Cost of privacy rules could dwarf Y2K, experts say

One estimate puts the 5-year cost to hospitals at $43 billion, but true cost will go higher

The Y2K computer problem may have cost U.S. hospitals billions of dollars to fix, but many experts now claim hospitals haven’t seen anything yet. Looming on the horizon, and largely ignored by mainstream media and many hospital administrators, is a regulatory cost potentially many times larger than the Y2K bug.

The challenge: effectively implementing the provisions contained in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Karen Milgate, senior associate director for policy development at the Chicago-based American Hospital Association, says that although her organization hasn’t yet performed a detailed cost analysis of HIPAA, it’s apparent that the expense to hospitals could dwarf that of Y2K. Although no one has yet set a price tag for all of HIPAA’s provisions, the Chicago-based Blue Cross and Blue Shield Association estimates that the HIPAA-mandated confidentiality regulations proposed by the Department of Health and Human Services will cost the industry $43 billion. Meanwhile, the Health Care Financing Administration (HCFA) has projected that the massive industry effort to comply with HIPAA will generate government savings of $1.5 billion over the same period.

HIPAA encompasses three main areas: administrative simplification, security standards, and privacy standards. Administrative simplification includes standardization of transactions, including formats for claims and claims attachments; new, unique provider identifiers; and possible changes in CPT code sets. The security standards outline a lengthy list of administrative and technical safeguards that hospitals would have to put in place to ensure the security of information in their systems. The privacy standards — which experts say are likely to generate most of HIPAA’s enormous cost — go well beyond the security standards.

"The privacy standards as proposed basically establish rules for every single use and disclosure of information for hospitals," Milgate says. "It’s likely to be the most expensive piece, simply because it’s so broad. I mean, you’re talking about establishing new procedures for how much a physician can say to a nurse, for example. There’s another standard that says you can only use or disclose the minimum amount of information necessary to accomplish the purpose for which you’re using or disclosing the information, and they specifically state that they want it to apply in individual situations."

Because the privacy rules are so far-reaching, hospitals will likely have to perform an exhaustive and complicated analysis just to determine exactly which rules apply to them, Milgate says. Further complicating the issue is the fact that while HIPAA pre-empts state privacy laws, it does so on a limited basis. "It’s a fairly low pre-emption, meaning that a lot of state laws will still apply," she says. "So this really doesn’t create standardization across states. What it does is just add another layer of complexity, because you have to take into account the laws in all the states you work in, then throw the federal rules on top and see how they match up."

After figuring out exactly which laws apply specifically to your facility or system, you’ll need to decide which of your policies to change regarding disclosure and patient notification and what kinds of authorization forms you need to develop. For example, "there’s a requirement that you track your disclosures and that you make that record available to patients," Milgate says. "There are patients’ rights in terms of inspecting, copying, and amending those records. That may be new for some hospitals. There’s a whole host of new processes and procedures, so you can see why we don’t really know how to cost it out yet. But we know it’s a lot. It’s tremendous."

Gwen Hughes-Wright, RHIA, practice manager at the American Health Information Management Association in Chicago, agrees that the cost of HIPAA will likely vary among hospitals in different states, depending on how stringent their state privacy laws are. "For example, in Washington State, patients have access to their records, and there are notices posted. The state law has already defined how patients can access records and how to correct things. But in other states, particularly in the South, patients don’t yet have that right. So it kind of depends on what regulations you’ve been operating under as to how big a change this is, and therefore how much you’re going to have to spend making that change."

A major concern among HIPAA analysts is the fact that many hospitals haven’t even begun to devote resources to the problem. Hughes-Wright says that many facilities focused on Y2K over the past two years to the exclusion of HIPAA. Another reason why HIPAA has been relegated to the back burner at many facilities is that final rules for the various components of the law haven’t been published yet. (See HIPAA timetable below.)

HIPAA Implementation Timetable

Standard                          NPRM(1) Published     Expected Final Rule Publication     Expected Date Compliance Required
Transactions and code sets
National provider identifier
National employer identifier
National health plan identifier   4/2000 (expected)
Claims attachments                3/2000 (expected)

(1) Notice of Proposed Rule Making.
Note that standards are required to be implemented within two years of the effective date of the final rule. The effective date is generally 60 days after the final rule's publication.

"It’s always hard for us to say exactly what people need to do when we don’t know exactly what the rules are," Milgate says. "We know that some of the proposed rules aren’t going to change very much, but the privacy one is relatively new. It came out in November [1999], and it’s massive. We’re just now talking to our members about what this means for them."

Even without a final rule, however, there are things you can do now to prepare for HIPAA — before the official clock starts running. Indeed, experts say if you haven’t started getting ready, you may already be playing catch-up. After the final rule is published, there’s likely to be a 60-day grace period before the effective date of the rule. After that, hospitals probably will have no more than two years to achieve full implementation.

If your hospital isn’t in compliance when time runs out, penalties can be steep. The civil monetary penalty for violating transaction standards is up to $100 per person per violation, capped at $25,000 per person for violations of a single standard in a calendar year. The penalty for knowing misuse of health information can run up to $250,000 and imprisonment for up to 10 years.

Hughes-Wright emphasizes that many of the things included in the proposed rules "are good things to do anyway, like letting patients know what your information practices are. Those sorts of things you can do, and even if the final rule never came out, they would still be good things to do."

Hughes-Wright recommends that someone at the facility work to become a HIPAA expert. "That way, even if not all of the elements pass, you can move forward more quickly," she says. "You should also pick out the things you can do now as opposed to waiting, and decide what things you want to do anyway." She specifically advises that hospitals start taking action on issues such as patient access to records, establishing procedures for correction and amendment of records, and maintaining records of release.

Milgate recommends performing an assessment of where you currently stand with your security and privacy policies. That way, no matter what the final rule says, you’ll be able to move more quickly in adapting to the HIPAA requirements.

It’s also important to remember that wholesale changes in the HIPAA rules aren’t likely, although the AHA remains hopeful that it can force some revision or at least clarification regarding the privacy standards. The proposed rules "probably give the general direction things are going to go," Milgate says. "Like, [the proposed rules] say you have to have a privacy officer. Well, do you have an individual who is specifically identified with the responsibility for privacy policies? What kind of training do you already do? What kind of access do you give different levels of employees within the hospital? Those are the kinds of things you can already look at."

It’s important to note that, technically, the HIPAA provisions apply only to electronic records. But in practical terms, "it’s going to be too hard to separate out the information that falls under the law and the information that doesn’t," Hughes-Wright says. "So I imagine we’re going to find ourselves treating all information the same, whether it’s paper or electronic."