standards be reconciled with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule? Third, what actual or perceived legal barriers exist to ensuring that Medicaid information is interoperable with data produced under critical health care, educational, and social programs from which beneficiaries are simultaneously receiving care?

Introduction

In a multipayer, market-oriented health care system with shared Federal/State oversight responsibilities, technology advances that transform the system can raise complex legal questions. When the transformation involves HIT, the legal questions can be particularly complex, because of the central and historic role played by patient information in clinical quality and system accountability (Rosenblatt, Law, Rosenbaum, 2001; Furrow, et al., 2005).

Many of these legal questions arise within the body of Federal and State law that directly governs the collection, storage, use, and disclosure of patient information. But the legal questions extend beyond information law, reaching the body of laws that collectively authorize public and private health care financing.

This article focuses on several of the health information-related legal questions that arise under Federal Medicaid law. How these legal questions are resolved will determine in large part the extent to which the anticipated benefits of health information reach millions of Medicaid beneficiaries.

HIT

HIT advances are essential under Medicaid because of the program's size, structure, and importance. The largest of all Federal health care programs, Medicaid covered more than 55 million persons in 2005, financing nearly 20 percent of all personal health care (Kaiser Commission on Medicaid and the Uninsured, 2006). Medicaid's presence is especially pronounced among children (covering one in four younger children), as well as among children and adults with serious and chronic health conditions. Medicaid's coverage is relatively comprehensive in recognition of the financial and health status characteristics of its beneficiaries. Indeed, Medicaid is characterized by eligibility, enrollment, and coverage features that set it apart from other health care third party payers, whether commercial insurers, employee health benefit plans, or Medicare (Weil, 2003; Rosenbaum, 2002; 2006). Federal eligibility categories span many groups who would be excluded from commercial plans; indeed, even Medicaid enrollees resembling the privately insured population (e.g., working age adults and children) experience significantly poorer health status. Medicaid enrollment occurs at the point of need, and is not structured to avert adverse selection.

Medicaid beneficiaries are overwhelmingly financially or medically impoverished, and are disproportionately members of racial or ethnic minority groups. (Rosenbaum, 2002) In light of who its beneficiaries are, Medicaid finances a broad array of services and benefits with limited cost sharing. Provider participation is more limited and concentrated, with smaller numbers of providers (frequently health care providers characterized as members of the health care safety net) accounting for a higher proportion of care. Moreover, their combined health and social risks mean that beneficiaries frequently receive services across a range of publicly financed health, educational, and social programs. Finally, as States begin to experiment with beneficiary enrollment into alternative benefit arrangements as a result of the coverage flexibility features of the 2005 Deficit Reduction Act (DRA), which give States broadened discretion to alter traditional Medicaid coverage requirements for certain classes of children and adults (Centers for Medicare & Medicaid Services, 2006), Medicaid's need to function seamlessly both with other health care payers and public programs will intensify.

Despite the importance of HIT to Medicaid's ability to advance patient safety and quality, Medicaid spending on this technology is low. In 2005, total Federal and State Medicaid financing stood at an estimated $316.5 billion (Urban Institute and Kaiser Commission on Medicaid and the Uninsured, 2006); of this amount, expenditures related to HIT amounted to approximately 2.6 billion, less than 1 percent of total program spending that year (Friedman, 2006). Medicaid beneficiaries and their health care providers have been identified as at special risk for exclusion from HIT advances despite the potential of technology to make a significant difference in their care (Blumenthal et al., 2006). Thus, while many of the legal questions raised by HIT transformation confront the health system, those specific to Medicaid take on special urgency.

Despite the importance of identifying and resolving actual or perceived legal barriers to HIT adoption in the case of Medicaid, President Bush's August 2006 Executive order, which aims to use the power of the Federal Government to speed HIT adoption under Federal health care programs, exempts both Medicaid and its smaller companion, the State Children's Health Insurance Program (The White House, 2006). The Executive order does not elaborate on the basis for this exemption; what is clear however, is that Medicaid raises important legal issues in its own right, which must be resolved in order to integrate Medicaid-financed health services into transparent, interoperable electronic health information systems that effectively utilize electronic health records as well as other tools and features designed to improve patient safety and health care quality (Blumenthal et al., 2006).

HIT Adoption-Related Medicaid Legal Issues

Medicaid's Fiduciary Duty

Since its enactment more than 40 years ago, Medicaid has contained a fiduciary duty standard that governs the relationship of State programs to beneficiaries and likewise establishes the legal frame through which Federal program administration takes place. Specifically, the statutory State plan requirements specify that State plans for medical assistance must:

“Provide such safeguards as may be necessary to assure that eligibility for care and services under the plan will be determined and such care and services will be provided in a manner consistent with simplicity of administration and the best interests of the recipients” (42 U.S.C. §1396a (a) (19), 2006.)

This best interest provision is analogous to the fiduciary duty standard governing plan administrators under the Employee Retirement Income Security Act. It obligates State programs, like entities that administer these plans, to act with regard to beneficiary interest in all phases of program operations (Rosenbaum and Borzi, 2006). Because it is the responsibility of the Secretary of Health and Human Services to ensure that State programs are operated in accordance with State plan requirements, this obligation to act in the best interest of beneficiaries can be thought of as extending to Federal program stewardship as well. In the context of advances in technology that carry the potential to increase the quality and safety of care through the creation of more and better information about health care processes and outcomes, the best interests requirement serves as a broad legal directive to incorporate such advances into State plan administration. Furthermore, because Medicaid's structural and financial underpinnings contemplate the extensive use of electronic information collected and stored in management information systems, the program is positioned to adapt to advances in HIT.

Medicaid Management information Systems (MMIS)

Health information creation, management, and transmission have been a central feature of the Medicaid Program for more than 30 years. Since 1972, the statute has required States to have MMIS capable of paying claims and retrieving health information and delegates to the Secretary of Health and Human Services the authority to determine the standards by which compliance will be measured. Special Federal rates apply to initial and ongoing expenditures to support system installation, modernization, and operations (42 U.S.C. §1396b (a), 2004). Federal financial participation is set at preferred rates for design, development, and operation of these systems. Federal policies specify MMIS requirements and performance standards, and the Federal policy interest in the capability of these systems is reflected in the preferred rate of Federal financial participation that is provided. As health systems technology has changed, so have Federal standards for MMIS functions in areas such as claim simplification, fraud and abuse, and financial performance (Smith, 2002).

As electronic health record (EHR) standards emerge, modification of Federal MMIS standards, in accordance with applicable standards governing the safety and security of protected personal health information (PHI) (Certification Commission on Healthcare Information Technology, 2007), will be necessary to ensure both the appropriate interface with, and support for, electronic patient health records. Such modifications also will be essential if the program and its participating providers and beneficiaries are to be able to benefit from the advances that EHRs can be expected to yield where health care quality, health information transparency, and patient safety are concerned.

State-level interest upgrading MMIS to conform to all aspects of HIT evolution can be expected to intensify as a result of developments such as the growing participation of State Medicaid Programs in Regional Health Information Organizations and other health information exchange networks. Thus, the growing use of health information for both Medicaid management and operations and cross-payer review and analysis can be expected to pave the way for the development of new MMIS capability standards as a condition of Federal funding.

In this regard, a series of Federal standards are needed that specify several matters with clarity. The first is the development of MMIS specifications regarding HIT capabilities and functions in relation to health care quality, health expenditure efficiency, and patient safety. The second issue is the establishment of Federal payment standards for both HIT adoption and ongoing operations. The third area relates to State plan options with respect to provider compensation. Federal standards in this area would help incentivize HIT adoption among providers as part of a pay-for-performance initiative in both managed care and fee-for-service aspects of the program. In each of these areas, existing law would appear to give the Secretary of Health and Human Services ample authority to revise and transform MMIS-related conditions of participation.

Accountability for Quality

The best interest standard described earlier provides legal leverage for HIT adoption within Medicaid as a means of advancing the timeliness and quality of health care. In a health information age, this best interest standard could be understood as encompassing a duty to adopt modern information technologies that in turn pave the way for quality improvement in medical care practice and service integration across a range of health, educational, and social programs.

The theme of health care quality in Medicaid is deeply embedded within the statute. As a general matter, State agencies must utilize methods of administration that ensure that payments are consistent with efficiency, economy, and quality of care (42 U.S.C. §1396a (a) (30), 2006). State Medicaid Programs that utilize the services of managed care entities in program administration must ensure the quality of care (42 U.S.C. §1396u, 2004). Assurance of health care quality is a specific aspect of State agency oversight of institutional health care services and prescription drug use; assuring the timeliness and quality of care for children receiving early and periodic screening, diagnostic, and treatment is a similarly longstanding State obligation (42 U.S.C. §§1396a (a) (43), 1396r (f) and 1396r-8(g), 2006). Indeed, in the case of nursing facility services, the statute makes assurance of quality an express duty of the Secretary of Health and Human Services (42 U.S.C. §1396r (f) (1), 2006). Similarly, States that offer home and community-based services either through Federal waivers or as a State plan option must assure the quality of care (42 U.S.C. §1396n (d)-(e), 2006).

The best interest standard powerfully combines with the embedded expectation of quality oversight that permeates the statute and runs as a recurrent theme through Federal interpretive rules and guidelines. This expectation of quality management, when combined with Federal information management expectations, suggests the appropriateness of a new set of legal standards that establish EHRs and related HIT as a long-term and fundamental expectation of participating States. HIT capabilities, combined with new reporting requirements designed to capture basic information about the process and outcomes of care, would appear to be part and parcel of reconceptualizing the best interest standard in a health information age.

Adapting Medicaid Provider Practices to EHR and HIT

As HIT adoption proceeds within States and throughout the general provider community, a significant legal question that can be expected to emerge is whether health professionals and institutions should be expected to adopt HIT functionalities, including EHRs, as a Medicaid condition of participation. Particularly important would be possession and use EHRs that are capable of storing and transmitting a minimum level of health information, as well as the use of certain other HIT functions, such as decision support, participation in registries, and e-prescribing.

To date, no State has established EHRs as a basic condition of licensure for either health professionals or health care institutions, but the relationship between patient safety and HIT ultimately be perceived as so basic (Annas, 2005) that it is conceivable that such a licensure condition could evolve, particularly with respect to health care institutions. Even if HIT adoption did not become a licensure matter, State Medicaid Programs certainly could specify a minimum level of adoption as part of their basic power to delineate qualification standards for participating providers (42 U.S.C. §1396a(a)(23), 2006). This power is bolstered by the best interest standard as well as by the obligation to assure payment for services of adequate quality.

To the extent that EHRs become a condition of participation in Medicaid, a related and important legal question emerges: the extent to which Medicaid law permits States to take into account the costs associated with the adoption and ongoing operation of HIT. The relationship between Medicaid payment rules and provider participation standards in the area of health information is particularly important in the case of safety net providers such as federally qualified health centers (FQHCs), rural health clinics, nursing and intermediate care facilities, public and children's hospitals, and Medicaid-specialized managed care systems. For these providers, Medicaid is such a dominant purchaser that their capacity to upgrade their practices in response to heightened participation standards will depend heavily on the extent to which Medicaid agencies recognize the cost of adapting and operating information systems. The Federal payment standards that apply to FQHCs and rural health clinics appear to offer ample legal authority to recognize and pay costs associated with HIT adoption and operations (42 U.S.C. §1396a(bb), 2004), thus it would not appear that legislation is needed to adapt Medicaid payment standards to take into account HIT adoption by FQHCs and rural health clinics. At the same time, clarification of the permissibility of such payment reforms would appear to be critical to progress.

Establishing Minimum Health Information Reporting Standards

Just as the health information revolution leads to questions regarding minimum State MMIS capabilities, it also refocuses attention on the question of whether provider conditions of participation should include reporting of health care process and outcome measures under a minimum data set. States increasingly require such reporting among their managed care entities. But most Medicaid expenditures occur in the fee-for-service dimension of the program where few measures exist and performance measurement and reporting is far less well developed. Whether States and the Secretary of Health and Human Services move toward a minimum performance data set for all aspects of Medicaid-financed care represents a critical policy issue; what is relatively clear is that the broad quality and best interest standards of the statute permit such an evolution.

Adapting Medicaid Privacy Standards

Data security is a basic requirement of all Medicaid Programs. Furthermore, since its original enactment, Medicaid has contained provisions whose purpose is to ensure the safeguarding of beneficiary and patient information. An emerging and critical legal question is whether the Medicaid privacy statute should be interpreted in a fashion that parallels the HIPAA privacy rule in order to ensure seamlessness in privacy standards as a matter of Federal law.

There is no definitive Federal ruling on the relationship between the Medicaid and HIPAA privacy standards. In recent years CMS has established a Medicaid Information Technology Architecture initiative, one of whose purposes is to assure the availability of health information to those who need to know without compromising principles of privacy and patient/provider confidentiality (Centers for Medicare & Medicaid Services, 2003). The Medicaid Information Technology Architecture materials to date do not appear to include a careful review of the two bodies of law, their structure and purpose, and the extent to which the older Medicaid law should be subsumed under the HIPAA privacy standards. Although CMS recognizes the relationship between Medicaid and HIPAA privacy standards (Centers for Medicare & Medicaid Services, 2001), the extent to which the two sets of standards mirror one another does not appear to have been definitively addressed in either Medicaid or HIPAA law. This lack of conformance carries enormous consequences for health care providers, State Medicaid Programs, and the health system as a whole. To the extent that the standards that guide Medicaid privacy safeguards are viewed as different from those that govern all payers generally under HIPAA, the ability to integrate Medicaid-financed patients and services and those financed by other payers into fully interoperable information arrangements may be seriously hindered.

In its structure the Federal Medicaid privacy statute (42 U.S.C. §1396a(a)(7), 2004) is strikingly similar to HIPAA. The statute specifies that State plans for medical assistance must “…provide safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with administration of the plan.” Implementing regulations (42 C.F.R. §431.300, 2004) define the term “…purposes directly related to State plan administration…” to cover: (1) establishing eligibility; (2) determining the amount of medical assistance; (3) providing services for recipients; and (4) conducting or assisting an investigation, prosecution, or civil or criminal proceeding related to the administration of a plan.

A simple reading of these regulations in the context of the HIPAA Privacy Rule reveals striking similarities to the treatment, payment, and health care operations standard that lies at the heart of the HIPAA disclosure rule. Thus, for example, in the absence of a stricter State law requiring informed patient consent, the Medicaid rules appear to permit Medicaid providers seamless access to patient treatment information just as they could in the case of their privately insured patients under HIPAA.

The adoption of the HIPAA standard for disclosure appear to be consistent with both the all-payer nature of HIPAA as well as the language of the Medicaid privacy statute itself; indeed, the concept of safeguarding beneficiary privacy would appear to be a striking precursor of the HIPAA privacy rule. A fundamental purpose of HIPAA, grounded in concepts of both safety and quality, is to ensure that treating providers have access to patient medical records in order to guide treatment decisions. Nothing in the Medicaid privacy statute would appear to compel a contrary result, since the assurance of health quality—a basic State plan requirement applicable to all Medicaid Programs—is a function directly related to Medicaid Program administration, and the impact of health information on health quality is well documented (Institute of Medicine, 2001).

At the same time that the pressure increases for Medicaid concordance with HIPAA in the context of patients and their health care providers, important considerations also argue for the continuation of stricter preemptive standards in the area of law enforcement, where Federal Medicaid privacy standards continue to play a vital role. Thus, for example, Federal courts, citing Federal Medicaid privacy considerations and a strict interpretation of the directly related standard have barred the U.S. Attorney General from seizing records regarding abortions furnished to Medicaid enrollees in order to determine whether Federal laws prohibiting certain types of abortions have been violated (Open Society Institute, 2004). At the same time, it seems evident that CMS could require the disclosure for patient safety, quality, or provider fraud purposes, of patient-specific data regarding Medicaid-financed abortions or other controversial treatments.

Medicaid's Interaction

Another set of legal questions concerns Medicaid's informational interaction with other public programs. The complex needs of Medicaid beneficiaries mean that individuals may participate in multiple programs that must function seamlessly. More than other insurers, Medicaid agencies and participating providers need ongoing interactions with health, educational, and social services, such as the child welfare system, special education, and adult social services. Data exchange standards that honor patient privacy and security while also permitting exchange of critical information have never been more critical.

A review of all laws that relate to health information privacy is of course beyond the scope of this article; certain programs are offered as illustrative examples. In some cases, the Federal Medicaid statute and interpretive rules contemplate operational links, particularly in the case of children as a function of early and periodic screening, diagnostic, and treatment and Medicaid's interaction with the Title V Maternal and Child Health Services Block Grant (42 U.S.C. §§1396a(a)(11) and 1396a(a)(43), 2004). Other key programs whose missions overlap with Medicaid are the Federal family planning program (42 U.S.C. §§300, 2004), the Federal health centers programs (42 U.S.C. §§254c, 2004), Federal mental health and substance abuse programs (42 U.S.C. §§290bb, 2004), programs funding immunizations, sexually transmitted disease, and tuberculosis detection and treatment (42 U.S.C. §§247b, 2004), the Ryan White CARE Act (42 U.S.C. §§300cc-1, 2004), the Individuals with Disabilities Education Act, and the Supplemental Feeding Program for Women, Infants and Children.

Federal Medicaid law requires the development of cooperative agreements between Medicaid agencies and State health agencies that cover data exchange among other matters (42 U.S.C. §§1396a, 2006), but these provisions have not received attention in recent years. Addressing information exchange in a best interests context represents a pressing legal matter.

Title X illustrates the complex issues that can arise in an effort to address the mutual exchange of patient data related to treatment, payment, and health care operations. Since 1970 Congress has authorized grants to support the provision of confidential family planning services. A key issue related to reproductive health care access and quality thus becomes the conditions under which Medicaid Programs and Title X agencies should be expected to exchange data critical to the management of reproductive health care. Should the Title X confidentiality rule bar Medicaid Programs from securing data needed to measure the quality of care furnished by Title X grantees? Conversely, should Title X grantees be able to have secure, online access to a beneficiary's complete prescribed drug history when the purpose is patient treatment?

Services related to the prevention, treatment, and management of alcohol and substance abuse (Public Health Service Act, 42 U.S.C. §§290dd-3(b), 2004) raise similar issues. Federal substance abuse law prohibits the disclosure of information related to identification, diagnosis, prognosis, or patient treatment without the express consent of the patient. (42 U.S.C. §§290dd-3, 2004). Should this bar to disclosure supersede Federal Medicaid best interest standards? Can this bar to disclosure be reconciled with the more modern HIPAA disclosure standard, which permits disclosure for treatment, payment and health care operations without consent?

Beyond data exchange related to treatment, payment, and health care operations lie data exchanges for public health or broad social purposes. Examples are legal disclosures of notifiable conditions, and the provision, or receipt, of information between Medicaid agencies and public education and child welfare systems. This very basic question, regarding whether the current patchwork of Federal information laws should give way to broad and unifying legal standards that govern the exchange of information in a post-HIPAA world in the throes of an information technology revolution, begs for close study, especially in the case of Medicaid.

Conclusion

Medicaid law contemplates a program driven by health information, administered in the best interests of beneficiaries, and possessed of a fiduciary duty to ensure quality. Reinterpreting and applying these enduring principles in a health information age represents a major legal step forward in program stewardship. In recent years, CMS has devoted time and attention to developing the basic health information architecture. Now it is time to make this architecture meaningful and functional by developing the standards and guidelines that will spur adoption. The partners in this Medicaid modernization quest include the Federal Government, State agencies, health professionals, health care institutions and providers, and informed patients. Information technology makes major advances in quality, safety, and health care disparities reduction possible; it is advances in legal standards that will in part, determine if these advances reach beneficiaries and the broader health care system.