HIPAA Privacy: Helping or Hurting Healthcare?
Published: April 07, 2004 in Knowledge@Emory
Specifically, the HIPAA privacy rules prohibit healthcare organizations, insurance companies and healthcare plans from using or disclosing personally identifiable health information unless they have written consent from the patient. There are a few exceptions to this legislation—including but not limited to matters of public health, medical research, or an instance of abuse or some other crime. The security provisions require those dealing with medical data to protect the information from threat or hazard, through physical, administrative and technical safeguards.
Of course, medical practitioners, insurance brokers, and administrators for self-insured health plans complained when HIPAA was announced. They noted that they had already spent considerable time and money on complying with state regulatory requirements, Medicare and Medicaid reimbursement, private insurance demands, state licensing matters and more. But the additional needs spawned by HIPAA did not go unnoticed. Service providers in the medical informatics field were quick to offer up their services on HIPAA compliance. The medical informatics industry includes companies designed to facilitate analysis and management of healthcare information, generally through IT efforts. Some of these medical informatics companies are merely designing very straightforward systems and software to handle many of the HIPAA privacy and security concerns. Others are using more cutting edge technology to control access to medical information—including everything from biometrics (fingerprint scans) to smart card technology.
But just how well is this new industry responding? More importantly, how can healthcare professionals tell a good medical informatics firm from a bad one? Much of it remains to be seen, says Chip Frame, managing director of the Center for Healthcare Leadership and a professor of marketing at Emory University’s Goizueta Business School. He suggests that the size of the medical organization will generally dictate whether or not it chooses to outsource its HIPAA compliance. “If a hospital has an existing provider for other IT consulting, then HIPAA work will be just another engagement for them.”
Frame adds that smaller medical practitioners and healthcare concerns that have never had a consulting relationship before will be behind the 8-ball, as they may have no idea what to expect or how to judge the quality of a medical informatics company. He notes, “HIPAA compliance could be a big undertaking, and then the concern will be what the appropriate pricing structure should be on this sort of consulting work. There are a lot of unknowns for the smaller medical provider.”
As well, much of HIPAA is left up to interpretation. Dan Rode, vice president of policy and government relations at the American Health Information Management Association (AHIMA), admits that “the privacy and security requirements are not necessarily the same from one business to another.” AHIMA is a non-profit trade group based in Chicago. Generally, those that have not filed medical insurance claims and other transactions electronically, usually smaller healthcare providers, are not subject to HIPAA if they plan to stay with a paper system. Surprisingly, says Rode, many medical providers are behind the rest of the corporate world when it comes to adopting technology. Written medical charts and filed medical tests are still very common, versus the newer computerized systems that allow doctors to save patient data in a centralized database or link medical devices to information systems.
Rode contends that the accounting aspect of HIPAA will probably become the most difficult part of the legislation. (The legislation requires that a log of all disclosures of patient information be maintained for at least six years, so that a patient can see the trail of data transmission on request.) With about two to three million providers of healthcare (including hospitals and individual practitioners), notes Rode, capturing and logging all of the data exchanges will be onerous. This is where medical informatics firms may find a growing niche.
Benn Konsynski, professor of decision and information analysis at the Goizueta Business School, believes that HIPAA may be just the bureaucratic straw to break the medical establishment’s back. And unfortunately, he notes that many patients are not even sure exactly what they are being handed when they receive the privacy notifications in their doctor’s office. Konsynski believes HIPAA compliance is difficult to implement, simply because there are so many other underlying problems in the system that would first need to be resolved. He adds that while many changes are needed, HIPAA is a mixed bag of benefits and bureaucracy.
Paul M. Davis III, MD, CEO of the medical informatics firm Uniliance Health in Atlanta, adds, “The low reimbursement schedules for caring for Medicare patients are only one of many factors that are pushing private healthcare providers out of the system. Others include the complicated compliance issues with HIPAA as well as liability issues dealing with the Medicare system and the patient. All it takes are a few billing mistakes, and your practice could be under a federal investigation for Medicare fraud. For many physicians, these ‘hassle factors’ far outweigh the positives.” Konsynski agrees with Davis’s contention, noting that “many on the healthcare side are opting out of the industry because of the bureaucratic nature of the system and the costs going forward.”
Considering the flurry of activity in the medical informatics field regarding HIPAA, it would be safe to say that the industry is booming. Says Davis, “HIPAA is certainly a significant influence in the healthcare industry’s move to more sophisticated information systems. Another motivating factor is that as much as 30% of the healthcare expenditure in this country is due to administrative processes.”
Another medical informatics company, eMedicalFiles in Atlanta, uses smart card, biometric and Internet technologies to assist patients, providers, payors, employers and the government with privacy, fraud and HIPAA compliance. Says Wayne Singer, the company’s senior vice president of marketing, often the biggest concern in this new world of privacy matters is who will become the healthcare organization’s privacy officer—particularly since this role will continue to grow in responsibility. “Small to medium sized places will not hire a person for this role. They will simply reinforce the issue with employees, notify patients of the privacy issues, as they have to, and now they will have to deal with documenting their security actions and the information transmitted.”
Peter Cizik, managing director and co-founder of HIPAA Solutions Rx in Beaverton, Oregon, believes that there are plenty of small healthcare providers interested in a vendor that concentrates solely on HIPAA compliance. Cizik views the benchmarks for security and privacy in the legislation as wise controls for a small business to adopt. For now, he notes that the weakest part of HIPAA appears to be the enforcement end of it. “There really are no large groups overseeing this—only the Centers for Medicaid and Medicare Services. The enforcement mechanism is complaint driven, and the patient can go to their site and submit a grievance to the Office of Civil Rights. But the onus is on the patient completely, and the patient may be unaware of when a violation has occurred.” Cizik adds that HIPAA doesn’t give the patient the right to sue if there is a violation. But the business that commits a privacy breach could be fined. (The enforcement end of it, of course, is subject to change.) As well, current privacy laws in many states already allow for prosecution and civil litigation when medical information is leaked.
HIPAA is set up to allow changes to the legislation once a year. Hopefully, says Konsynski, this will allow the legislation to respond to the needs and demands of the patient and the healthcare industry. Much of where this is all going, however, remains to be seen, as deadlines to comply with portions of HIPAA are staggered. Large medical organizations were supposed to meet many of the privacy rules by April 2003. However, health plans with less than $5 million in premiums collected or claims paid, as well as healthcare organizations with 1,500 or fewer employees, have until April 2004 to comply. The security part of HIPAA has a compliance date of April 2005, with small health plans and medical organizations having an additional year to resolve these issues. As for uniform electronic interchange formats, no deadline is currently set, since the original date was pushed back a number of times when the industry balked at compliance.
However, even President Bush in his recent State of the Union address brought up the need for adoption of uniform data standards for patient medical record information (PMRI) to streamline the bureaucratic process. More healthcare organizations and related entities are moving to XML, or Extensible Markup Language, for their information systems to comply with the HIPAA mandates for transferring and sharing administrative data, notes Uniliance Health’s Davis. (It is likely XML will emerge as the standard language for sharing clinical data, though further government intervention may be necessary to expedite the standardization process and to ensure privacy and security.)
Says Benjamin G. Druss, MD, a chair in mental health and an associate professor in the department of health policy and management at the Rollins School of Public Health at Emory University, “HIPAA is at best a double-edged sword for medical informatics, quality improvement, and health services research. It does require moving toward a uniform dataset, which may eventually be helpful in standardization.” However, it also makes it much more challenging to obtain access to data, even when the goal is not to identify individual patients but to track patterns of diagnosis or service use over populations. “Whereas the main goal of HIPAA was to prevent individual patient data from being misused—for example, sold to private marketing companies—the negative effect on quality improvement and research may be an unintended and unanticipated consequence of the law.”
(This is the 3rd article in a series on Technology and Privacy)