[Congressional Record Volume 144, Number 102 (Monday, July 27, 1998)]
[Senate]
[Pages S9064-S9065]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




  PRIVATE HEALTH INSURANCE: HCFA CAUTIOUS IN ENFORCING FEDERAL HIPAA 
              STANDARDS IN STATES LACKING COMPARABLE LAWS

 Mr. JEFFORDS. Mr. President, today, I am releasing a new U.S. 
General Accounting Office (GAO) report entitled, ``Private Health 
Insurance: HCFA Cautious in Enforcing Federal HIPAA Standards in States 
Lacking Comparable Laws'' (GAO/HEHS-98-217R). The GAO report warns that 
Federal involvement in the role traditionally reserved for the States 
may complicate oversight of private health insurance.
  In 1945, Congress passed the McCarran-Ferguson Act, thereby endorsing 
the arrangement where States are responsible for the regulation of 
insurance. Federal regulation of health insurance in States establishes 
a new precedent. In light of current proposals that would establish 
additional Federal standards of health insurance, I believe we must 
carefully consider the appropriate role for Federal and State 
regulatory agencies in monitoring and enforcing compliance with 
insurance standards.
  As the Chairman of the Committee on Labor and Human Resources, I have 
closely monitored the implementation of the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA) since its enactment 
in the last Congress. HIPAA set new Federal standards for access, 
portability, and renewability for group health plans under the Employee 
Retirement Income Security Act of 1974 (ERISA) and for health insurance 
issuers which have traditionally been regulated by the States. Under 
the HIPAA framework, in the event that a State does not enact the new 
Federal standards for health insurance issuers, the Health Care 
Financing Administration (HCFA) is required to enforce the provisions.
  As of June 30, 1998, officials in California, Rhode Island, and 
Missouri have voluntarily notified HCFA that they have failed to enact 
HIPAA standards in legislation. Two other States, Massachusetts and 
Michigan, are widely known to have not enacted conforming legislation, 
but the States have not notified HCFA, nor has HCFA initiated the 
formal process to determine if Federal regulation is necessary.
  In the case of the five States where HIPAA standards have not been 
adopted, HCFA must assume several functions normally reserved for State 
insurance regulators. These duties include (1) responding to consumer 
inquiries and complaints; (2) providing guidance to carriers about 
HIPAA requirements; (3) obtaining and reviewing carriers' product 
literature and policies for compliance with HIPAA standards; (4) 
monitoring carrier marketing practices for compliance; and (5) imposing 
civil monetary penalties on carriers who fail to comply with HIPAA 
requirements.
  HCFA officials have acknowledged that their agency has thus far taken 
a minimalist approach to regulating HIPAA, and they attribute the 
agency's limited involvement to a lack of experienced staff, as well as 
uncertainty about its actual regulatory authority. Originally assuming 
that States would adopt HIPAA legislation, HCFA reassigned only a small 
number of staff members to address enforcement issues. The reassigned 
staff generally came from other divisions and

[[Page S9065]]

had no previous experience in private health insurance.
  As of July, 1998, HCFA has authorized 40 full-time staff members to 
work on all HIPAA-related issues. HCFA officials acknowledge that these 
new staffers will likely focus on responding to consumer inquiries and 
complaints. Officials also have said that they will need additional 
staff to conduct any further enforcement activities. They are unable to 
state their precise staff needs, because they are inexperienced in the 
regulation of private health insurance and are uncertain of their long-
term responsibility. At a Labor Committee oversight hearing in March, 
HCFA Commissioner Nancy-Ann Min DeParle testified that HCFA may require 
an additional range of enforcement tools, beyond the already-
established civil monetary penalties.
  Without formal notification of noncompliance from Massachusetts and 
Michigan, HCFA must undertake a determination process to establish the 
States' nonconformance, officially providing the authority for HCFA to 
become involved. HCFA officials have not yet undertaken this effort, 
which they characterize as cumbersome.
  The GAO has found that HCFA's review of carriers' product literature 
and policy compliance would be restricted by the Paperwork Reduction 
Act. The Act establishes a process for approval of any collection 
information, defined as collecting information from 10 or more persons. 
HCFA would need to obtain approval from the Office of Management and 
Budget for anything other than obtaining information in response to 
specific consumer complaints. To fulfill its regulatory duties, HCFA 
would need OMB approval to collect information from all carriers on a 
regular basis, which most State insurance commissioners already do.
  In California, Missouri, and Rhode Island, oversight of health 
benefits is divided between State insurance regulators and the 
Department of Labor. The addition of HCFA to the array of regulatory 
bodies may further fragment and complicate the regulation of private 
health insurance. This framework may lead to duplication, yet none of 
these agencies will have complete authority for regulating health 
insurance products. Ms. DeParle herself has stated that this would be a 
challenging ``patchwork quilt of Federal and State enforcement.''
  One example is in Missouri, where the State's present small-group, 
guaranteed-issue requirement is applicable to groups of 3 to 25 
individuals. HIPAA's small-group guaranteed-issue standard applies to 
policies sold to groups of 2 to 50 individuals. Therefore, in Missouri, 
HCFA has the responsibility for ensuring that carriers guarantee 
products to groups the size of 2 individuals, and groups the size of 26 
to 50 individuals.
  The legislative history of HIPAA makes clear that the Congress 
intended that the effect of this legislation would be that all States 
would come quickly into compliance with the stated Federal standards, 
eliminating the need for active regulation by HCFA. We are now 
confronted by the fact that in at least five States HCFA must initiate 
enforcement with respect to group to individual market coverage.
  At a March 19, 1998, Labor Committee HIPAA oversight hearing, Don 
Moran of the Lewin Group testified: ``The lesson I take from HIPAA is 
that, in the complex world of health benefits regulation, the Federal 
government cannot tidily insert itself as a policy-setter in a 
predominantly State-administered regulatory regime.'' In establishing 
minimum Federal standards for health insurance, we may have to develop 
alternative approaches to the HIPAA framework so as to encourage States 
to meet Federal standards and retain enforcement responsibilities.
  Mr. President, the GAO report concludes that HCFA's regulatory role 
is likely to expand as it assumes enforcement responsibilities to 
ensure States' compliance with HIPAA. It is clear that HCFA's new 
regulatory responsibilities will increase the burden faced by health 
carriers and regulators, and will add to the confusion faced by 
consumers, who try to navigate through the intricate system of 
overlapping and duplicative regulatory jurisdiction.

                          ____________________