HIPAA Regulatory Alert

HIPAA should trump other privacy laws

Multiplicity of rules makes compliance difficult

The American Hospital Association says the multiplicity of privacy rules from local, state, and federal governments, accrediting bodies, and other organizations makes compliance difficult and can interfere with patient care. In testimony before the House Science and Technology Committee Sept. 26, HCA Inc. senior vice president Noel Williams said that simply identifying all the relevant rules can be a monumental task, let alone determining how to comply when the laws may conflict. "A single set of privacy rules is needed to facilitate the use of IT and ensure access by health care providers to needed information at the point of care," Williams said. "Specifically, federal privacy laws as laid out in the Health Information Portability and Accountability Act should preempt state and local privacy laws." The hearing was held to consider the need for interoperability and information security in health IT and HR 2406 sponsored by Rep. Barton Gordon (D-TN), the committee chairman. Williams reported that in a survey of 1,500 hospitals, more than two-thirds said they had either fully or partially implemented electronic health records. Large, urban, and teaching hospitals were more likely to have fully implemented electronic health record systems. She also said adoption of information technology and information sharing will increase when health information and IT applications are more standardized. Currently, she said, hospitals devote considerable staff and financial resources to creating interfaces between systems or other IT "workarounds." The problem, she testified, is a need to select a single set of standards and get consensus among health care stakeholders to use those standards. Also commenting on the need for generally accepted standards was American Health Information Management Association CEO Linda Kloss, who noted that throughout the United States, other industries are sharing data and cutting administrative costs because they are using uniform standards.

Health care has not followed other industries

"This has not been the case in the past in health care," she said. "For instance, today we use standards required by HIPAA. We, therefore, adopted an X12 standard for claims, the X12-837. Unfortunately . . . there are now over 1,000 different instructions for the use of the X12-837 in the health care industry. If we are to achieve interoperability and use standards like other industries, this should not happen or be allowed to happen. "The health care industry has over 1 million providers, thousands of health plans and payers, a potential consumer base of over 300 million individuals, and some 1.44 million employees offering some level of health care, along with numerous government agencies. Achieving consensus on complex standards and understanding of their uniform application is a monumental task even with shared vision." To date, according to Kloss, the U.S. health care system has had only limited success with adopting and using standards. She said the standards chosen to be included under HIPAA were reviewed by the National Committee for Vital and Health Statistics (NCVHS), which takes considerable public comment but is not a public/private entity that engages the industry and government. The result has been a limited adoption of several of the HIPAA standards and an inconsistent use of the more common claims standard and remittance standard.

Barriers to uniform standards

Kloss discussed several barriers to uniform standards adoption, including reimbursement issues as many physicians indicate they will not even consider adoption of health information technology and standards until the Medicare and Medicaid reimbursement formulas are corrected and they are paid adequately. Gordon opened the hearing by noting that the biggest barrier to broad implementation of health IT systems is the lack of technical standards to support interoperability while protecting data security. "It is wasteful to start investing in technology until we know it is interoperable, as the cost to upgrade to new systems would eat up any immediate cost savings," he said. Gordon's HR 2406 would authorize the National Institute of Standards and Technology (NIST) to increase its efforts to support the integration of the health care information enterprise in the United States. It instructs NIST to advance health IT integration while working with health care representatives and federal agencies to develop technical roadmaps for health IT standards. It also requires NIST to create or adopt existing technology-neutral guidelines and standards for federal agencies.