About MDD - Subscription Info
December 2001
Vol. 4, No. 12, pp 49–51.
sites and software
Will e-standards save health care dollars?
Perhaps, but federal paperwork-reduction rules will initially cost billions.

opening artHospital administrators and providers are relieved. Instead of having to build soundproof rooms to safeguard privacy, it looks like they need to provide only simple screens or barriers to protect patient confidentiality. And friends and relatives will still be able to pick up a patient’s prescription at a pharmacy. But it is true that if you do not agree with something you read in your more easily accessible medical chart, you can request an amendment to tell your side of the story.

All these concerns are the result of a Health Insurance Portability and Accountability Act (HIPAA) regulation that was passed in 1996. The act mainly combats fraud and ensures insurance transfer when a person changes jobs. However, it is the 1996 law’s short and benign-sounding section called Administrative Simplification that has created so much worry with health plans and providers. “Most audiences are astounded by how detailed the regulations are and by how much impact they’ll have on internal operations,” says Kristen Rosati, general counsel for hospitals in Arizona. “The purpose of Administrative Simplification was to move the whole industry to a standard format for electronic claims submission, make it more efficient, and save the health care industry lots of money.”

The goal was a laudatory one, with the Department of Health and Human Services (DHHS) estimating that the industry will save $29.5 billion over 10 years. However, the industries affected are crying for help. The American Hospital Association (AHA) estimates that to comply with privacy standards alone will cost $22 billion over 5 years. And while the DHHS forecasted an average cost of $1 million per health plan, a Nolan Company survey projected a figure of $10 million per health plan to reprogram systems and retrain workers.

HIPAA primer
Public Law 104-191, 104th Congress, Health Insurance Portability and Accountability Act of 1996.
The Four Parts of Administrative Simplification
  • Standardization of electronic patient health, administrative, and financial data.
  • Unique health identifiers for individuals, employers, health plans, and providers.
  • Security standards protecting confidentiality.
  • Privacy and confidentiality standards.
Compliance: 24 months from the effective date of the rules. (Note: or 26 months from the publication of rules; the effective date occurs 2 months after publication.)

  • Civil: $100 for each failure-to-comply violation, and a maximum penalty of $25,000.
  • Criminal: Wrongful disclosure, $50,000 to 250,000.
Administrative Simplification contains four parts (see box, “HIPAA primer”), each requiring various rules and standards that are being released in stages through 2002. Health care organizations must comply two years after the release of each set of rules, and the penalties for noncompliance are stiff. Although many additional regulations sit in the proposal stage, the medical privacy standards released one year ago are creating the biggest fuss now for hospitals and health plans. Next in line are identifier standards, which whittle down the hundreds of ID numbers used by the various health care entities, and security standards.

Medical privacy
The privacy regulations, which protect information related to an individual’s health and payment history, were not well received by many in the industry. “The privacy regulations are so detailed, so prescriptive, and very expansive. They threaten to gobble up the savings realized through standard transactions,” Rosati says.

The Clinton administration squeezed out the 1500-page medical privacy regulations three days before Bush took over. And while the Bush administration surprised many by not extending the effective date of April 14, they promised that changes would be made.

DHHS Secretary Tommy Thompson is in the process of tweaking the most problematic regulations. For example, as the rules are now written, pharmacies and providers need written patient consent before giving treatment. This means that pharmacists cannot fill a prescription and hospitals cannot start an admission process until a patient fills out a consent form. However, in early July the DHHS released a guidance that eased some concerns. While avoiding specifics, the guidance did propose changes that allow pharmacists to fill phoned-in prescriptions without consent forms, and providers to engage in communication for quick, effective health care. The July guidance also soothed concerns about the minimum necessary standard, which deals with how much of a patient record that providers need to see. It had appeared that common practices, such as sign-up sheets and medical charts at bedside, would be prohibited. Not so, according to the guidance; these practices could continue.

Why did all this fuss begin? A hundred years ago, few people had insurance, so there were no insurance files. “A patient’s medical record typically existed only in the doctor’s memory. There was little ‘security’ because there was little to secure,” says Roy Rada of HIPAAdvisory. Because insurance is the norm today, records have supplanted face-to-face encounters and control has moved to the organization. Patients face major challenges in knowing what information exists.

Although most privacy advocates promote HIPAA’s medical privacy regulations, the Bush administration’s change that allows parents to access children’s records, including abortion and substance abuse information, has caused controversy. “They essentially say they are going to weaken the rights of minors,” says Ron Weisch, lobbyist for the American Civil Liberties Union. And although the events of September 11 should not affect HIPAA compliance, some privacy experts want to make sure that heightened security concerns do not overshadow privacy rights.

Potential problem
What is the pharmaceutical industry’s main concern with HIPAA? Because of upcoming changes in the disclosure of medical information, the practice of pharmaceutical companies obtaining patient information will change. According to Rosati, the pharmaceutical industry will be prohibited from getting lists of patients on medications unless patient authorization is obtained. Other affected areas include patient information used in clinical trials, and privacy concerns with equipment that stores patient information. The Pharmaceutical Research and Manufacturers of America (PhRMA) hopes that Secretary Thompson will fix some of the problems. “In order to develop safe and effective new medications for cancer, AIDS, heart disease, stroke, and other diseases, pharmaceutical researchers depend on information that physicians, hospitals, and health plans gather,” says PhRMA President Alan Holmer.

Hospital perspective
In language reminiscent of Y2K, many worry that hospitals are not doing enough to ready themselves for a slew of changes. Last February, an AHA survey on HIPAA readiness found that less than one-third of the 80 hospitals had a formal budget and less than 20% had a formal HIPAA implementation plan in place. Rick Holsclaw is Northern Arizona Healthcare’s designated expert on HIPAA. As chief information officer of a multihospital system in northern Arizona, he thinks that many people are trying to create panic. “Consultants are having a field day,” he says. “I get a call from a consultant every day who starts with ‘what’s your hospital doing for HIPAA?’” He says that consultants estimate that HIPAA will cost 2 to 3 times as much as Y2K, but he doesn’t buy it. “Y2K was real and took a lot of work, but the world didn’t end. I’m treating this like the Y2K project,” he says.

Although he admits that many of the policy changes will affect his system, Holsclaw views most of the changes as a software vendor problem. He has held numerous conference calls with his vendor, Shared Medical Systems, about HIPAA compliance. Holsclaw plans to implement the HIPAA changes with existing staff except for a consultant hired to perform a security analysis. Shared Medical, one of several top vendors, reports an increase in technical consulting, security, infrastructure analysis, and HIPAA seminars. “There’s definitely a heightened awareness for vendors and customers,” says Roger May, HIPAA program manager at Shared Medical, but he adds that many hospitals seem to take the upcoming changes in stride.

For Holsclaw, security standards offer the biggest challenge. His organization uses 80–100 separate systems that track who sees patient information—and these systems need to be consolidated. “No one knows how that’s going to be managed,” he admits. “We’ll have to merge all our sign-in logs together.”

To comply with HIPAA’s electronic standards, Holsclaw needs to move from a current 20% electronic submission of claims to 100%. By fall 2002, all electronic claims must use a standard format instead of the many formats used today. Most other hospitals are further along on electronic claims, with a national average of 85% for hospitals compared with 64% for all health care claims—hospital, physician, pharmacy, and dental. Any organization that submits electronically or has another company submit electronically on its behalf must comply. MaRiane Alva is the business manager of an eight-physician office in Flagstaff, AZ. Although she has witnessed an amazing difference with the portability part of HIPAA, as patients who change insurance can continue coverage for preexisting conditions, she does not foresee big changes with the privacy and security standards. “We already have strict confidentiality rules here, and I’m not worried about the security and transaction aspects,” she says. “In many offices, the software vendors will pick up the costs in their upgrades.”

Increased costs
At Blue Cross Blue Shield of Arizona, Vice President Gene Carruth says that his company’s biggest challenge is making the management of data that it receives compliant as it travels through 10–20 departments. “It’s internal infrastructure, not the movement of data—we’ve been doing that for years,” he says. Whereas some health plans have up to four or five systems to change, his organization’s concern is the adjudicative system that takes in claims and churns out checks. To do that, Carruth hired a full-time project leader and has 17 teams, involving 250 people. “We’re talking several million dollars invested in just the people time alone, and that doesn’t include system and computer changes.”

The Blue Cross Blue Shield Association, along with the American Medical Association and American Public Human Services Association, has legislation before Congress that extends the regulations until two years after all the rules under HIPAA have been published—which could mean 2004. Says Carruth, “Let’s do this right. Publish all the rules, clean up the ambiguities so we don’t have to rework our systems when each new regulation comes out—that gets very expensive.” However, it appears that legislative delays have been squashed by some powerful patient privacy advocates, who include Senator Edward Kennedy.

Carruth, who says that his organization has realized most of its projected savings with a high rate of 75% electronic claims, foresees increased costs with the myriad regulations. “Costs will go up and are paid through premiums and hospital bills,” he says. “Approximately 85% of insurance is health care costs, and 15% administrative costs. These regulations will reduce administrative costs. But are we really tackling the right problems?”

Linda Richards is a freelance writer living in Flagstaff, AZ. Send your comments or questions regarding this article to mdd@acs.org or the Editorial Office by fax at 202-776-8166 or by post at 1155 16th Street, NW; Washington, DC 20036.

Return to Top || Table of Contents

 CASChemPortchemistry.orgPubs Page