Last December, CVS Health and Aetna Inc. announced plans to merge—combining one of the nation’s largest health insurers with one of its biggest retail pharmacies. The companies hope to leverage the massive data pool the deal would create, which is currently under review by the U.S. Department of Justice, to deliver more personalized and efficient health care.
And last month, Amazon.com announced that it would be teaming up with Berkshire Hathaway Inc. and JPMorgan Chase & Co. to create an independent health care company for the companies’ employees. Around that same time, Amazon also posted a job listing for a professional experienced with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) to work on health care-related compliance matters.
(The HIPAA Privacy Rule, issued in 2000, set national standards for the protection of individually identifiable health information. HIPAA is enforced by the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS).)
But anyone who has ever ordered a bottle of pain reliever or a book about a particular disease from Amazon knows that the e-commerce giant already holds medical-related information about its users that may not be covered by HIPAA, raising questions about how that personal health information is collected, used and stored.
ALM talked with Peter Swire, senior counsel at Alston & Bird, former government official, and privacy and cybersecurity expert at the Georgia Institute of Technology’s Scheller College of Business, about some of the legal and data privacy issues surrounding these new, data-driven health care delivery systems. The interview has been edited for length and clarity.
How is HIPAA implicated in the proposed deal between CVS and Aetna?
Swire: Both [CVS and Aetna] are covered under HIPAA, but historically they were in two different categories of entities. So with the merger, the general rule is that the pharmacy data can be merged in the company’s databases with the insurance data subject to minimal rules. HIPAA says you should only collect and share the minimum necessary data that’s needed for the patient, but the rules there tend to be pretty flexible.
HIPAA also has rules about role-based access, because the janitors shouldn’t see the psychiatric records. The role of someone for health insurance might require different data than the role that’s needed for a health care provider. The merger doesn’t give every health insurance employee the right to see all of the medical records from the pharmacy.
Does this type of regulation have an effect on CVS and Aetna’s ability to implement this type of business model?
When they try to combine business operations, they’ll have to go step-by-step and document why it’s appropriate to share data with these new categories of recipients.
Are there other regulations that would govern the data?
The insurance companies are also regulated at the state level, so the rules for Aetna’s data may be restricted by state insurance laws.
Similarly, states can apply stricter versions of the HIPAA rules if they pass state laws to do that, and the pharmacy data would have to comply with those state law restrictions. For instance, some states have special rules for HIV patients, and the data for HIV medications would be subject to those stricter state rules.
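The access model Swire describes above has three parts: role-based access where the role, not the employer, determines which records a person can read; a merger that does not by itself widen anyone's access, with each new category of recipient documented; and stricter rules for certain categories of data, such as HIV medications, that state law singles out. The following is an added, illustrative policy check written for this page; it is not code or policy from CVS, Aetna, HHS or the interviewee. The entities, roles, record categories, purposes and sample requests are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed record categories. "hiv_medication" is kept separate from
# ordinary pharmacy fills because the page notes that some states regulate
# HIV data more strictly than other pharmacy data.
PHARMACY, PSYCH, CLAIMS, HIV_RX = "pharmacy_fill", "psychiatric", "insurance_claim", "hiv_medication"

# Each pre-merger entity's own role table (constructed). A role maps to the
# categories it may read; any category absent from the set is denied.
INSURER_ROLES = {
    "claims_adjuster": {CLAIMS},
    "care_manager": {CLAIMS},
    "facilities": set(),          # janitorial staff: no PHI at all
}
PHARMACY_ROLES = {
    "pharmacist": {PHARMACY, HIV_RX, PSYCH},
    "facilities": set(),
}

# Categories that need a specific documented purpose even for an allowed role.
# This stands in for a stricter state-law category (the HIV example above).
RESTRICTED_PURPOSES = {HIV_RX: {"dispensing", "treatment"}, PSYCH: {"treatment"}}


def merge_role_tables(a, b, documented_grants):
    """Combine two entities' role tables without silently widening access.

    The merged table keeps every role with exactly the categories it already
    had at its own entity. A role only gains a category from the other side
    through an explicit grant of the form (role, category, justification),
    which is the "document why it's appropriate" step from the interview.
    """
    merged = {}
    for table in (a, b):
        for role, cats in table.items():
            merged.setdefault(role, set()).update(cats)
    for role, category, justification in documented_grants:
        if not justification.strip():
            raise ValueError(f"grant of {category!r} to {role!r} lacks a justification")
        merged.setdefault(role, set()).add(category)
    return merged


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    category: str
    purpose: str


def authorize(roles, req):
    """Deny-by-default check. Returns (allowed, reason)."""
    cats = roles.get(req.role)
    if cats is None:
        return False, f"unknown role {req.role!r}"
    if req.category not in cats:
        return False, f"role {req.role!r} has no access to {req.category!r}"
    needed = RESTRICTED_PURPOSES.get(req.category)
    if needed is not None and req.purpose not in needed:
        return False, f"{req.category!r} requires a purpose in {sorted(needed)}, got {req.purpose!r}"
    return True, "allowed"


def audit_record(req, allowed, reason):
    """Every decision, granted or denied, is written out for later review."""
    return (f"user={req.user} role={req.role} category={req.category} "
            f"purpose={req.purpose} allowed={allowed} reason={reason}")


# Constructed post-merger policy: one documented grant lets care managers see
# ordinary pharmacy fills. Nothing grants them HIV or psychiatric data, and
# claims adjusters gain nothing from the pharmacy side at all.
MERGED_ROLES = merge_role_tables(
    INSURER_ROLES, PHARMACY_ROLES,
    [("care_manager", PHARMACY, "medication adherence outreach; reviewed by privacy office")],
)

if __name__ == "__main__":
    samples = [  # constructed requests
        Request("u1", "care_manager", PHARMACY, "adherence"),
        Request("u1", "care_manager", HIV_RX, "adherence"),
        Request("u2", "pharmacist", HIV_RX, "dispensing"),
        Request("u2", "pharmacist", HIV_RX, "marketing"),
        Request("u3", "facilities", PSYCH, "cleaning"),
        Request("u4", "claims_adjuster", PHARMACY, "claim review"),
    ]
    for r in samples:
        ok, why = authorize(MERGED_ROLES, r)
        print(audit_record(r, ok, why))
```

Running the sample requests shows the three points in action: the care manager can read pharmacy fills only because of the documented grant and still cannot read HIV medication records; the pharmacist, whose role does cover HIV data, is refused when the stated purpose is not one the restricted category allows; facilities staff and the claims adjuster are denied outright, since neither role was ever granted those categories at either entity.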