• Mental Health and Minors: Proceed With Caution!
• The Risk Corridors Program: Should the Government Pay?

Mental Health and Minors: Proceed With Caution!

By Carri Becker Maas, Partner, Healthcare Litigation | John M. LeBlanc, Partner, Healthcare Litigation

Imagine representing a party in a lawsuit concerning coverage for mental health services. The lawsuit was brought by the parents of a minor child. The client received a request for production of medical records concerning the child’s mental health treatment. Can the client produce the records?

In short: it depends.

The path to the correct answer is exceedingly complex. It requires an analysis of federal privacy rules, state privacy and minor consent laws, and applicable regulations. This article provides an overview of the type of analyses a lawyer should undertake to determine whether a minor’s medical records relating to mental health treatment may be produced.

HIPAA Privacy Rules

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes federally protected rights that permit individuals to control certain uses and disclosures of their protected health information, including their medical records.

Under HIPAA Privacy Rules, with certain exceptions, mental health records are generally treated the same as medical records. In the context of litigation, medical records can typically be disclosed by a covered entity (defined as providers, health plans and other entities specified under 45 C.F.R. 160.103) in any one of the following situations:

a) The patient provides written permission for the disclosure;
b) The covered entity is a party to the litigation and uses or discloses the records for purposes of the litigation, so long as the entity makes reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose;
c) The covered entity receives a court order; or
d) The covered entity receives a subpoena for the information, if the covered entity either:

i. Notifies the subject of the information about the request, so the person has a chance to object to the disclosure; or
ii. Seeks a qualified protective order from the court.

See 45 C.F.R. § 164.512(e).

Yet HIPAA Privacy Rules alone do not answer the question as to when and under what circumstances a minor’s mental health records may be disclosed. State privacy laws and state laws concerning consent and minors must also be considered.

State Privacy Laws

Many states have enacted privacy laws that are more stringent than HIPAA and place further protections on disclosure of medical records generally and mental health records specifically.

In California, mental health records may be subject to one of two state laws: (1) the Lanterman-Petris-Short Act, California Welfare and Institutions Code, Section 5328 et seq. (LPS Act); or (2) the California Confidentiality of Medical Information Act, California Civil Code Section 56 et seq. (CMIA). To determine whether mental health records may be disclosed under California law, the first inquiry to make is whether the records are subject to the LPS Act or CMIA.

The LPS Act concerns involuntary civil commitment to a mental health institution in the state of California, and it strictly prohibits the disclosure of medical records concerning involuntary commitments absent a court order. Cal. Welf. & Inst. Code § 5328(f). In contrast, the CMIA generally prohibits a healthcare provider, healthcare service plan or contractor from disclosing medical information regarding a patient without first obtaining a written authorization from the patient, with certain exceptions. Cal. Civ. Code § 56.10. Disclosures can be made without written authorization in certain circumstances, including but not limited to where compelled by:

1. Court order;
2. An administrative agency under its lawful authority; or
3. A party to a legal proceeding before a court or administrative agency by subpoena or other authorized discovery mechanism.

Cal. Civ. Code § 56.10.

Even if applicable state laws authorize disclosure of mental health records, that is unlikely to be the end of the inquiry where a minor’s medical records are involved.

Consent and Minors

When consent to release a minor’s records is required under federal or state law, who is authorized to provide that consent?

Under the HIPAA Privacy Rule, “personal representatives” are those persons who have authority, under applicable law, to make healthcare decisions for a patient. Typically, a parent, guardian or other person acting in loco parentis (collectively, Parent) is considered a personal representative of his or her minor child. As such, he or she has the authority to make healthcare decisions for the minor and may exercise the minor’s rights with respect to protected health information.

But there are several important exceptions to this rule. A Parent is not considered the “personal representative” of his or her minor child when:

1. A minor has consented to the healthcare services and the consent of the Parent is not required by federal or state law;
2. Someone other than a Parent is authorized under federal or state law to provide consent for the medical services to a minor and provides such consent (e.g., court-ordered healthcare services); or
3. A Parent consents to a confidential relationship between the minor and a healthcare provider with respect to the healthcare service.

In addition to these federal rules, many states have enacted more stringent privacy and informed-consent laws concerning minors. These laws generally fall into two categories: laws based on the status of the minor (e.g., minors who are emancipated) and laws based on the type of care sought (e.g., mental health or family planning).

For example, in California minors 12 years or older may consent to outpatient mental health treatment if, in the opinion of the treating provider, the minor is mature enough to participate intelligently in the mental health treatment. Cal. Health & Saf. Code § 124260. In such a case, a provider cannot share the minor’s medical records with his or her parents (or others) absent a signed authorization from the minor. Cal. Health & Saf. Code §§ 123110(a), 123115(a)(1); Cal. Civ. Code §§ 56.10, 56.11, 56.30.

Federal law also permits providers to refuse to produce medical records to a parent or person otherwise entitled to receive them if the provider believes that (a) the patient has been or may be subject to violence, abuse or neglect by that person; (b) the patient may be endangered if that person is treated as a personal representative; or (c) it is not in the best interests of the patient to treat the person as a personal representative. 45 C.F.R. § 164.502(g). California state laws similarly permit a provider to refuse to disclose records if the provider believes disclosure would negatively impact (a) the provider’s professional relationship with the minor or (b) the minor’s physical safety or psychological well-being. Cal. Health & Saf. Code § 123115(a)(2). 

Records Subject to Heightened Protections

Another critical inquiry is whether the specific type of records requested may be disclosed under any circumstances. Certain classes of medical records are subject to heightened protections; two examples are psychotherapy notes and medical records regarding substance use disorder (SUD) diagnoses and treatment.

1. Psychotherapy Notes

The HIPAA Privacy Rule distinguishes between mental health information that is contained within an individual’s medical record and psychotherapy notes. Psychotherapy notes are subject to heightened protections and, with limited exceptions, may be disclosed only if the patient signs an authorization permitting disclosure. See 45 C.F.R. § 164.508(a)(2). Similarly, a personal representative is precluded from obtaining psychotherapy notes regarding his or her minor child. Disclosure of psychotherapy notes is permitted only where certain federal exceptions apply, including where disclosure is required by law, such as mandatory reporting of abuse and duty to warn in cases of serious and imminent threats.

Even where disclosure is permitted under federal law, state laws should also be consulted. Where state laws conflict with federal laws, a pre-emption analysis will need to be undertaken to determine which law governs.

2. Substance Use Disorders

Another class of records afforded heightened protection relates to SUDs. The Confidentiality of Alcohol and Drug Abuse Patient Records regulation, 42 C.F.R. Part 2, applies to any individual or program that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment. This federal law restricts the disclosure and use of patient records that include information on substance use diagnoses or treatment information. 42 C.F.R.§ 2.11. Except in very limited circumstances, this law requires a patient’s written consent—with nine specified elements, including the precise recipient of the disclosed information and the purpose of the disclosure. 42 C.F.R. §§ 2.31(a), 2.51-2.53.

Where medical records contain SUD diagnoses or treatment information, disclosure should not be made absent specific written authorization from the patient—or the patient’s personal representative—unless an exception applies. See 42 C.F.R. §§ 2.51-2.53 (establishing exceptions for medical emergencies, research and audits).

Conclusion

Lawyers are well-advised to proceed with caution in the complex arena of mental health privacy laws, especially with regard to minors. While this article highlights some of the federal and state laws at play, a comprehensive review of all potentially applicable federal and state laws is strongly advised before disclosure in any case.

back to top

The Risk Corridors Program: Should the Government Pay?

By John M. LeBlanc, Partner, Healthcare Litigation | Samuel A. Canales, Associate, Litigation

The Patient Protection and Affordable Care Act (ACA) established health insurance exchanges where insurers can offer qualified health plans (QHPs) to individuals and certain employers. Because the exchanges made coverage available to people who previously were uninsured or underinsured, some QHP issuers may have lacked enough information to properly evaluate risk and anticipate costs. 

To encourage QHP issuers to set modest premiums during the early years of the exchanges, the ACA established a three-year risk corridors program (Program) that would reimburse QHP issuers certain excess benefit costs. However, by the end of the Program, the federal government had yet to reimburse QHP issuers more than $12 billion. The government has since refused to appropriate sufficient funds to pay the outstanding amounts. The article below provides a brief overview of the Program, two important cases on appeal concerning the federal government’s obligation to make the payments, and the recently passed omnibus spending bill.

The Risk Corridors Program

The Program started in 2014 and required QHP issuers to spend a certain portion of premium funds (target amount) on healthcare and quality improvement (allowable costs) each benefit year. See 42 U.S.C. § 18062. QHP issuers that spent less than 97% of the target amount had to pay a portion of their gains into the Program (Collected Amounts). 42 U.S.C. § 18062(b)(2); 45 C.F.R. § 153.510(c). QHP issuers that spent more than 103% of the target amount would be reimbursed a portion of their excess losses (Risk Corridors Payment). 42 U.S.C. § 18062(b)(1); 45 C.F.R. § 153.510(b). 

Through annual appropriations riders, Congress limited funding for the Risk Corridors Payments to the Collected Amounts. Risk Corridors Payments exceeding the Collected Amounts were transferred to the following year. However, by the end of the Program in 2016, more than $12 billion remained outstanding due to QHP issuers experiencing more significant losses than significant gains, resulting in inadequate Collected Amounts. The government has since refused to appropriate additional funding to cover the outstanding Risk Corridors Payments, prompting many QHP issuers to file suit.

Legal Actions Concerning the Outstanding Risk Corridors Payments

Two important cases addressing the outstanding Risk Corridors Payments are Land of Lincoln Mutual Health Insurance Company v. United States and Moda Health Plan, Inc. v. United States.

In Land of Lincoln Mutual Health Insurance Company, Judge Charles Lettow of the Court of Federal Claims held that “HHS’s decision not to make full payments annually cannot be considered contrary to law.” Land of Lincoln Mut. Health Ins. Co. v. United States, 129 Fed. Cl. 81, 108 (2016). The court found that the ACA was “ambiguous in terms of the ‘payments in’ and ‘payments out’ arrangement for risk-corridors payments because it does not contain an express authorization for appropriations to make up any shortfall in the ‘payments in’ to cover all of the ‘payments out’ that may be due. And, it does not explicitly require ‘payments out’ to be made on an annual basis, whether in full or not.” Id. at 106. Because of these ambiguities, the court deferred to “HHS’s interpretation [of the ACA, which] was reflected in its final rule on May 27, 2014, [where] it stated that it intended to administer risk corridors in a budget neutral way over the three-year life of the program, rather than annually.” Id. (internal quotation marks omitted). The court also found there was no contract between Land of Lincoln Mutual Health and the government concerning the Program. Id. at 108-113.

In contrast, in Moda Health Plan, Inc., Judge Thomas Wheeler of the Court of Federal Claims held that “the Government . . . unlawfully withheld risk corridors payments from Moda, and is therefore liable. The Court [found] that the ACA requires annual payments to insurers and that Congress did not design the risk corridors program to be budget-neutral. The Government is therefore liable for Moda’s full risk corridors payments under the ACA. In the alternative, the Court [found] that the ACA constituted an offer for a unilateral contract, and Moda accepted this offer by offering qualified health plans on the Health Benefit Exchanges.” Moda Health Plan, Inc. v. United States, 130 Fed. Cl. 436, 441 (2017). The “Government made a promise in the risk corridors program that it has yet to fulfill. [T]he Court [directed] the Government to fulfill that promise. After all, to say to [Moda], ‘The joke is on you. You shouldn’t have trusted us,’ is hardly worthy of our great government.” Id. at 466 (quoting Brandt v. Hickel, 427 F.2d 53, 57 (1970)).

Both cases are on appeal in the Federal Circuit, which heard oral argument in January 2018.

The Health & Human Services 2019 Budget

In an interesting turn of events, the Health & Human Services (HHS) 2019 proposed budget released on February 12, 2018, included $11.5 billion to fund the outstanding Risk Corridors Payments. Land of Lincoln Mutual Health Insurance Company and Moda Health Plan, Inc. alerted the Federal Circuit to the budget, and argued that it showed the federal government’s intent to fund the Program. However, on February 19, 2018, HHS posted a revised budget once again limiting outlays for the Program to the Collected Amounts. On March 23, 2018, President Trump signed into law a $1.3 trillion omnibus spending bill that did not appropriate additional funds to cover the outstanding Risk Corridors Payments.

Conclusion

In light of the federal government’s steadfast refusal to fully fund the Program, the Federal Circuit’s decisions in Land of Lincoln Mutual Health Insurance Company and Moda Health Plan, Inc. will have significant financial consequences in these cases and the numerous others just like them. The Federal Circuit’s decisions are expected any day now.

back to top

How Can All-Payer Claims Databases Support Insurance Regulation?

By Joel S. Ario, Managing Director, Manatt Health | Kevin McAvey, Senior Manager, Manatt Health

Editor’s Note: On March 24, 2018, Joel Ario, managing director at Manatt Health, and Kathy Hempstead, a senior advisor to the Robert Wood Johnson Foundation, delivered a presentation on All-Payer Claims Databases (APCDs) to the National Association of Insurance Commissioners (NAIC) Regulatory Framework Task Force. The presentation, summarized below, provided a detailed look at APCDs, including use cases and caveats. Sharing preliminary considerations, the presentation was the product of extensive research and nearly a dozen interviews with state APCD and insurance leaders. Click here to download the full presentation free.

The final presentation and report will be delivered at the next national NAIC meeting in August.

________________________________________

What Are APCDs?

All-Payer Claims Databases (APCDs) are centralized state data repositories for health insurance membership and claims records. States with APCDs typically require insurers operating in their markets to regularly submit medical, pharmacy and dental claim files for all members residing in and/or contracted in their state. Mature APCDs allow for cross-payer, marketwide enrollment, utilization and payment trend analyses and are an increasingly leveraged data resource by regulators, policymakers and researchers.

Maine was the first state to establish an APCD in 2003, and since that time, more than a dozen other states have either followed suit or are in the process of doing so. (Note: As shown on the map below, additional states have established voluntary “multi-payer” or partial APCDs.) 

According to results of Manatt Health’s first APCD Capacity Survey—co-administered with the National Association of Health Data Organizations—on average, APCDs include data for three-fifths of their states’ populations, with robust coverage of the private fully insured, Medicaid and even Medicare Advantage populations. This breadth and depth of coverage make APCDs a particularly attractive data resource for insurance departments.

Source: Manatt Health APCD Catalogue (accessed March 1, 2018)

Four APCD Use Cases for Insurance Regulators

Mature APCDs have the potential to inform insurance department policy and program goals across four areas:

1. Price Transparency: APCDs can provide a wealth of dynamic price data to inform the decisions of regulators, policymakers and even consumers. New Hampshire, Maine and Maryland, for example, have used data from their respective APCDs to populate consumer websites, where prospective patients can compare estimated costs for procedures and services across providers. Frequently complementing insurer-developed, plan-specific patient cost calculators, state consumer websites are often part of broader strategies to promote consumer empowerment and market competition. Other states have leveraged their APCDs to produce statewide cost-driver reporting and to identify, investigate, and respond to unexplained price variations between payers, providers and services.
2. Rate Review: APCDs include data that insurance regulators can use to enhance their understanding of insurance markets for rate review purposes. Mature APCDs have the potential to generate useful trend reports on most claims categories of interest to insurance regulators, highlighting member experience differences by geography, demographic characteristics and time period. Mature APCDs also can allow for impact monitoring of delivery system reforms, quality initiatives and other ad hoc analyses (e.g., frequency and severity of claims for 1332 waiver reinsurance program proposals). The Maryland Insurance Administration uses its state’s APCD, the MD Medical Care Database, for example, to check payer submissions and run deeper analyses. Oregon’s Department of Consumer and Business Services uses its APCD (APAC) data in its review of premiums for individual and small group health plans, while Massachusetts’ Center for Health Information and Analysis has worked in partnership with its Division of Insurance to reduce the statewide payer reporting burden by directly sourcing several insurance reports from its APCD (supporting “administrative simplification”).
3. Network Adequacy: APCDs have the potential to be a significant resource in helping insurance regulators set and monitor network adequacy standards. The New Hampshire Insurance Department, for example, views its APCD, the New Hampshire Comprehensive Healthcare Information System (CHIS), as a prime resource to help it monitor the impact of its new network adequacy regulation (IR 2701), which measures adequacy by service category rather than provider type. Mature APCDs have the potential to help insurance regulators answer critical questions about payers’ networks, including: Which providers deliver what services? Where are certain services scarce? And how much do prices differ between in- and out-of-network services by plan?¹ APCDs may also be able to help inform specific policy questions, such as the prevalence of out-of-network charges at in-network facilities (i.e., surprise billing).
4. Responding to the Opioid Crisis: APCDs have helped states to monitor and develop strategies for combating public health crises, including the opioid epidemic. APCDs can provide information on prescribing patterns at regional and physician levels, as well as the availability of treatment (e.g., medication-assisted treatment (MAT), naloxone or residential programs). APCDs also allow states to look at an issue in the broader context of how substance use disorders change over time as drug availability changes. Massachusetts’ APCD served as the data-backbone of the state’s new “Promote Prevent” plan to promote mental, emotional and behavioral health. The Massachusetts APCD was linked to more than a dozen other health and social service data sets to provide policymakers with a comprehensive depiction of the Commonwealth’s most vulnerable populations and potential root causes (e.g., access) for their behavioral health issues. Virginia’s APCD was similarly used to identify trends in opioid prescription volume, refills and dispensing habits, while Colorado’s APCD was used to identify prescription fill anomalies by matching drug users with reported clinical conditions.

APCD Cautions

While APCDs have the potential to substantively inform numerous insurance agency programs and priorities, most APCDs nationally are not yet mature enough and/or do not have the staff capacity that would allow for simple report request fulfillment. When approaching interagency collaboration, it is essential for insurance leadership to keep the following considerations in mind:

• Long-Term Partnership: Work with APCD agencies should be viewed as part of a long-term partnership, ideally fueled by small, shorter-term goals (and, hopefully, “wins”). Insurance and APCD leadership should work together to develop realistic goals and milestones jointly. (Also, keep in mind, the more APCDs are used, the more valuable they become: Use is the best data quality check, and it establishes foundational agency functions, processes and knowledge that will better support efficiencies in future collaborative efforts.)
• Communications: APCD and insurance department staff may not always speak the same language. For example, when referring to “membership,” one agency’s staff may intend to convey “a member months average for state residents”; another, however, may interpret “a point-in-time count by state situs.” Developing clear, shared business specifications is foundational to any successful project partnership. Business specifications are the road map by which technical specifications (i.e., programming logic and code) will be developed.
• Completeness, Timeliness and Accuracy: Though APCDs are significant data assets, they are not always the best data assets to answer every question. Depending upon the state and use case, APCDs may not have data that is relevant (e.g., clinical records), timely enough (e.g., claims lag) or complete enough (e.g., payer data submission anomalies) for use. Further, depending upon the “hosting agency” for a given APCD, various APCD data fields may have been emphasized for integrity. For example, when APCDs are hosted within Medicaid or health departments, critical foundational fields for insurance use—such as Situs or License Type— may not be as thoroughly tested and vetted as others, such as diagnosis codes (also important). Regardless of whether there is an imminent opportunity for APCD agency collaboration, insurance departments should be active and engaged stakeholders in their continuing development.
• Staffing (and Funding): APCD agencies are financially lean, with limited staff. Clearly delineating project roles, timelines and committed resource needs for any collaboration is an important step, as is identifying where external counsel would be critical (i.e., don’t reinvent the wheel). Joint agency collaborations may also be able to identify and leverage additional state and federal funding, especially where new funds may be available to address public priorities (e.g., opioids) or where long-term value propositions can be presented (e.g., administrative simplification).

APCDs can be—and are already, for some state insurance departments—tremendous and dynamic data assets. Their value will only continue to increase as use improves data quality and uncovers new use cases.

_{¹Where in-network APCD flag is available and tested}

back to top