Confidentiality regs may cost industry $40 billion

Final HHS regulations may spawn a whole new industry unto itself, experts warn

The Department of Health and Human Services’ (HHS) latest estimate that patient confidentiality regulations will cost the health care industry a tidy $3.8 billion may be off by a factor of 10, according to the Blue Cross and Blue Shield Association (BCBSA) and other groups. They say the real cost may top $40 billion over five years.

According to the Washington, DC-based BCBSA, retraining and recertifying employees, hiring privacy officials, upgrading systems, and making other changes in infrastructure alone would cost $23 billion. The requirement to track all disclosures of information would add $9 billion while the provision to make providers liable for compliance of their business partners would tack on another $4 billion.

House Ways and Means Health Subcommittee Chairman Bill Thomas (R-CA) grilled HHS officials on the potential cost of the regulations at a hearing before his subcommittee Feb. 16. He also warned HHS Assistant Secretary for Planning and Evaluation Margaret Hamburg not to let the confidentiality regulations go the route of the compensation portion of the physician self-referral regulations — otherwise known as Stark II — which have been in the drafting stage for nearly a decade. "We have been chasing that elusive butterfly for seven years now."

Healthcare Leadership Council president Mary Grealy, who testified at the hearing, says health care providers should brace themselves for precisely that scenario. By the time HHS gets the final rule out, Grealy says the health care system will have changed profoundly.

"You’re taking a snapshot of what the health care system looks like today, but you can’t possibly account for what technology is going to allow for tomorrow," she warns. "The more prescriptive you try to make the regulations, the more you restrict what may be valuable uses of patient data."

Worse yet, Grealy says the confidentiality regulations may spawn a whole new industry. "It reminds me of when the DRG system took effect and medical records suddenly had to be converted into proper codes. Then we moved to the fraud abuse compliance officer." She predicts these regulations represent a third wave.

Thomas and his colleagues may have little to say on the matter, however. Last year, Congress missed its deadline to pass confidentiality legislation mandated by the Health Insurance Portability and Accountability Act of 1996. That passed responsibility to HHS to write regulations that would cover medical records and health information maintained or transmitted electronically. The extended comment period for HHS’ proposed regulations ended last week.

From a provider standpoint, passing the torch to HHS has several major flaws.

The biggest one is that the HHS regulations will not pre-empt state laws. Only a law passed by Congress could have done that. Instead, HHS’ federal regulation will only pre-empt state law when the federal provision is more stringent.

Grealy and others say the result may be a nightmare for health care providers. Not only will providers have to master both state and federal confidentiality laws, they will have to master a patchwork of state and federal regulations to determine which law supersedes the other.

"You will still have health care providers and insurers and everyone else involved with having to comply with the existing 50 state laws and trying to figure out which are more strict or less strict, and also the federal laws, as well," warns Grealy.

Health care providers’ fears are probably well-founded. Hamburg is already on record as saying that a health care provider that knowingly obtains or uses health care information in violation of the standards will be subject to criminal felony penalties. Penalties should be higher when violations are for monetary gain, she added.

Alissa Fox, executive director of BCBSA, says the proposed rule has three major problems in addition to the pre-emption of state law. First, the partnership provisions of the regulation would require providers to enter into prescribed contracts with all of their business partners and would make them subject to penalties if they "knew or reasonably should have known" about privacy violations committed by their business partners.

"The definition of business partner is so broad that physicians could be the business partners of independent laboratories, health plans could be the business partners of their lawyers and accountants, and hospitals could be the business partners of independent physicians that practice within their walls," Fox asserts.

Second, Fox says the proposed regulation instructs providers to use or disclose only the minimum information necessary to accomplish a given purpose and discourages the exchange of the entire medical record. "At first blush, this standard seems to be a perfectly reasonable, common-sense provision." Operationally, though, it would be a nightmare, she adds. It would be impossible to implement a legal standard requiring that only the minimum information be used or disclosed. That’s because the standard applies to the use of information as well as to its disclosure, and the definition of disclosure includes broad terms, such as "provision of access to."

"This standard would require a massive reorganization of workflow as well as a possible redesign of physical office space, and would jeopardize the timeliness of patient care, benefit determinations, and other critical elements of the health care system," Fox warns.

Finally, Fox argues that the proposed rule includes a definition of "health care operations" that is exempt from the regulation and is far too narrow. "The current definition of health care operations misses important functions," she argues. "As a result, covered entities may have to solicit authorizations for certain functions or track disclosures as part of routine operations."

There is no shortage of other potential violations that could trip up hospitals and other providers. Here is a short list of requirements providers would be forced to meet:

- Obtain new authorization from consumers before using or disclosing information, except for purposes of treatment, payment, health care operations, and other limited circumstances.

- Allow individuals to inspect, copy, and amend much of their medical information.

- Track all disclosures made other than for treatment, payment, and health care operations.

- Recontract with all business partners to require them to use and disclose information according to the new privacy rules and assure that business partners are complying.

- Institute procedures to assure that only the minimum information necessary is used or disclosed for a given purpose.

- Designate a privacy official and train staff.

- Follow specific rules before using protected health information for research.

- Develop a host of new policies, procedures, and notices.

"Just on the face of it, you can see this isn’t going to work," concludes Grealy. "This will be a whole new industry by the time this regulation is final."