Mercy Hip to Internet Privacy Changes
On April 12, President George W. Bush allowed the second of three rules developed to implement the Health Insurance Portability Accountability Act of 1996 (HIPAA) to move forward.
The health care industry says the major, new privacy rules for personal health records will cost them billions.
The new rules say a patient will need to give consent for the doctor or hospital to release his medical information. And the health organization will have to keep records on who received the information.
The first HIPAA rule was released in October and dealt with standard billing and diagnostic forms for health care organizations. The last rule, dealing with security, is expected to be released this summer. The security regulations will deal with how medical groups keep information confidential.
While some hospitals are moving toward compliance, others in the industry are procrastinating in hopes that the rule is changed because the regulation is too costly and burdensome.
As it stands now, health care organizations have until April 14, 2003 to comply with the privacy rule.
“Our goal is to be HIPAA compliant on time,” said Steve Voyak, public relations director for Mercy Health System of Northwest Arkansas Inc. in Rogers.
“We have interdisciplinary teams in information systems, patient access, medical records, nursing and any department where patient care is given. Our teams are putting together plans to make sure no details are forgotten and there is continuity between hospital departments.
“Protecting the privacy and confidentiality of our patients has always been a top priority and the new regulations will make an excellent system even better.”
Mercy owns St. Mary’s Hospital in Rogers. Voyak was among a handful of local hospital spokesmen who recently attended the Arkansas Health Care Marketing Professionals spring meeting in Little Rock.
At the convention, Lawyer Lynda Johnson of Friday, Eldridge & Clark in Little Rock, was the featured speaker on HIPPA. For the last 15 years, her practice has been limited to all types of health care providers, and she is advising her clients to prepare for the changes.
“I don’t see HIPPA going away,” Johnson said. “Figures [for becoming compliant] have bounced around like four to five times what providers spent getting ready for Y2K. But unlike Y2K, it’s not a one-time expense and penalties could apply if you aren’t compliant.
“If the government finds out you’re not, then provisional and even criminal penalties could apply. HIPPA has a lot more teeth than Y2K.”
But because of concern from the health care industry, some modifications could still be made.
Secretary of Health and Human Services Tommy Thompson has up to a year to modify the rules, which he may do, said Dan Rode, vice president for policy and governmental relations at the American Health Information Management Association (AHIMA) in Washington, D.C.
“We don’t know what areas he would consider modifying, but one would think that he would try to go after the areas that were most expensive,” Rode said.
The health care industry paints a disastrous picture if the rules are allowed to go into effect.
“The possible result for hospital patients: a roadblock to care when the patient’s condition changes and care- givers need quick access to medical information to save a life,” said American Hospital Association president Dick Davidson in a news release.
And the problems are worse for hospital administrators, he said.
“These rules could create a bureaucratic nightmare, getting in the way of timely and effective patient care and needlessly adding billions to the nation’s medical bills,” Davidson said.
There are no estimates yet on what the rules will cost Arkansas hospitals, said Paul Cunningham, senior vice president of the Arkansas Hospital Association.
But some in the health care industry have estimated the cost to implement HIPAA nationally will be $42 billion. The savings to health care organizations, however, would be $30 billion over the next 10 years, said Don Asmonga, government relations manager for AHIMA.
Asmonga said it would be difficult to determine a dollar figure due to variables in the health care industry.
A lot of the cost is going to depend on the size of the organization, Rode said.
He also said the organizations will have to hire “an army of lawyers” to write the release forms. To save money, some of the larger organizations already have someone on staff to handle the implementation of the privacy rules.
But for smaller doctor’s offices, the rule becomes fairly simple to implement, he said.
“As long as they keep track on who they provide information to in the records …they got most of the rule taken care of,” Rode said. “So we’re not talking rocket science.”
The HIPAA privacy rule was a reaction to widely publicized stories of other organizations getting access to mailing lists of hospital patients, said David Wroten, assistant vice president for the Arkansas Medical Society.
But instead of a rule addressing that problem, “now we have one that’s going to affect everything from the minute you walk in the doctor’s office or the hospital,” Wroten said. “It’s going to require more record-keeping. It’s going to create hassles for both patients and their doctors.”
He said it’s not even going to guarantee the safety and confidentiality of the patient’s records.
But the real sting came from the first HIPAA rule, which went into effect Oct. 16. It deals with the transaction and code rules, which require health care providers, insurers and researchers to use the same codes in treatment, billing and information compilation.
That rule could also cost billions, Wroten said.
Hospitals have hundreds of thousands of dollars tied up in billing equipment, a lot of which is going to have to be changed, Wroten said.
“You can image the enormous task,” he said. “It makes Y2K look like a ripple on the ocean.”
The smaller doctors’ offices have it easier because they typically have a service that does the billing for them. But the third-party billing company would have to comply with the rule as well.
“There will be a tremendous amount of cost involved in getting everybody on this national standard,” Wroten said. “But once it’s done, it will drastically simplify the whole system — from processing health care claims to enrolling your business for health insurance. But it’s going to take a while, and it’s going to take a lot of money.”
Wroten said most organizations still are gathering information about the rules.
The Arkansas Medical Society and the Arkansas Hospital Association will host seminars so their members can learn about the rules, some parts of which fill several hundred pages.
At St. Vincent Health System, about 12 people have been working on HIPAA regulations since September, said Rick Bearden, senior quality analyst for the hospital.
Bearden said more people will be added to work on HIPAA as the deadline for implementation approaches, but more can be done now that the rules have been finalized.
“Everyone is concerned about their privacy,” he said. “The patient’s health record contains more elements that need to be protected than just about any other single record.”
The biggest concern, however, is having time to implement systems.
St. Vincent has already met a lot of the privacy regulations, but a complete policy review will be necessary to be sure everything is in compliance.
The University of Arkansas for Medical Sciences has been working on complying with the rules for nearly three years, said Kari Cassel, who is the co-chair of the hospital’s HIPAA Task Force.
She said the hospital is considering hiring a privacy officer to be involved in the privacy aspects of the regulation.
“There are pieces of it that are pretty daunting,” Cassel said.
Being a teaching hospital complicates compliance.
“The intent of HIPAA was not to make it impossible to deliver care or to stop education of our students or to prevent research,” she said. “The intent was to protect our privacy as patients; none of us argue with that.”