Confidentiality legislation likely to exact huge cost on providers
Confidentiality legislation likely to exact huge cost on providers
By MATTHEW HAY
HHBR Washington Correspondent
WASHINGTON The Department of Health and Human Services (HHS; Washington) estimates that patient confidentiality regulations will impose a cost of $3.8 billion on the healthcare industry. But according to the National Blue Cross and Blue Shield Association (BCBS) and other groups that have poured through the proposed rule the agency issued last November, the cost may be much higher.
In fact, House Ways and Means Health Subcommittee Chairman Bill Thomas (R-CA) cited estimates at a hearing before his subcommittee last week that the final cost may be six, seven, or even 10 times that amount. BCBS’s outside consulting firm pegs the cost at more than $40 billion over five years.
Retraining and recertifying employees, hiring privacy officials, upgrading systems, and making other changes in infrastructure would alone cost $23 billion, according to that estimate. The requirement to track all disclosures of information would add another $9 billion while the provision to make providers liable for compliance of their business partners would tack on another $4 billion.
Thomas also warned HHS Assistant Secretary for Planning and Evaluation Margaret Hamburg not to let the confidentiality regulations go the route of the compensation portion of the physician self-referral regulations otherwise known as Stark II which have now been in the drafting stage for seven years.
Mary Grealy, president of the Healthcare Leadership Council (Washington), who testified at the hearing, said healthcare providers should brace themselves for precisely that scenario. By the time HHS gets the final rule out, Grealy said, the healthcare system will have changed profoundly.
"You are taking a snapshot of what the healthcare system looks like today, but you can’t possibly account for what technology is going to allow for tomorrow," she warned. "The more prescriptive you try to make the regulations, the more you restrict what may be very valuable uses of patient data."
But Thomas and his colleagues in Congress may have little to say about the matter. Last year, Congress missed its deadline to pass medical record confidentiality legislation mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). That passed responsibility to HHS to write regulations that would cover medical records and health information maintained or transmitted electronically. The comment period for HHS’ proposed regulations ended last week.
From a provider standpoint, passing the torch to HHS has two major flaws, according to Doug Peticord of Washington Health Advocates (Washington). First, he estimates that roughly 70% of all records are still on paper.
However, Peticord said, the even bigger problem is that the HHS regulations will not preempt state laws. Only a law passed by Congress could have done that, he said. Instead, HHS’ federal regulation will only preempt state law when the specific provision is more stringent.
Peticord and others say the result may be a veritable nightmare for healthcare providers. Not only will providers have to master both state and federal confidentiality laws, they will have to determine which law supercedes the other.
The fears harbored by healthcare providers are probably well founded. Hamburg is already on record saying that a healthcare provider that knowingly obtains or uses healthcare information in violation of the standards will be subject to criminal felony penalties. Penalties should be higher when violations are for monetary gain, she added.
Meanwhile, there is no shortage of potential violations that could trip up home health agencies and other providers. Alissa Fox, executive director of BCBS, said the proposed rule has three major problems in addition to the preemption of state law. First, she said, the partnership provisions of the regulation would require providers to enter into prescribed contracts with all of their business partners and would be subject to penalties if they "knew or reasonably should have known" about privacy violations of their business partners.
"The definition of business partner is so broad that physicians could be the business partners of independent laboratories, health plans could be the business partners of their lawyers and accountants, and hospitals could be the business partners of independent physicians that practice within their walls," she said.
Second, Fox said, the proposed regulation instructs providers to use or disclose only the minimum information necessary to accomplish a given purpose and discourages the exchange of the entire medical record.
"At first blush, this standard seems to be a perfectly reasonable, common-sense provision," she said. But operationally, she added, it would be a nightmare. Simply put, she said, it would be impossible to implement a legal standard in which only the minimum information is used or disclosed because the standard applies to the use of information, as well as disclosure, and that definition of disclosure includes broad terms like provision of access to.’
"This standard would require a massive reorganization of workflow, as well as a possible redesign of physical office space and would jeopardize the timeliness of patient care, benefit determinations, and other critical elements of the healthcare system," she warned.
Finally, Fox argued that the proposed rule includes a definition of healthcare operations, which are exempt from the regulation, that is far too narrow. "The current definition of healthcare operations misses important functions," she argued. "As a result, covered entities may have to solicit authorizations for certain functions or track disclosures as part of routine operations."
There is no shortage of other potential violations that could trip up hospitals and other providers. The following is a list of requirements providers would be forced to meet.
• Obtain new authorization from consumers before using or disclosing information, except for purposes of treatment, payment, healthcare operations, and other limited circumstances.
• Allow individuals to inspect, copy, and amend much of their medical information.
• Track all disclosures made other than for treatment, payment, and healthcare operations.
• Designate a privacy official and train staff.
• Follow specific rules before using protected health information for research.
• Develop a host of new policies, procedures and notices.
In it’s comments submitted last week, the National Association for Home Care (NAHC; Washington) said it favors HHS’ decision to create a floor, but not a ceiling, on privacy protections afforded by the states because it will allow states to enact stronger privacy protections in an ever-changing environment. But NAHC urged HHS to begin by capturing the costs associated with the rule and ensuring that home health agencies will have the resources necessary to comply.
NAHC also urged HHS to exclude healthcare treatment from the minimum necessary standard included in the proposed rule. It argued that it is not unusual for a patient’s condition to change and said that it is unreasonable for an intervention to be delayed because the complete record is not available. The association also argued that the proposed rule would expose providers to civil liability when they unknowingly performed interventions without the benefit of a full medical record.
NAHC also urged HHS to eliminate the provision that creates private right of action for patients to bring civil actions against providers and their business partners.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.