Hospitals could spend as much as $22.5 billion in the next five years complying with provisions of the Health Insurance Portability and Accountability Act of 1996, a new analysis paid for by the nation's largest hospital association has found.
That's nearly six times the cost estimate that HHS published in its proposed set of HIPAA regulations, which the agency began rolling out in 1998. HHS said complying with the law's privacy rules, which would safeguard electronic data and give patients rights concerning how their medical information is used, would cost hospitals $3.8 billion over five years after the rules become effective, most likely in 2002 or 2003.
But HHS' figure doesn't include the cost of complying with three HIPAA provisions the agency left out of its estimate, according to the analysis from Long Beach, Calif.-based First Consulting Group.
One provision ignored by HHS' estimate--which limits the information doctors can share with one another during treatment--could alone cost hospitals as much as $19.8 billion over five years. HHS may issue a final set of privacy rules by the end of the year.
"We support vigorous efforts to protect patients' records," said AHA President Richard Davidson in a written statement. "But this sweeping proposal has gone far beyond what Congress intended and has the potential to interfere with the treatment we provide patients."
The AHA, which declined to disclose what it paid for the study, released the analysis on the day that it urged the Medicare Payment Advisory Commission to consider HIPAA costs when it makes annual Medicare inpatient payment recommendations for 2002. The AHA said that to account for HIPAA costs, MedPAC should add 2 to 5.2 percentage points to its annual PPS update recommendation.
Some observers said hospitals should not focus on HIPAA's cost but on its potential.
"You can't look at HIPAA as a compliance activity," said Lisa Dahm, senior manager of HIPAA services and regulatory compliance for Deloitte & Touche. "You've got to look at it as an opportunity to move into electronic communication and do things more efficiently."
A day before the AHA released its report and made its case before MedPAC, an investment bank said hospitals are in fine shape to spend the extra money on HIPAA requirements.
After two years of Medicare payment relief, hospitals are now "more suited for (information technology) investment than at any time in the past eight quarters," said a report released last week by SG Cowen, a New York-based investment banking firm.
First Consulting said the five-year cost of complying with three HIPAA provisions--limits on information sharing by clinicians, ensuring compliance with HIPAA by business partners and reconciling HIPAA with state laws--could range between $4 billion and $22.5 billion "depending on the specific approach that organizations take and the effort required to bring their information systems into compliance."
Much of that spending could stem from a HIPAA provision called the "minimum necessary rule," a proposal that would limit medical communications among physicians and other caregivers to the minimum necessary required to deliver care.
The analysis by First Consulting estimates that compliance with that rule alone would cost hospitals at least $1.3 billion over five years, or as much as $19.8 billion if new information systems are required to achieve compliance.
"Right now HIPAA does have the ability to interfere with treatment, especially in relation to the minimum necessary standard," Dahm said.
In its final rule, she said, HHS is likely to relax the standard in response to criticisms fielded by the agency in public comments.