The question of who owns the data has always troubled me. In our world, the question has roots in the debate over who owns expiration data, which predates our industry tenure by decades.

I think, though, that that question effectively was whether or not the issuing carrier and the placing broker are both entitled to use the data for marketing purposes. And the historical industry answer was that only the broker could use the data for those purposes, and that practice was memorialized in some state laws and in contracts.

But, of course, the carriers could and did use that data for non-marketing internal purposes and in communications with brokers on renewals. And, of course, the policyholders always had the right to use their data for whatever purpose they wanted to irrespective of those statutes and contractual agreements.

The current “big data” world actually adheres to this historical practice: whoever has data in their possession can use it for any purpose whatsoever unless there is a regulatory or contractual prohibition on doing so.

There are, though, more and more regulatory impediments to using some data, especially data that relate to individuals and not commercial enterprises. The emerging view is that not only do individuals “own” their own data but they can also direct anyone who has certain data related to them to delete it under their “right to be forgotten” (see California and the European Union).

Some of these same laws may, however, actually offer tools for helping resolve the problems some businesses (and their brokers) have been confronting in terms of gaining access to and using their group plan data.

In other words, how can we make sure brokers and employers get the information the law permits them to receive? And once you have the data, what can you do with it?

Brokers have been agitating for greater access to meaningful health data for themselves and their employer clients. More access, we think, would allow brokers and employers to comparison shop, develop tailored benefits and tools for employees, and ultimately help control costs. The good news is that the Health Insurance Portability and Accountability Act’s Privacy Rule in place today, when properly leveraged through business arrangements, allows you and your clients to get the data and use it to satisfy these objectives.

The Privacy Rule restricts information flow from covered entities, like carriers, to non-covered entities, like brokers and employers. The Privacy Rule, however, also includes provisions that authorize permissible data sharing and mandate it under certain specified conditions.

First, the Privacy Rule allows (but, critically, does not require) a carrier to share plan data with the employer sponsor without employees’ consent or authorization, but there are limitations on what information may be disclosed and how it can be used. The rule, for instance, permits carriers to share summary health information with employer plan sponsors for purposes of getting premium bids from insurers or modifying, amending or terminating the group health plan.

Such summary information includes anonymized information on claims history and claims expenses. Going a step further, the Privacy Rule permits carriers to share more granular personal health information with employer sponsors for underwriting purposes and with other healthcare administration/operations, provided certain anti-discrimination safeguards are satisfied.

Second, the Privacy Rule requires carriers to share personal health information if it is directed to do so by an individual in accordance with its requirements. It appears that nothing in the Privacy Rule prohibits employers from conditioning plan participation on the providing of such designations by participating employees. Employees may extend their “right of access” to their own personal health information to their employer and/or the employer’s broker—as designee(s)—and plans must then provide the information as requested by the employee. This avenue does not place restrictions on how the recipient may use the data as long as HIPAA’s anti-discrimination rules are followed. But it is likely an easier sale to plan participants if the authorization limits recipients to using the data for purposes related to underwriting and quality/value of care.

HIPAA acts as a federal floor for privacy protections, so states are free to create their own data-sharing structures provided they do not conflict with any of the HIPAA protections. Some states, like Kentucky and Indiana, have given large-plan sponsors the right to obtain relatively robust data directly from plans. It may be well worth our while to encourage other states to move toward this model.

Despite what current law allows in terms of data sharing with employers, several Council members report having difficulty obtaining—for themselves and/or their clients—useful information from carriers. This may be more a matter of how you structure your business relationships than of legal obstacles.

Here are a few suggestions to help you make the most out of the tools we have under the law:

  • Turn the Privacy Rule’s “may share” approach for non-employee-authorized data into a “must share” by having the employer contractually require the carrier to share all information permitted by HIPAA (e.g., PHI for underwriting purposes).
  •  Encourage your clients to write employee HIPAA authorizations and/or designations into their employment contracts so that, as a general matter, the employer sponsor (and/or the broker) can receive health information.
  • To the extent you are interested in obtaining the health data, consider writing into your own client contracts requirements that the employer share the data and/or provide a way for you to get the data directly based on employees’ consent.

Sinder is The Council’s chief legal officer and Steptoe & Johnson partner.

Jensen is a senior associate in Steptoe & Johnson’s GAPP Group.

Gold is an associate in Steptoe & Johnson’s GAPP Group.