Outlays are just tip of the iceberg, the AHA says
The $8 billion that hospitals spent preparing for the Y2K transition once seemed like a lot of money. It was, but consider this: A recent study requested by the American Hospital Association (AHA) in Chicago shows that hospitals’ cost of complying with just a few of the federal government’s proposed medical privacy rules could be as high as $22.5 billion over five years. In contrast, the Department of Health and Human Services (HHS) has estimated that the entire health care field will spend about $3.8 billion to comply with privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Unfortunately, the provisions included in the AHA study were not calculated into the HHS estimate.
"It was HHS’ decision to include or not include certain elements in its estimate," explains Keith MacDonald, senior manager with emerging practices group, First Consulting Group (FCG), Boston. FCG, a multinational pharmaceutical/life sciences and health information technology services firm, prepared the report. One challenge HHS might have encountered in its analysis is a lack of industry benchmarks, he explains.
Evaluating the provisions
For this report, the AHA chose three relatively high-impact items that HHS had omitted in its calculation and asked FCG to evaluate the costs, MacDonald says. These items were:
• "Minimum necessary use" of information.
Hospitals must make every reasonable effort not to use or disclose — internally or externally — more patient information than is necessary to accomplish an intended purpose, the report explains. Hospitals will need to conduct a comprehensive audit of all patient data created and maintained throughout the hospital, change all internal computer systems to limit access to information, train staff in appropriate uses of patient information, and use costly audits to check compliance.
FCG estimates the five-year cost to hospitals for this provision is a minimum of $1.3 billion. If hospitals must invest in new information systems or substantially upgrade existing systems to come into compliance, these costs could rise to $19.8 billion, according to the report.
This item is complicated, MacDonald says. He wishes the report could have given more guidance on where providers should draw the line on the minimum necessary use requirement. FCG interpreted the requirement rather strictly.
"If you interpret it as we did, you have to look at all of the folks that are accessing any clinical information electronically throughout your organization, and you have to be able to restrict their access to just the information they need to use to do their jobs," he says.
Many of the information systems can’t do that kind of detailed access restricting, he adds. "Under that circumstance, many of the vendors will likely have to reconfigure some of their systems, which means that the hospitals are going to have to install upgrades." Even if hospitals do not have to pay for the actual upgrades, the time and effort needed to install them are costly too.
"It’s a little early to tell how prepared the vendors will be because the final rule isn’t out, but even based on this preliminary rule, it’s clear to us that they have some work to do if we interpret those rules strictly," MacDonald says.
• Requirements for contracting with and monitoring business partners.
Hospitals must identify all business partners who use or access the organization’s patient-identifiable information, such as physicians, insurers, clergy or state licensing boards, the report says. Hospitals must hold these business partners accountable, by written contract, for the appropriate use of that information under the privacy requirements. Hospitals estimate that they may have between 50 and 750 business partners, making monitoring compliance a hugely burdensome undertaking. The estimated five-year cost of this provision to hospitals is $2.3 billion.
• No pre-emption of contrary and more stringent state laws.
Since HIPAA privacy requirements will not preempt state laws that conflict with the proposed federal rule and provide greater privacy protections, hospitals must implement policies and procedures that reflect these differences, the report says. The five-year cost to hospitals is estimated to be $372 million.
According to FCG, the overall cost for achieving compliance with these three elements could range from $4 billion to $22.5 billion over five years, depending on the specific approach that organizations take and the effort required to bring their information systems into compliance. Ongoing costs are expected to exceed $500 million a year.
"There is still some ambiguity in the proposed rule about what is likely going to be required and how organizations are going to interpret it — that is the [reason for the wide range]," MacDonald says. "Organizations interpret that rule differently, and as a result, offer different approaches to what they think is going to be required. There is no clear industry consensus because the rule is not as clear as it might otherwise be. We had to model a whole range of approaches."
The details behind the numbers
The hospitals included in this study represent a broad cross-section of the industry: small, large, rural, urban, teaching, nonteaching, single hospitals, and multi-hospital systems, says MacDonald. To reach its conclusions, FCG conducted focus groups and in-depth telephone interviews with the 19 hospital organizations to ascertain the likely impacts of the three components of the proposed privacy rule; determined critical tasks that a hospital is likely to undertake to achieve compliance; and built a financial model that projected the privacy rule’s expected impact on each organization. FCG took an average of the organizations’ costs to try to hit the median of the industry.
Through conversations with clients over the last several years, MacDonald knew that providers see the HIPAA requirements as a large burden. The authors of the study, however, were surprised by the magnitude of the results. "The [providers] that are leading the industry are doing assessments with us to try and understand what the costs will be for their organizations. Those costs look substantial," he says. "But it wasn’t clear to me until we put it all together for the 6,000 or so hospitals across the industry how big [the figure] is in aggregate."
The report shows that this "sweeping proposal" has gone too far, says AHA President Dick Davidson. "These costs are just the tip of the iceberg — the proposal’s total impact on hospitals hasn’t been fully considered. With one-third of the nation’s hospitals operating in the red and hospitals still reeling from $8 billion in Y2K costs, we need to make sure that the law’s important objectives are met while making the best use of our health care resources."