Now the hard work begins. With the first-ever federal medical privacy regulations officially on the books, providers need to get down to the business of understanding and implementing the sweeping mandates required by the Health Insurance Portability and Accountability Act of 1996.
Healthcare experts said the exhaustive rules -- with their strict patient consent requirements -- will require significant cultural and administrative changes on the part of healthcare providers.
"Providers will have to document that they've obtained consent and, more important, they will have to document all the releases of information they make and be able to produce audits or reports of those releases upon request by the patient," said John Knapp, a healthcare attorney with Cozen and O'Connor in Philadelphia.
But many providers are still in the early stages of digesting the new rules, which took 1,500 pages in the Dec. 28 Federal Register.
Centura Health, Englewood, Colo., is conducting an internal analysis to determine what the new regulations will mean for the nine-hospital not-for-profit system. The system recorded 87,346 inpatient cases and 656,222 outpatient visits in the fiscal year ended June 30, 2000.
In addition to looking at the design of its information systems, Centura also needs to examine how the regulations will affect the way it shares medical information with outside parties, such as payers, said Joseph Swedish, Centura's president and chief executive officer.
"It's something that has to be done," Swedish said. "It is an imperative in the industry to assure confidentiality and protection of information for the patient."
HHS completed work on the final set of HIPAA privacy regulations last month and published them last week after a marathon of public comment.
The proposed rules generated more than 50,000 public comments after they were published in November 1999.
The final regulations greatly expand patient access to medical records.
For providers, compliance with Y2K conversion was a trial run for HIPAA, said Lee Norman, M.D., a senior vice president at St. Louis-based Carondelet Health System, which treated 94,270 inpatients for the fiscal year ended June 30, 2000.
Although preparing for Y2K was a "big, expensive, painful building block," Norman said, it left providers more aware of their information systems.
But the new privacy regulations are not without controversy. Among the most talked about provisions is what's known as the "minimum necessary" standard.
In the proposed version of the regulations, the provision would have required physicians to share with their practitioner colleagues only those portions of a patient's medical record -- or the minimum necessary -- that pertained to the reason the information was requested.
In the final set of regulations, that provision was relaxed, letting physicians share the entire medical record for treatment.
However, the minimum necessary provision still applies when patient data is exchanged for business purposes under the final regulations.
"To say that the goal should be to disclose only the minimum information necessary in a certain situation is laudable," Knapp said. "But to determine what that minimum amount is will take a great deal of time and experience."
The new privacy regulations mean the role of compliance officers will be expanded beyond fraud and abuse to encompass privacy issues, said attorney Ryan Meade, co-chairman of the health information and HIPAA compliance practice group at the Chicago law firm Katten Muchin Zavis.
Compliance with HIPAA's privacy regulations is required by February 2003, but attorneys said law enforcement officials may need more time to clarify the circumstances under which they will prosecute violations.
The final regulations created new criminal and civil penalties for improper use or disclosure of a patient's personal health information.
The penalties for noncompliance range from a fine of $50,000 and up to a year in prison to a $250,000 fine and up to 10 years in prison if the offender intends to sell or otherwise profit from the information.
Meade, who called the new privacy regulations "onerous," said providers might want to do certain business transactions now before the privacy regulations take effect in two years.
For instance, once the regulations are implemented, providers who want to sell physician practices will need written authorization from every patient to sell their medical records.
"That is going to make it very difficult for hospitals to sell off or spin off physician groups," Meade said.
Now, he said, such permission usually is not required; however, it can depend on individual state laws.
Meade said he is encouraging clients to incorporate HIPAA into their strategic planning when they are deciding what to do and when to do it.
Observers agree that even though the cost of compliance could be astronomical -- a recent study commissioned by the American Hospital Association pegged the cost at $22.5 billion over the next five years -- the administrative efficiency and patient privacy achieved by the regulations could justify the costs.
HHS estimated HIPAA's privacy regulations will cost the healthcare industry $17.6 billion over 10 years.
HHS also estimated that HIPAA's regulations requiring standardized electronic transactions and medical billing codes -- which were made final last August -- will save the industry $29.9 billion over the 10 years, creating a net savings of $12.3 billion.