Confidentiality mandate is next major health care hurdle
The Business Review (Albany) - by Alan Moorse Business Review Reporter
With Y2K tensions eased at last, the health care industry is turning its attention to a challenge expected to be larger and more costly than stamping out the millennium bug.
The issue at hand is coming into compliance with two sections of the federal Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, that will mandate security measures to preserve the confidentiality of medical records and standardize electronic data interchange (EDI) among providers, insurers and government agencies.
One measure of the scale of this endeavor: Congress and the federal Office of Clinical Standards and Quality have been working on the detailed regulations necessary to implement the law since 1996, and while several drafts of the two sections have been released, the final versions are not yet ready. The first pieces, covering basic EDI transactions, are expected to take effect in June.
By government estimates, implementing the data standardization rules--Part 162 of HIPAA, officially aimed at administrative simplification--will cost health care providers and payers $5.8 billion between 1998 and 2002, more than offset by savings of $7.3 billion. Providers are predicted to come up a little short, however, with costs exceeding savings by $200 million.
Complying with the privacy regulation--Part 164--is projected to cost roughly $3.8 billion between 2000 and 2004.
"The legislation seems like it's huge, and it is," said Edward Rice, chief information officer for Ellis Hospital in Schenectady and Amsterdam Memorial Hospital in Amsterdam.
It's also well-timed for the industry, which is changing the way it handles information, increasingly turning to the Internet for data transfers, whether related to insurance claims, remote access to records, or telemedicine, he said. It reinforces the health care community's traditional emphasis on confidentiality and forces it to simplify its processes.
With the act, the government is giving the industry a road map to where the industry already wants to go, said Greg DeBor, a principal in the Boston-based health care consulting practice Computer Sciences Corp. and national director of its HIPAA initiative. Computer Sciences is an information technology and management consulting company, based in El Segundo, Calif.
To meet all the new requirements, health plans, data clearinghouses, physician practices, hospitals and the like will have to adapt their electronic records systems to a national standard, changing the format of nearly every data field in every system used to store, transmit or process health care information. They'll also have to protect all data that could be linked to an individual, allow patients to see and correct their records, and institute security measures to limit who can view any medical record and to track who has looked at each record, when and why.
Once the rules are issued, most members of the health care community will have two years to come into compliance, and there is some question whether that will be enough time. Small health plans will have an additional year to comply, and medical practices that don't file claims electronically will be held only to non-digital aspects of the regulations such as privacy rules.
Over the long term, the standardization rules are expected to yield tremendous savings for providers, said Arthur Gross, executive vice president and chief information officer for Albany Medical Center.
Currently, a hospital might file with 50 or more payers, each of which requires different data or a different format, forcing the hospital to invest staff time and money in keeping track of and complying with the myriad conflicting rules.
Universal standards will save them most of that trouble and expense.
Combining the data and privacy aspects of the law, HIPAA looks like a winner for patients, providers and payers, Gross said. But for it all to come true, the government must successfully walk a fine line, issuing, implementing and maintaining the complex systems necessary to achieve HIPAA's goals, without placing undue burdens on providers and payers, burdens that in the end would be shouldered by the patients.
The new rules won't cause total culture shock among providers, since federal and state laws already touch on some of the issues HIPAA is designed to address, and most providers have policies on privacy and security, he said.
Albany Med made an early start on compliance, assigning a senior manager to guide the effort and launching an assessment of its current systems and procedures, he said. The assessment is the first of four steps in the initial action plan, to be followed by a "gap analysis" of what the medical center has and what it will need, development of a detailed action plan and creation of a quality assurance program to ensure the plan is carried out properly.
Until recently, many providers were in deep denial of their need to get started on HIPAA compliance, said DeBor, who has been surveying them to gauge action and attitudes during seminars he's presenting in the nation's largest cities. They put off facing it, reasoning they had to handle Y2K first, and the regulations weren't even final, so there was little to be done anyway.
Insurers and clearinghouses had to begin earlier, since the regulations are certain to require them to conduct electronic commerce according to the new standards, DeBor said. Many, if not most, will have to revise or replace the lion's share of their records and claims processing systems.
"In my experience, the plans are taking this more seriously, saying, 'We've got to get started now.' The providers cover the spectrum" from not even begun to well on their way, he said.
Gross said the picture appears brighter from Albany Med's perspective. "The industry's mobilized, and it's moving ahead smartly from what we can see," he said.


