
 statenews

Volume 27, Issue 461

February 20, 2006

IDAHO WAIVER WOULD PROVIDE DIFFERENT CARE FOR DIFFERENT FOLKS

In 1993, Idaho’s Medicaid expenditures were soaring and state general revenues were down. Rather than cut eligibility categories or services, state policymakers instituted “Healthy Connections,” a mandatory primary-care case management program that produced savings and improved care for patients.

Today, Gov. Dirk Kempthorne is hoping to take that approach toward Medicaid management – of saving dollars while improving services – one step further. He’s proposed a program that would collapse Medicaid’s more than 50 eligibility categories into three, each of which would have its own benefit package or packages:

  • low-income children and working-age adults, including federally “mandatory” pregnant women and children; services for children would emphasize preventive and primary care;
  • individuals with disabilities or special health needs, who will be given increased assistance in seeking employment and will get greater freedom to manage their own care, in a program modeled after the National Cash and Counseling Demonstration program; and
  • elders, for whom home- and community-based services would be increased.

“If we are truly going to solve the problems of the current Medicaid program, we must turn our focus away from an antiquated, regulation-based system and toward one that focuses on results,” Kempthorne said Jan. 26th in testimony before the Federal Medicaid Commission.

People applying for Healthy Connections would for the first time be given a questionnaire that would assess their general health status and behaviors (asking questions about such subjects as weight and tobacco use). The resulting information would be used to provide customized health education, as well as to determine which benefit package the applicant should receive.

A “Good Start”

The recently enacted federal deficit reduction act – which takes effect Jan. 1, 2007 – allows states to make some of the changes called for in Kempthorne’s package through state plan amendments – rather than through waivers. The state plans to make those changes that it can through the state plan amendment process and obtain a waiver for the rest, said David Lehman, the governor’s policy director.

“We’re pleased to see more flexibility for states to manage the eligibility and benefits process for folks,” said Lehman. “It’s a good start; however, it doesn’t get us all the way to where we need to be to effectively manage the program, improving care while reducing costs.”

Kempthorne’s plan also calls for:

  • instituting a pilot “pay-for-performance” program in community health centers;
  • promoting the use of private financing options for long-term care, such as reverse mortgages and private long-term care insurance – Idaho passed a 100 percent tax deduction for long-term care insurance two years ago;
  • selectively contracting with durable medical equipment and other vendors in order to increase purchasing power and produce savings;
  • investing in health information technology such as disease registries and software for chronic disease management;
  • establishing “personal health accounts” that would enable individuals who comply with recommended healthy behaviors to receive credits;
  • allowing federally “mandatory” children and adults to voluntarily participate in the state’s premium assistance program; and
  • instituting co-pays to ensure that care is delivered in the most cost-effective setting possible. “Cost-sharing will be implemented cautiously, due to the potential danger of introducing barriers to essential care and access to health-care coverage,” state documents say.

Idaho also plans to remove the asset test for all eligible children with family incomes under 185 percent of poverty, on grounds that such tests actually increase program administration costs, keep qualified individuals from applying for assistance, and act as a disincentive for savings and personal responsibility.

“The primary goal of course is improving care for the beneficiaries,” said Ross Mason, spokesman for the Idaho Department of Health. “But we’re also lucky that Idaho’s Medicaid program is fairly bare bones. We haven’t added a whole bunch of categories the way some states have. We’ve tried to be conservative because the state is conservative, and we’ve tried not to promise things we can’t deliver, so we haven’t had to cut back.”

For more on Idaho and other state Medicaid reforms, go to this NCSL Web page.



HEALTH INFORMATION AT RISK OF PIRACY, DESPITE FEDERAL LAW

On Feb. 15, 2006, the University of Washington’s UW Medicine system revealed that hackers had infiltrated its computer system beginning in 2004. For 18 months, the hackers had access to the medical and business records of at least four hospitals and a provider group. Fortunately for the patients and the university system, patient records do not appear to have been the target of that attack.

But the hacking of the computer system illustrates a growing concern in state legislatures: how to protect the privacy of medical records when more and more providers are dispensing with paper and going electronic? And it’s not just medical records that are at risk.  

Several companies are now engaged in the business of buying and reselling personal information, including such sensitive – and potentially profitable – information as Social Security numbers. 

“The last decade has seen a number of companies change their privacy policies to the detriment of consumers,” Chris Jay Hoofnagle, director of the Electronic Privacy Information Center’s west coast office, stated in testimony before the California Senate Finance and Insurance Committee. He noted that Choicepoint, the largest U.S. broker of personal information, has been known to provide information on employees to employers without knowing their reason for seeking it. Choicepoint also makes Social Security numbers available to the public through subscription services like Westlaw.

Even where information is legally protected or unavailable to data resellers, the threat of hackers remains. The Federal Trade Commission reports that in 2005 there were 685,000 reported cases of identity theft, of which roughly 1 percent had to do with health-care information. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included provisions to prevent the inadvertent or unauthorized disclosure of personal health information. Enforcement of those statutes falls to the Federal Bureau of Investigation, which was allotted $379 million between 2000 and 2003 to investigate and prosecute HIPAA violations. Not all of this money was spent on HIPAA; some cannot be accounted for by the FBI, while a portion was transferred to anti-terrorism efforts, according to the Government Accountability Office. Since HIPAA’s enactment in 1996 there has been only one criminal conviction for violation, in 2004. 

“It’s kind of a catch 22,” said Roldan Ramirez of Info-Tech Research Group, a private health-care information firm. “You have legislation under HIPAA, but it’s not being monitored as much as [other compliance laws].” Info-Tech has compiled several reports on HIPAA compliance and risk exposure for the health care industry.

Out of Sight, Out of Mind

One problem is that, in many cases, a computer infiltration will go unnoticed for some time. California’s 2003 Database Security Breach Notification Act (SB 1386) was the first law in the nation to require companies storing personal information to notify consumers when a data breach or error causes information to be leaked. The law was put to the test in 2005 when Choicepoint revealed the theft of 145,000 Californians’ personal information by a criminal entity. 

California’s law has been followed by similar laws in at least 23 states, and in 2006, 13 states are considering notification bills. A Missouri bill addresses health care specifically. The bill (SB 1041) before the General Assembly would make it a felony to obtain or sell personal health information without the consent of that person. Convicted felons could be fined up to $10,000 and imprisoned for no more than 10 years. Exceptions would be made for the transfer of such information by law enforcement officers or health-care providers who are acting in accordance with state or federal law.

In their paper, A Model Regime of Privacy Protection, authors Chris Jay Hoofnagle and Daniel Solove advocate that states take a more active role in protecting consumer information. A complete list of proposed and enacted security breach legislation can be found at this NCSL Web page.

By Paul deYoung, intern for NCSL’s Health Policy Leadership Forum


© Copyright 2006, State Health Notes
