The Future of Risk Management 

Report: Hospitals can cope with HIPAA costs

Hospitals will be able to cope with the financial burden of complying with the Health Insur-ance Portability and Accountability Act (HIPAA) of 1996, according to a Moody’s Investors Service special report that flies in the face of many dire predictions from health care providers. About half of U.S. hospitals are well on their way to compliance, based on information from the American Hospital Association (AHA).

Chris White, a Moody’s analyst and co-author of the report, says most providers already have figured HIPAA compliance costs into their budgets. White says those costs may total between $2 billion and $5 billion nationwide, but he says providers should be able to absorb the costs just as they absorbed the $8 billion in Y2K compliance costs spent in 1999. The HIPAA costs may be more easily absorbed because providers have a long period over which to spread the costs, when compared to the short window in which most providers had to comply with Y2K updates.

Although the Department of Health and Human Services (HHS) issued the final HIPAA privacy regulations in December 2000, the rules were delayed in February when the Bush administration said it wanted to review the rules for 30 days and then have a longer implementation period. HHS estimates that the health care industry would spend $24.6 billion over 10 years to comply with the entire HIPAA regulation. Not-for-profit hospitals will have to spend $1.6 billion to comply with the privacy requirements.

According to the Moody’s report, HIPAA will require providers to invest between $2 billion and $5 billion over the next two years in new hardware and software technology, personnel, and training. Some leaders in the industry oppose the rule because of the cost, with the AHA calling the costs "overwhelming."

The report from Moody’s agrees with some industry critics who say the HIPAA rules’ costs are underestimated by HHS. But Moody’s goes on to say that "we also do not expect HIPAA expenditures to have the dire financial consequences many industry groups have predicted."

Billions and billions required to comply

A study by the AHA suggests that hospitals could spend $22 billion over five years just to comply with three key provisions of the privacy rule. "Every day, hospitals safeguard patients’ medical information and vigorously support efforts to protect patient privacy," AHA president Dick Davidson said in a statement. "Simply put, the current rules create barriers to care and are unworkable for patients and caregivers. We ought to get these rules right."

Despite the pervasive unhappiness with the HIPAA privacy rules, hospitals are proceeding with the necessary steps to comply. The AHA recently surveyed hospitals and found that half have taken some of the major steps required to comply with the rule. In late February, AHA members were surveyed about tasks they performed to comply with the HIPAA regs. The AHA now reports that the survey found that 37% of respondents had designated a security officer; 47% assigned a formal HIPAA committee; 12% have a HIPAA implementation plan; 10% have ranked HIPAA as a low priority for 2001; 24% have ranked HIPAA as a moderate priority for 2001; 39% have ranked HIPAA as a high priority for 2001; 45% will look for outside assistance on HIPAA; 27% will not look for outside assistance on HIPAA; and 18% have done a cost impact analysis on HIPAA.

Although the AHA is unhappy with much of the HIPAA rules, the organization says about half of U.S. hospitals already are taking significant steps to comply. The AHA called on the Bush administration to change the medical records privacy rule to make it less of a burden on patients, hospitals, physicians, and nurses, but ultimately failed in its efforts to block implementation of the rule. The AHA sent its request to HHS Secretary Tommy Thompson, who reopened the privacy rule for further comment and review, but then cleared the way for full implementation.

Among other problems, the AHA complained to Thompson that patients would have to fill out a 10-page consent form to give hospitals permission to use their medical information. It would be better to allow hospitals more leeway in determining how to obtain consent, the AHA says. The AHA also wanted Thompson to eliminate restrictions on the use of patient information within the hospital.

After the 60-day delay, Thompson said the administration would address some of the concerns that surfaced through guidelines or modifications. A timetable for making those changes has yet to be determined, but Thompson announced the department would make clear that physicians and hospitals could consult with other doctors and specialists about a patient’s care, pharmacists would be able to fill prescriptions over the phone, and parents could have access to information about the health of their children.

"The president considers this a tremendous victory for American consumers, who will continue to receive high-quality health care without sacrificing the confidentiality of their private health matters," Thompson said.

Many areas of the rule need strengthening

Donald J. Palmisano, MD, a trustee of the American Medical Association (AMA), says he will be eager to see how Thompson’s pledge works out. "Although Secretary Thompson has indicated that the privacy rule will be implemented with no delay, the AMA appreciates the secretary’s commitment to consider the comments received in response to the final rule, make necessary modifications to the rule, and issue guidelines to assist in its implementation," Palmisano says. "The AMA urges the secretary to quickly address those modifications and safeguards we called for in our earlier comments on the privacy rule. At a minimum, physicians need the full two-year compliance period to modify their practices in order to comply with the rule. It is imperative that any changes to the rule or implementation guidelines are provided as expeditiously as possible."

Palmisano says many areas of the rule still need strengthening. For example, he says law enforcement officials will have virtually unfettered access to protected health information without patient authorization and a court order. Also, in many instances, health plans are not required to obtain consent to use or disclose patient health records.

"Ironically, the rule does substantially increase the administrative burden for the physicians, the one sector of the health care system already ethically bound to safeguard patient privacy," he says. "The rule prescribes burdensome documentation and record-keeping provisions on physicians that are unlikely to provide any real added privacy protections for patients."

Similar concerns come from the American Association of Health Plans (AAHP), the largest national trade organization representing more than 1,000 health maintenance organizations (HMOs) and preferred provider organizations. AAHP president and CEO Karen Ignagni says the rule threatens quality health care.

"When the proposed medical privacy rule was issued in the final days of the Clinton administration, we joined consumers, physicians, hospital, and other providers and employers in calling for a more balanced approach that promotes quality while enforcing privacy," Ignagni said in a statement. "The proposed rule failed this principle by imposing new regulations that, in many cases, would inhibit the ability of health plans and providers to get patients the care they need when they need it. We hope the administration will continue to look at ways to improve this rule."