The trusted source for
healthcare information and
The American Hospital Association (AHA) has taken two steps to garner government action with respect to the Health Insurance Portability and Accountability Act (HIPAA): It has asked Congress for support in implementing the final rule on HIPAA privacy while also asking the Department of Health and Human Services (HHS) to reopen the final rules.
During his testimony before the Health, Education, Labor, and Pensions Committee of the U.S. Senate on behalf of the AHA, John Houston, information services director, data security officer, and assistant counsel for the University of Pittsburgh’s UPMC Health System said: "Congress should examine the high costs associated with implementing the privacy regulation and take the necessary steps to ensure that implementation does not put hospitals in financial jeopardy by supplying the necessary funds."
In a separate action, AHA sent a letter to HHS Secretary Tommy Thompson, asking him to re-open the final rule implementing HIPAA privacy requirements. AHA asked that the following points be reviewed:
• The implementation schedule, because of the high cost associated with a health care organization making the extensive changes necessary to meet the new privacy rule.
• Requirements that could impede patient care or disrupt essential hospital operations, if state law on the issue of patient privacy is allowed to pre-empt federal regulations. Under the final rule, if a state law is contrary to and more stringent than the federal standard, it cannot be preempted. This translates to the need for hospitals and other health care organizations to know the state laws in every state in which they do business and then compare them to the federal law to determine which law they should follow.
• The cost involved with becoming compliant. According to HHS figures, the regulation will have a 10-year cost of $17.6 billion for the entire field, including hospitals, insurers, clearinghouses, and pharmacies and costs will be offset over the course of a decade by savings accrued as a result of HIPAA’s transactions standards. It is the opinion of the AHA that HHS has underestimated these costs. An AHA-commissioned study, looking at hospital costs alone, found that the cost of only three key provisions of the proposed rule (minimum necessary, business partners, and state law preemption) could be as much as $22.5 billion over five years. This estimate depended on whether hospitals could comply by simply modifying existing information systems, or if replacement or significant reconfiguration of those systems was required.
• Administrative requirements that will, according to Houston, create a host of new administrative duties, among them the creation of departments, which will coordinate consents, authorizations, and disclosures; evaluate and coordinate requested changes to patients’ medical records; and make significant changes to policies, procedures, and processes.
• A new provision on patient consent issued by HHS, which is required when protected health information is used or disclosed for purposes of treatment, payment, or health care operations. Patient consent forms must be separate from privacy notices, signed by the patient and retained by the hospital. If a patient subsequently revokes his/her consent, hospitals must discontinue using the protected health information and advise business associates to do the same. Since this provision was not included in the proposed rule, it was not subject to comment.