The trusted source for
healthcare information and
HIPAA compliance becoming even harder
With the American Recovery and Reinvestment Act of 2009 (ARRA) expanding the Health Insurance Portability and Accountability Act's (HIPAA) patient health information privacy and security protections beyond what most already considered a compliance nightmare, some legal and privacy experts are saying the expansion may have taken compliance from merely difficult to nearly impossible to achieve.
HIPAA previously applied only to individually identifiable protected health information used by health care providers, health plans, and health care clearinghouses; vendors providing administrative services to those covered entities were not covered by HIPAA. But ARRA applies several of HIPAA's security and privacy requirements to business associates, while also expanding the definition of business associate. ARRA also changes data restrictions, disclosure, and reporting requirements.
In addition, the U.S. Department of Health and Human Services' Office of Inspector General has criticized lax enforcement of HIPAA, saying in a letter to CMS acting Administrator Kerry Weems that audits show "numerous, significant vulnerabilities" that put patient data "at high risk." (Editor's note: For more on that report, go to http://oig.hhs.gov/oas/reports/region4/40705064.pdf.)
The inspector general recommended that the CMS establish policies and procedures for conducting more HIPAA security-rule compliance reviews of covered entities.
Greg Scandlen, senior fellow and director of Consumers for Health Care Choices with the Heartland Institute, a think tank in Hagerstown, MD, was involved in formulating the new privacy provisions, but he still worries that HIPAA is growing too much. Scandlen would have preferred an entirely different approach to protecting patient privacy, but now that we have HIPAA, he says, fine-tuning and additional safeguards are necessary.
He says the new provisions will make compliance more difficult.
"I would argue that the federal government never should have gotten involved in health IT, and this is the consequence of its misadventure," he says. "Patient privacy is essential to the success of a health IT transformation, because otherwise we will never get patient buy-in. But privacy assurances would have been done better if health IT had been allowed to grow organically in the market."
With that method, various approaches could have been tried out on a small scale. The ones that best matched privacy and IT efficiency would have grown and the ones that didn't would have failed, Scandlen says.
"But once the feds start mandating and funding a new system, the regulatory process is the only safeguard available," he says. "This is a clumsy and inefficient way to do it, I grant you. But it was the result of overreaching by the feds."
Like many health care professionals, many people in the data industry think HIPAA was never really needed in the first place, says Jeff Kubik, president and CEO of Employee Benefit Risk Management Services Inc., a company based in Oak Brook, IL, that provides data management services to insurers.
"I have been in health insurance administration for decades, and HIPAA privacy has never been a health insurance industry problem," he says. "It was an unnecessary law from the get-go, and a huge waste of money. Furthermore, I never had a medical privacy issue raised and have never heard of an instance where medical privacy was voided."
Kubik says the recent changes to HIPAA are just an example of a federal law that is now entrenched and likely will be expanded again.
"They have created this impression that there is a big, serious problem involving people's privacy in health care, and I just don't think it's true," he says. "Nobody disagrees with keeping people's information private, but these burdensome laws just are not needed."
For more information on HIPAA, contact:
Jeff Kubik, president and CEO of Employee Benefit Risk Management Services Inc., Oak Brook, IL. Telephone: (630) 323-0600. Web site: www.ebrm.com.
Greg Scandlen, Senior Fellow and Director, Consumers for Health Care Choices, Heartland Institute, Hagerstown, MD. Telephone: (301) 606-7364. E-mail: firstname.lastname@example.org.