January 03, 2013

The MIB Of Health Care

No not the Men In Black the Medical Insurance Bureau or (MIB)

By Melvin J. Howard

Privacy in the information age is a bit of a misnomer and not likely that's because, as with everything else, it's long gone even in health care. You’re very personal chat with your doctor is now in a file that gets tracked by an industry that has built up around paying for the problem you were talking with him or her about. Medical records are routinely shared with companies called clearing- houses whose sole function is to facilitate the process of getting payment. These companies, staffed by lawyers and accountants as well as data entry clerks, all see your records before they share them with the insurers, health plans, HMOs, and government agencies that end up paying for it. A privacy consultant whom I know estimates that by the time you account for laboratories, x-ray facilities, and pharmacies playing their part, hospitalization for a treatment that is paid by a third party routinely allows between one and ten thousand people access to your "confidential" medical information.


The one company that warehouses information for medical insurance providers is a nonprofit trade association called the Medical Insurance Bureau (MIB). Unlike commercial enterprises such as FICO, Experian, Equifax, TransUnion, Innovis the MIB has no competition and no profit motive that encourages very aggressive reporting. Finally, the medical information that is tracked is, by and large, gathered directly from you. Instead of relying on regular reports by third parties, insurers ask each of us what they want to know about. The function of the MIB is really to retain information that you give one company and compare it to what you tell the next one on the insurance application. Here's how medical reporting works: The seven hundred insurance providers that belong to the MIB association agree to share information with one another using the MIB as a central repository. If you've ever submitted an individual or small-group application for any kind of medical insurance, the insurance company probably translated key pieces of information about conditions that affect your health or longevity into numerical codes. They transmitted those codes to the MIB database. The next time you apply for coverage, your new insurance company will send a query to the MIB database to verify that the information you're submitting is in line with what you've told other insurance companies in the past. This method of fraud protection for the medical insurance industry has been in place since 1902. Despite its long standing, I can only assume that computers have made the MIB more efficient at tracking.


An MIB report will contain the inevitable identifying information like your name, date and place of birth, your address, and any other names you might have used in the past. In a truly refreshing break with most medical insurance practices, it is optional for an insurance company to submit your Social Security number. This information may actually not be in an MIB report on you! The other information contained in your report is a series of codes that correspond to any medical conditions or hazardous activities that might affect your health or longevity. There are approximately three hundred and ten codes that the MIB system uses. While most are for medical conditions, a handful do capture so called dangerous hobbies, one exists to note the fact that you have a bad driving record, and two indicate family history (one for cardiac problems; the other for any kind of hereditary disease). It's difficult to say which conditions are considered important enough to report to the MIB. There appears to be some bit of discretion afforded each insurer about what they deem worth storing in the database. From your perspective, you should probably consider anything you've disclosed on an insurance application or allowed a doctor to tell the insurance company in the past seven years as fair game. The time limit on most information is seven years from the time it gets communicated to the MIB. If an application reports that a condition is still going on, the date of that report resets the seven-year clock. In other words, a condition that started ten years ago but that you still have today is still listed. The final bit of information contained in an MIB report is how many times an insurance company has requested your record in the past two years. These days, asking for information has become almost as important as the information itself. 


All of the companies that I have been discussing are consumer reporting agencies and are regulated by the Fair Credit Reporting Act. That means that you have the right to know if they have a file on you and what that file contains. It also means that your neighbor does not have the right-without being able to demonstrate a reasonable business relationship to order an insurance report on you. When it comes to medical information, there are a few additional safeguards. The FCRA explicitly restricts dissemination of any medical data on you without your written permission. The only problem with this is the fine print of absolutely every insurance application I've ever read includes waiver language that not only gives the insurance company the right to see your report, but do everything up to interviewing your grade school principal if they feel like it. But there is a law that came into effect that further restricts what can be done with medical information.

The Health Insurance Portability and Accountability Act (HIPAA), was designed to provide federal-level privacy restrictions on medical information collected by health care providers, pharmacists, and insurers. Although many states had effected protective legislation, this was the first time the issue was addressed at the federal level. In a nutshell, HIPAA requires that you be able to see, copy, and add to any of your medical records and that you be informed of the privacy practices adopted by your health care provider. Surprising as it sounds, you had no legal right in some states to see your own medical records before HIPAA. HIPAA also limits the use of your medical information. Before a doctor, pharmacist, hospital or insurer can release any medical information to companies that aren't directly involved in offering you health care, such as a life insurer, a bank, or a marketing firm, they have to get your signed permission. Even before the global financial melt-down many state legislatures took to privatization of their social programs including most of their health care services. But going to the lowest bidder has not come without controversy there have been reported cases of abuses of privacy issues, discrimination, fraud and corruption. The one most important role of government is to look out for the welfare of the population it serves.

Making money and creating jobs is one goal of capitalism insofar as it supports economic strength and therefore stability nothing wrong with that. But it is a far cry from looking out for the welfare of a population. Corporations’ legal obligation is to make money. That is to reduce costs to increased revenues = Profit. Generally, in an economy which has been defined by growth, stagnation (not growing) is failure (in the red). So, it makes plenty of good business sense that companies are not investing in growth at a time when savings and stagnation could be more easily construed as success. That’s good common business sense. The problem is that these good common sense business practices do not necessarily translate into social public good. 

Getting Your MIB Report

If you decide that you do want to check for an MIB report, you must submit your report request in writing because of the extra sensitivity of medical information. You can get the request form online at www.mib.com. The information you need to provide is: name, date of birth, and state of birth. The MIB does ask for other information but indicates that it's optional. This is because they will verify your contact information with your current insurer before releasing your report to you. The final part of the form consists of directions for how you'd like the information sent to you. Just as with all of the other information trackers, the MIB is subject to the FCRA and FACTA. This means that they will ask for a fee for the record search, but that fee may be waived if you can prove that an MIB report was used in a decision to deny you insurance, or lowered if you live in a state that requires this. In addition in 2005, you are now able to request a free report once a year (check the FTC Web site for info on this). The written request form with a check should be mailed to:

• The names of the MIB member companies that reported information to the MIB.

• The names of the MIB member companies that have requested a copy of your MIB record in the past.

• The type of information that MIB has on you, i.e., files from MIB (life), DIRS (Disability Insurance Record System), and HCI (Health Claims)

• And the contents of your record itself, containing your name,
your date of birth, your occupation, and a list of the codes that
have been submitted about you. When you get your report, you will also receive a plain English description of the codes that apply to you. You'll need it. A sample
code taken from an MIB example looks like this: 705GZN

• The first three numbers represent a condition code.

• The first letter indicates the degree of severity.

• The second letter identifies the info source.

• The final letter denotes the time of condition (i.e., within one
year of the application). If you have any questions about the process you can call the MIB.

If the MIB doesn't have a file on you, they will send you a simple letter saying so. If they do have a file, you will really need your CIA decoder ring. The MIB reports have the most "interesting" format. Unlike other reports, these try to protect your private information. They have actually been designed to be difficult to read so that a clerk can't tell you've got a heart condition from a quick glance. But errors do crop up because of typos-looking at the bizarre code above. They also happen when labs mix up test results. And they can happen because sometimes even well-trained and well-meaning doctors don't get the diagnosis right. If a doctor made a judgment call that exaggerated a problem or perhaps missed the mark entirely, that information might still be sitting in your file, even though you got it sorted

Correcting Your MIB Report

Honest errors need to be corrected. But if the error is because your file is out of date, don't waste time trying to update it. According to the MIB, if you sky-dived in 2005, and this was reported, the information that you sky-dived in 2005 is correct. Remember that condition codes come with dates attached to them. Even if you give up sky-diving in 2006 they will not remove this info from your file, because the report that you sky-dived in 2005 is correct. Since there is no code for "doesn't sky-dive anymore," there is no way to add to your file to indicate that you once did something that might affect your longevity but that you don't do it anymore. If you submit an application to an insurance company and don't mention that you sky-dive, the insurance company will either assume that you no longer sky-dive or ask you about it. If they don't, your best defense is to be aware that an incomplete record exists and to make sure that the vendors using it are using it appropriately. If you don't plan on applying for insurance in the near term, there really isn't a need to do anything. It may be better to wait. If the information in your record is close to seven years old, your entire file will soon be expunged as a matter of course. The MIB is pretty careful about keeping around any information that can't be justified. 


The Patient Protection and Affordable Care Act of 2010 and the Hub. Aside from medical privacy, this legislation changes everything about what I have just mentioned thus far. The draft Data Services Hub Statement of Work (July 2011) says the HUB "will act as a single interface point for Exchanges to all federal agency partners..." It must be implemented by September 1st, 2013 and must include "Data models for maintaining individual data, transaction audit data, federal agency partner data, etc." The federal government say the HUB will be able to verify Social Security Numbers, citizenship, imprisonment, income information, tax credit eligibility and eligibility for public subsidies in real time. How much data? The Affordable Care Act (ACA) requires government-issued "individualized risk scores." One particular controversial contractor building an exchange has access to: private data, non-public data, confidential data, medical data, federal tax information, welfare data, protected health information, chemical health records (drug and alcohol use), electronic health records, any "record" as defined by the Privacy Act of 1974, and "other data."

Here is the big problem I see happening if the head of the CIA could not maintain his own privacy and secrecy of a brief love affair. What are the chances our privacy will be abused as ordinary citizens? Will the HUB just stop with health care?