Master FIR (1988)

NOTE: As provided in LFC policy, this report is intended for use by the standing finance committees of the legislature. The Legislative Finance Committee does not assume responsibility for the accuracy of the information in this report when used in any other situation.

Only the most recent FIR version, excluding attachments, is available on the Intranet. Previously issued FIRs and attachments may be obtained from the LFC office in Suite 101 of the State Capitol Building North.

F I S C A L I M P A C T R E P O R T

SPONSOR:	SJC		DATE TYPED:	03/05/01		HB
SHORT TITLE:		Health Information Privacy Act				SB	676/SJCS
					ANALYST:		Wilson

APPROPRIATION

Appropriation Contained

Estimated Additional Impact

Recurring

or Non-Rec

Fund

Affected

FY01

FY02

FY01

FY02

See Narrative

(Parenthesis ( ) Indicate Expenditure Decreases)

SOURCES OF INFORMATION

Health Policy Commission (HPC)

Human Services Department (HSD)

SUMMARY

Synopsis of Bill

SB 676/SJCS protects health data and information by requiring that health information managers comply with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). SB 676/SJCS requires health information managers to establish and maintain privacy

procedures and provides for civil and criminal penalties. The Health Information Privacy Act now has an effective date of June 30, 2003.

Significant Issues

HSD has noted that SB 676/SJCS makes specific exceptions to federal law. Section 3 essentially specifies that Section 7 take precedence over the cited federal laws. Some provisions of Section 7 contradict the federal law.

The Human Services Department (HSD) is the New Mexico state agency charged under the Social Security and Food Stamp Acts with providing safeguards restricting the use and disclosure of information concerning applicants and recipients to purposes directly connected with the administration of programs under the Acts.

42 USC Section 1396 a(a)(7) is the relevant federal statute pertaining to the safeguarding of Medicaid information. Section 3 only refers to Part C of Title 11 of the Social Security Act. Thus, SB 676/SJCs would fall short of assuring that Medicaid information would be protected. Section 3 should be expanded to include the above statute.

FISCAL IMPLICATIONS

By generally following federal law and having an implementation date that approximates the new federal privacy requirements, the fiscal implications are no greater than will be required under federal law.

However, if HSD or any other state agency is in violation of state or federal statutes and regulations, it could face monetary penalties in accordance with Section 5 and criminal penalties in accordance with Section 6.

ADMINISTRATIVE IMPLICATIONS

By generally following federal law and having an implementation date that approximates the new federal privacy requirements, the administrative implications are no greater than will be required under federal law.

RELATIONSHIP

Relates to: HB 829, Health Information Privacy Act

TECHNICAL ISSUES

The HPC noted that in Section 3, the requirement to comply with the privacy requirements of HIPAA, Title 2, Subtitle F, Part C, Section 264, should be clarified to require compliance with any privacy regulations issued in accordance with this section in HIPAA.

OTHER SUBSTANTIVE ISSUES

The Health Information and Privacy Act would require health information managers to comply with the privacy requirements of HIPAA. These requirements have been outlined by the HPC and are as follows:

HIPAA defines various terms and impose requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct identified transactions electronically.

HIPAA establishes definitions for code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

HIPAA makes any standard adopted applicable to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with the specified transactions

HIPAA requires the Secretary of HHS to adopt standards for transactions, and data elements for these transactions, to enable health information to be exchanged electronically. Requirements are set out for the specific standards the Secretary is to adopt: unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. The security standard authority applies to both the transmission and the maintenance of health information and requires covered entities to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance by the entity's officers and employees.

HIPAA prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance.

HIPAA establishes penalties for any person who knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information .

HIPAA states that federal law preempts contrary state law. There are three exceptions to this general rule of preemption: state laws that the Secretary determines are necessary for certain purposes set forth in the statute; state laws that the Secretary determines address controlled substances; and state laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of state law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately.

HIPAA makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when "authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution."

The Secretary has issued a final rule, "Standards for Privacy of Individually Identifiable Health Information," to illustrate the continued uncertainty of the fate of the rule, the official request for comments includes the following statement:

"The Privacy Rule affects over 600,000 entities and virtually every American. It is estimated to cost in excess of $17.6 billion over ten years. The Department received over 52,000 public comments in the public comment period on the proposed rule; in the period following publication of the final rule, HHS has received approximately a thousand inquiries about the impact and operation of the Privacy Rule on numerous sectors of the economy. Many comments exhibit substantial confusion over how the Rule will operate; others express great concern over the complexity and workability of the Rule. The significance of the Privacy Rule for the health care industry and for society as a whole, and the substantial nature of some concerns that have been raised have led us to conclude that an additional comment period on the Privacy Rule is warranted."

DW/ar