
The HIPAA Headache

It's complex, costly and confusing. Most states are still trying to figure out what the law that standardizes electronic health data is all about.
March 2002

"Doctor HIPAA" has a remedy for those who are finding the Health Insurance Portability and Accountability Act to be a pain. "Get on with it, or you'll be left way behind," says Bill Braithwaite, who earned the nickname when he was in charge of writing HIPAA regulations for the U.S. Department of Health and Human Services.

For most state and local governments, as well as for private industry, that medicine is hard to swallow. In part, that's because HIPAA is enormously expensive to implement. But it's also because HIPAA is so far-reaching and complicated: a three-pronged federal mandate that covers rewriting transaction codes for health information, developing a policy for keeping that information private, and coming up with a security system to maintain the integrity of that data as it moves through cyberspace and myriad computer systems. "There's a tendency for those not really involved with HIPAA to look at it as a technology problem, as something like Y2K where you can just fix a database," says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, known as NCHICA. "But technology is only 25 percent of the challenge. The rest is changing policies, cultures and business practices. HIPAA is a major shift in the way we do health care."

Moreover, HIPAA's reach is more encompassing than anyone in the states thought it would be when the U.S. Congress passed the law in 1996. HIPAA applies to every health care provider, health plan or clearinghouse--in short, nearly anyone who bills or pays for a health service. The only ones excused are those who do not transfer any information electronically. In effect, that means that HIPAA covers just about any public program or private company dealing with health records.

On the government side, HIPAA clearly affects public hospitals, insurance programs for state and local employees and Medicaid. Less obviously, HIPAA extends to many agencies that one wouldn't intuitively put in the health care column. Corrections departments, for instance, can fall under HIPAA, depending on who runs prison health services and how. Education systems are likely to be HIPAA-impacted since most schools deal with student health records, and should they so much as fax a student's vaccination record, that would be an electronic transfer of health information.

When Washington State did an analysis of which departments would fall under HIPAA, it found that, in addition to corrections and schools, the Department of Labor and Industries was involved. Although workers' compensation programs are specifically excluded from HIPAA, the department has other programs that aren't, such as a program on occupational safety and health and one that provides benefits to victims of crimes. Beyond affected programs, the agency decided it didn't want its workers' comp program to be an island in a HIPAA-compliant sea. "We do 1.8 million electronic transactions a year in workers' comp," says Simone P. Stilson, the HIPAA project manager for business and policy at L & I. "If providers have to send electronic transactions to everybody else in a standard format, will they be willing to keep a separate system to submit electronically to us or willing to send us paper bills instead?"

In addition to its own agencies, Washington State is also concerned about its municipalities and the private vendors with whom its health care departments do business. If they aren't HIPAA-compliant, all the work the state does to meet HIPAA's streamlining requirements will not add up to the efficiencies that HIPAA promises. In order to get everyone moving forward together, the state has been sponsoring seminars and meetings within and across state agencies, as well as with localities and businesses, and setting up intranet and Internet Web sites for sharing information.

Officials who oversee state Medicaid programs are also worried that their trading partners will not be compliant and cause real problems. "If people are not ready, you'd have to take their paper claims," says Michelle Mickey, senior policy associate with the National Association of State Medicaid Directors.

One of the more pleasant HIPAA surprises--in a program that has more than a few nasty ones--is how collaborative the compliance efforts have been among states. "It's been one of the most amazing things about HIPAA," says Leah Hole-Curry, legal counsel to Washington State's Department of Health. "People all across health care have pitched in to work together."

There are national groups that work on HIPAA issues across state programs. State Medicaid programs, for instance, have a task force under the National Association of State Medicaid Directors; all 50 states belong to it and are working through it to solve mutual coding challenges. There are also organizations that provide HIPAA information and work groups for all state and local government departments and agencies, regardless of program.

HIPAA GIVES (Government Information Value Exchange System) is both a Web site for the exchange of information and a teleconferencing site for discussion of mutual problems. As a state creates, say, research on a comparison of its state laws to the federal regulations, GIVES puts that up on the Web site so that other states don't have to begin at square one.

CRACKING THE CODE

"HIPAA is the biggest upgrade of health care technology in the United States since we discovered bacteria," says Richard Varn, Iowa's chief information officer. It is a matter of rewriting hundreds of fields of health code, which can vary not only from state to state but from agency to agency, to say nothing of local governments or public versus private entities.

With the fragmented and customized coding systems now in effect, a provider's billing office often sends one form with health care information to Medicaid and another form to Blue Cross-Blue Shield and still another to a third insurance company. HIPAA standardizes all the coding; the data fields are redefined. When everyone's compliant, the same claim format can be used to send information from one payer to another.

The analogy that Sally Klein, HIPAA coordinator for Montana's Department of Public Health and Human Services, likes to use is an ATM card. She has one with her bank in Helena. If she goes to Italy on vacation, she can swipe the card at an ATM in Siena, enter her PIN, and her bank in Helena tells the bank in Italy that she has enough money for the lira--now euros--that she wishes to withdraw. "All of that happens in a standardized, secure system," Klein says. "Health care can get to that point. It's just going to be a harder and more complex transaction."

The biggest complexity for the states is something called local codes. Beyond the accepted national health care codes that everyone will be conforming to under HIPAA, there are local codes that states and their agencies have, in effect, made up, mainly for services that Medicaid provides but the private health care sector doesn't.

There are some 30,000 local codes--different codes for similar services in different states and, sometimes, within different agencies in a state. Many are variations of one service--one code, for instance, might mean 15 minutes of a registered nurse's home visit to a developmentally disabled patient; another code might mean 30 minutes of the same service for the same type of patient; yet another code would mean the same type of visit and service for a different kind of patient.

Under HIPAA, local codes have to shrink to a few hundred that everyone can use. That's where the cooperative efforts come in. Representatives from all 50 states' Medicaid programs are working with the National Medicaid Electronic Data Interchange HIPAA workgroup to cross-reference, reduce and standardize the codes. In so doing, however, a lot of the specificity in a state's existing local code will be lost. So, when the new codes are available and ready to be put into use, the impact on a state's system will be enormous. "It means not just changing your computer system but your reimbursement structure, how you capture data and how you delineate differences if those differences are no longer captured in a code," Mickey says. "Whenever I think about it, I can't imagine being someone implementing it."

THE PRIVATE EYE

Complying with the privacy part of HIPAA--what health information can be shared and with whom--should be a little easier. Many states have passed and are implementing their own privacy laws or patients' rights laws that cover privacy. Washington State, for instance, passed a Patients' Bill of Rights in 2000, and the state is moving ahead in patient-privacy protections by doing a line-by-line comparison of its state laws with HIPAA requirements. "Wherever state law is less stringent, that will be overridden," says Vicki Hohner, Washington State's expert on HIPAA privacy issues. "Where the law is tighter or more protective, it will stay."

For the health care industry overall, adjustment to the privacy rules won't be a big stretch. After all, doctors and nurses have a long history of considering patient information confidential. The issue that HIPAA addresses is the modern extension of that idea from an era in which a patient's health information was safely ensconced in paper records in a doctor's filing cabinet. Today, that information gets transmitted to a much wider world--to employees who deal with insurance claims, to contractors at testing labs. Where states could run into privacy problems, for example, is with a private contractor whose job is to confirm that someone who applies for state assistance is pregnant. That's a piece of health information that ought to be treated confidentially. "In the past, that hasn't been a problem because it was on paper only and we could control that," says Jim Stevenson of Washington State's DHHS HIPAA office. "When that goes electronic, it becomes much more sensitive."

To protect the privacy of that information, states and localities will have to take a variety of steps. It could mean something as simple as buying a shredding machine for faxes that contain health care data. Or it might mean training staff to make sure that new procedures--such as shredding faxes--are understood and followed. Or printing new authorization and consent forms because HIPAA requires those to be separate documents.

It also involves appointing a privacy officer for a department or agency. A privacy officer's responsibility would encompass things HIPAA requires but the bailiwick also could be expanded beyond that.

THE SECURITY PIECE

Although the federal government is promulgating separate regulations regarding security, in theory much of privacy protection blends into security, which is the means by which information is protected. "Where privacy says you can't share information about Joe's health, security makes you lock the door," Hohner says. In part, security is about such things as bolting the doors of cabinets that contain health care information. But it's also about technology so that the infrastructure used for transmitting information has the necessary encryption or other mechanism to make it secure.

"HIPAA challenged us to take another view of all the different ways health information is processed through our agency and decide whether we needed to do more than we were already doing to protect it, and if so, what, who and how long would it take," says Washington State's Stilson. "The assessment process has been intensive. But health care information is health care information. Whether you cover 90 percent of the population or 10 percent, it's important to protect it."

LOOMING DEADLINES

For everyone involved, the compliance clock is ticking. Transaction codes are up first: All affected health systems--private physicians, hospitals, insurance companies, state and local agencies and programs--are supposed to have their databases recoded to the national standard by October 2002. Congress, however, recently passed a one-year extension. While that provides the possibility of a little breathing room, in order to win an extension, an entity has to apply for it and spell out in detail its plan for compliance.

The privacy deadline comes up in April 2003. Security awaits HHS's regulations; everyone is supposed to get 26 months from the date of issuance of the regulations to comply.

Will the players cross the transaction-code finish line on time? In the private sector, that is looking highly to extremely doubtful, depending on which survey you read. According to the Healthcare Information and Management Systems Society, nearly 75 percent of the 925 hospitals, physicians and other providers surveyed in October (before the extension was granted) had yet to complete a HIPAA assessment of how they were affected and what they needed to do. Gartner Inc.'s survey of 99 providers found 85 percent had yet to complete assessments.

A survey by the Health Care Compliance Association that keyed in on privacy compliance was more hopeful. It found that 93 percent of the 237 health care providers surveyed--about half of them were hospitals--had established a HIPAA task force and that 77 percent had designated a privacy officer. Forty percent have developed organizational structures delineating responsibilities for privacy and security, and one-third have developed cost estimates for privacy, security and transaction requirements.

As to state and local governments, a Gartner survey taken just before the extension found the majority of state officials surveyed were unsure whether their jurisdiction would meet the deadlines; only 6 percent of chief information officers surveyed expected to meet the October 2002 deadline and 63 percent didn't know whether they would be able to comply.

ROUGH ROAD AHEAD

Part of the problem is simple denial--a deep-seated wish that HIPAA would just go away. Or confusion over whether HIPAA is for real. "The federal government missed so many deadlines for finalizing regulations, there was no sense of urgency," says Karen Tomczak, director of North Carolina's HIPAA Program Management Office, whose state got an early start on HIPAA. "A lot of people were saying, 'They're not meeting deadlines, I'll worry about it when it happens.' It would have been great if HHS had stayed on schedule."

Meanwhile, the biggest barrier is the usual one: funding, and even more specifically, gaining visibility and winning support from those who hold the purse strings. On the state level, it's been hard in many states to get legislatures to comprehend what the fiscal challenge is, much less to fund it. But there's an even greater challenge on the local level. "I doubt if more than a very small percent of local governments even know what HIPAA is and how it will impact local health departments, emergency medical systems and medical records in the judicial system," says Anderson of North Carolina's health information alliance.

One argument that ought to carry legislative weight is the money HIPAA is expected to save--eventually. On average, 26 cents of every health care dollar is spent on administrative overhead. The standardized coding of all electronic health information is slated to cut those costs down to five cents on the dollar.

Unfortunately, the tab to get there is enormous. Compliance with HIPAA's coding and privacy pieces--since security rules haven't been released yet, costs are unknown--is upwards of $10 billion industry-wide. Estimates for the government share of that tab are around $3 billion. The money won't be easy to come by, especially since most states are stuck in a recession-budgeting mode: Legislators are more apt to cut money for HIPAA than to scale back on program benefits.

Iowa's Varn says he originally planned to put $3 million into HIPAA. Then the legislature cut his capital budget from $18 million to $9 million. When Varn apportioned money for mandatory programs that were already underway, he was left with $300,000 to spend on HIPAA.

Medicaid, which faces the biggest re-coding task, should be in the best fiscal position. The federal government's match for updating the Medicaid Management Information System's code is 90 federal dollars for every 10 in state funds; for regular operation changes, it's $75 federal to $25 state. When money's tight, however, even that generous a match doesn't help. Washington State's share for recoding the Medicaid database comes to $2 million. With the state mired in recession and legislators targeting health programs for cuts, HIPAA was "taken off the table," says Hole-Curry. "We're struggling with other ways to fund it."

Montana's Medicaid officials figured out that their best option was to buy a new computer system rather than try to jury-rig the legacy system into compliance. The tab: $25 million. "That means the state still has to come up with $2.5 million, so we have to look at what's the best thing to do, what we can afford and how we can marry those up," says Klein.

Funding notwithstanding, Braithwaite, who's now a consultant in the private sector, keeps his eye on the big picture. "Health care is probably the most complicated human endeavor in history. This will make communication easier and increase the efficiency and effectiveness of health care in general."

CUTTING TO THE CORE

Two years ago, North Carolina gave Karen Tomczak her first marching orders: Determine HIPAA's impact on the state's Department of Health and Human Services. Last year, those instructions were expanded to include all state departments and commissions, as well as college and university boards. That was the universe for the state's decision to do a thorough business analysis as the first step in complying with HIPAA.

What her office decided to do, says Tomczak, the state's HIPAA Program Management Office Director, is not to assume that everything in a department falls under HIPAA rules. "It's really important to analyze what's covered and what's not, because you don't have to comply where you're not covered. Everything you do needs to go back to that."

Tomczak found that if a department was not one of the three types of entities described by law as automatically covered by HIPAA--a health care provider, a clearinghouse or a health insurance plan--then she had to drill down to the division level to see if there were some programs that could fall under HIPAA's umbrella.

After conclusions were drawn about whether an agency, division or program was covered by HIPAA, Tomczak and her team then asked the Attorney General's office to check their findings. "That way," she says, "if your decisions had to be explained in court, they could be."

It's also important, Tomczak adds, to use the same method and team--including the lawyers--to review every agency and conclusion. "You want consistent review of all agencies across the state. If you have different people doing it, you won't go through the exact same steps."
