Confusion, fear’ reported as HIPAA deadline nears
It’s understandable, access leaders say
Confusion and fear are the name of the game with a broad range of people and organizations as the April 14 compliance date for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule nears.
That’s according to the National Committee on Vital and Health Statistics, a statutory public advisory body to the secretary of Health and Human Services (HHS) in the area of health data and statistics.
Access professionals tell Hospital Access Management the emotions described in the committee’s findings are more than understandable.
"This legislation is extremely cumbersome," says Beth Ingram, CHAM, director of patient business services for Touro Infirmary in New Orleans. "Combine that with some ambiguity and the absence of clear, concise answers from the oversight agencies and we are virtually on our own to implement as we interpret the requirements."
That ambiguity, she points out, "leads to the fear of enforcement and the potential for frivolous lawsuits that plague us in so many other areas."
A delicate, sensitive balance
Pete Kraus, CHAM, business analyst for patient accounts services at Emory University Hospital in Atlanta, wryly notes, "It’s our bureaucratic federal government trying to direct the proceedings. So implementation guidelines are unclear and communications garbled. What else would you expect?"
Kraus adds that the HIPAA rules are, "probably out of necessity, very complicated, and the balance between privacy and business efficiency/viability is both delicate and sensitive."
Several witnesses told the committee that less than half of all small providers had made any effort to comply with the privacy rule and that some have no intention of trying to comply.
"One witness reported that some rural providers have given up on compliance and adopted the position that I can’t do this — let them catch me,’" the committee reported in a letter to HHS Secretary Tommy Thompson after three public hearings it held to learn about implementation activities of entities covered by HIPAA.
Ingram says she "can certainly understand how the smaller facilities who do not have in-house legal expertise to dedicate to this would be struggling to understand and implement as required. We can only hope that enforcement is fair and recognizes the complexity of issues each organization is confronted with."
She notes, however, that she is aware of a number of organizations that are developing training and implementation packages designed specifically to help these smaller facilities. "Of course," Ingram adds, "this doesn’t begin to deal with all the vendor relationships, changes to information release procedures, storage of required data, etc., that remain specific to each organization and its own processes and systems."
"Even more troubling are the potential adverse effects on the health care system," the committee’s letter to Thompson continued. "Some witnesses said that some Medicaid and other safety net providers may drop out of the system of providing care to indigent patients because they cannot afford to absorb the costs of complying with the privacy rule, and there is no way to pass along the costs."
Improve education and outreach
The 18 private-sector individuals on the committee have, according to HHS, distinguished themselves in the fields of health statistics, electronic interchange of health care information, privacy and security of electronic information, population-based health research, purchasing or financing health care services, integrated computerized health information systems, health services research, consumer interests in health information, health data standards, epidemiology, and the provision of health services.
The group said in the letter to Thompson that despite widespread support for the goals of HIPAA and the privacy rule, there are many problems still to be resolved and not much time in which to address them.
The letter suggested that the HHS Office of Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) improve their coordination of education, outreach, and technical assistance, by working more closely with different industries, states, and federal health care programs.
In particular, it said, OCR should improve its responses to HIPAA-related questions and enhance its web site to help explain the compliance process. And, it said, HHS should recommend that Congress provide financial assistance, through grants, increased reimbursements, and incentives for providers struggling to comply with HIPAA.
OCR guidance faulted
The committee reported that many witnesses at the hearings said they viewed OCR as not providing adequate guidance and technical assistance. In particular, they "lamented the lack of model notices of privacy practices, acknowledgments, authorizations, and other forms.
"Many witnesses also complained that general guidance was of limited value because of their special industry or professional circumstances. Witnesses conveyed a great sense of frustration that they could not obtain any clarifications from OCR or answers to the questions they submitted via OCR’s web site."
Many witnesses indicated to the committee that issues of preemption made compliance much more difficult, costly, and complicated. To determine whether state privacy laws or the HIPAA privacy rule applies to many health privacy issues, covered entities have to obtain a comprehensive pre-emption analysis detailing whether state or federal laws apply.
The committee said the analyses often are lengthy documents that are expensive to research, highly technical, and not binding on any enforcement agency or the courts. Large, multistate covered entities need to have an analysis for every jurisdiction in which they do business, and there is no national coordination on the issue of pre-emption, and state and local efforts vary widely in their degree of completion and the cost to obtain copies. A related issue, the committee said, involves conflicts and overlaps between HIPAA and other federal laws dealing with privacy.
Based on testimony at the hearings, the committee declared that "the lack of clarity on compliance responsibilities, the unavailability of free and authoritative model forms, and the absence of widely available training materials have left many covered entities lacking the wherewithal to come into compliance."
The committee also cited fears of witnesses surrounding HIPAA. Many expressed concern about the possibility of overzealous enforcement by OCR and private lawsuits, both of which were expected to be costly to defend.
Other witnesses said that fear of violating HIPAA has resulted in negative health outcomes, including providers refusing to share patient medical information that would be helpful in treating another patient, and a decline in mandatory or permissive reporting of essential health data to public health agencies, tumor registries, and other entities.
Another key area in the remaining months will be training, the committee said. "Millions of health care workers will need to be trained in the next few months, but there is a shortage of expertise, materials, and funding."
Overwhelmingly, witnesses said that generic training will not work. To be successful, they say, it must be customized by industry, entity, and job description.
"In addition, consumers have received virtually no information about HIPAA, and it will be difficult for them to understand the basis or context for the myriad notifications, authorizations, and other forms with which they will soon be presented. Public education is complicated by consumers’ varying levels of education, cognition, and language proficiency."
The committee said it is aware of the limited resources available to the department, and urged that as much as possible be given to OCR so it can accomplish the massive technical assistance, outreach, and education efforts needed in the coming months to ensure successful privacy rule compliance efforts.
(Editor’s note: Hearing testimony and other materials may be downloaded from the committee’s web site at www.ncvhs.hhs.gov.)