Accessibility vs. privacy: Health care battle heats up
‘HIPAA is Y2K on steroids’
(Editor’s note: This month, Hospital Access Management suggests strategies for dealing with some of the key regulatory challenges facing access managers and their organizations, including the Health Insurance Portability and Accountability Act, the advent of ambulatory patient classifications, and the new probe of Medicare same-day readmissions. In the next issue, look for information on Medicare secondary payer dilemmas, the challenge of keeping advance beneficiary notices up-to-date, and the latest on that cumbersome new discharge appeal form.)
Here’s a modern health care dilemma of epic proportions: At the same time the ability to move patient information quickly from place to place is skyrocketing, the privacy watchdogs are saying, "Not so fast."
As providers enter the electronic world of access, with patients self-registering or calling up their medical records over the Internet, the process is being reviewed through the confidentiality challenges presented by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
"It’s a national debate," says Jack Duffy, FHFMA, corporate director of patient financial services for ScrippsHealth in San Diego. "Some of the things the government has been writing regulations for in the past four years are starting to come down the pike. [Access managers] will live with this for the next two years."
Looking at the situation as "point, counterpoint," he says, "‘point’ will be the potential advantages of e-commerce, flexibility, and creating choices for patients in how to interact with administrative functions. ‘Counterpoint’ will be HIPAA and the overhead associated with [protecting] confidentiality."
There are systems to be developed and people to be trained to get health care providers where they need to be, adds Duffy, who says preparing for the ramifications of HIPAA "will take twice the effort of Y2K. It’s Y2K on steroids." With that in mind, he suggests, "40% of the consultants in America have reinvented themselves from Y2K consultants to HIPAA consultants."
In addition to the insurance portability provision that gives HIPAA its name, the broad-based legislation includes several initiatives, points out Sandi Coen, MBA, senior manager in the Harrisburg, PA, office of PricewaterhouseCoopers. "The [health care] administrative simplification piece, which requires one standard format for electronic billing, is what people are comparing to Y2K," she says. "The benefit to providers is that it will eliminate the need to have a separate set of transactions for each insurance payer."
Those regulations are expected to become final in July 2000, Coen adds, and the industry will have two years to implement them. "For providers, this will be wonderful because they can get rid of the different formats they’ve been using [for electronic data interchange]. Insurers will have to set up and change all of their systems to accept the new standard."
The accompanying dictates for protecting patient privacy will cause the greatest change for hospitals, Coen says. "The proposed rules create certain standards related to the protection of health information. They generally assume information will be used for payment and treatment purposes. Any time it’s used for something other than that, the hospital needs to get written authorization from the patient. Hospitals need to come up with new authorization forms, and they need to train all employees on when information can be disclosed and when it cannot be. There is an obligation to restrict the use of information. If the patient doesn’t sign the form, it has to be noted in the file that [the information] cannot be disclosed."
At present, patients can ask to see their medical records, but there is no requirement that the provider let them see the record, Coen says. HIPAA, however, gives patients the right to view the record and recommend changes, she points out. "That would have to be noted in the file — what the patient has recommended and why."
Hospitals need to set up a system that keeps track of every time a patient’s medical information is disclosed, to whom it was disclosed, and why, Coen advises. "For example, if a patient applies for life insurance, and the insurance company sends the form to the physician to sign off on, the patient must be notified that the request was made and must authorize it."
Under HIPAA, she adds, patients have the right at any time to see this "audit trail" kept by hospitals.
To allow the best protection, audit trails must record every instance of access to patient information, including read-only access, notes Mary D. Brandt, MBA, RHIA, CHE, vice president of professional services for San Rafael, CA-based QuadraMed Corp. "Many current audit trails record only additions or deletions to electronic information," she says. "Look for audit trail technologies that can analyze the large amount of information generated and flag suspicious patterns for further evaluation."
The broad authorization statements that access personnel now ask patients to sign basically say the hospital can use the information any way it sees fit, Coen points out. With the advent of HIPAA, hospitals no longer can use patient records for research or marketing purposes without specific permission, she says.
The proposed privacy regulations issued in November 1999 by the U.S. Department of Health and Human Services drew some 50,000 comments by the time the comment period closed on Feb. 17, 2000, Brandt says. "Those privacy regulations are pretty controversial. The most controversy from the hospital standpoint is caused by the [requirement that] patient data cannot be used for marketing and fundraising."
That means a hospital opening a new cardiac wellness center could not go to its database and send information about the new center — and perhaps a fundraising letter — to patients who’ve been treated for cardiac problems, she points out. "The hospital would have to contact each patient and say, ‘We would like to send you information about our wellness center. Is that OK?’"
Most hospitals are not very well prepared for HIPAA, Brandt says. "It’s just not anything they have put a lot of emphasis on. Unless they’ve had a security breach, most have assumed that people knew how to protect confidentiality and privacy." (See related story, below.) Most hospitals were so focused on year 2000 preparation that they are "just starting to wake up and say, ‘My gosh, there’s something else out there,’" she adds.
What they’ll discover, Brandt says, is that Y2K was just an information technology issue, while "HIPAA is much broader than that. There are legal, regulatory, and process issues that go across the entire organization. How much it will cost to comply, nobody really knows." The American Hospital Association predicts hospitals will spend up to 10% of their operating budgets on HIPAA, she adds, while other estimates say the cost will be two to three times that spent on Y2K.
Government estimates place the five-year conservative cost of the privacy regulations alone at $3.8 billion, she says.
The biggest part of HIPAA compliance, Brandt says, will go well beyond information technology (IT). "People say, ‘Our vendors will take care of that [from the IT side],’ but there is a lot of work to do with policy and procedures."