Let's hope it's worth it.
The medical privacy rules spelled out by HCFA last month will be an expensive and bureaucratic nightmare for physician groups attempting to process or update patient medical records. The rules, which are set to go into effect in two years, will govern virtually every doctor, hospital, pharmacy and health plan in the country.
But the plan to revamp regulation of medical information under the Health Insurance Portability and Accountability Act of 1996 contains requirements that aim to improve efficiency in the healthcare system by standardizing claims and payment forms for physicians. Achieving success in streamlining paperwork requirements alone could make the effort extremely valuable.
Overall, the effort to give patients the right to protect their medical records from disclosure without their consent is on target. Policymakers made a wise decision to protect all identifiable medical information, including paper records and oral communications, rather than just electronic information and paper-based information that previously existed in electronic form, as originally proposed.
On the negative side are concerns regarding compliance costs. The American Hospital Association commissioned First Consulting Group to analyze the cost of complying with HIPAA requirements. The group estimated the cost to hospitals alone could reach $22.5 billion over five years, far exceeding HHS estimates for compliance with the rules. Such estimates don't take into account the fact that many physician practices still use archaic manual billing systems and will be hard pressed to find the money to invest in the technology needed to generate up-to-date information.
Another concern is that despite restrictions on the use of identifiable medical information for marketing purposes, loopholes will allow virtually any type of marketing without patient consent. One problematic section of the rules permits marketing communications without authorization when they occur in face-to-face encounter with individuals or concern products or services of nominal value. Such vague language seems to leave the door open to abuses.
Others fear that existence of the rules will discourage health plans from gathering data gleaned from medical records to institute quality improvement efforts. Some experts worry that the chilling effect of the regulations will discourage health plans from disclosing anything but the most minimal data to other medical professionals.
Finally, without national standards to control the flow of sensitive patient information, HIPAA could amount to much ado about nothing. It's a challenge that Congress may yet have to face.
Still, anything that assures patients that the privacy of their medical records is a priority for caregivers and medical record keepers is welcome. HHS estimates that 400 different format standards are currently used to electronically exchange health claims information. Localized efforts to standardize forms have made limited progress, but the process needs to be pushed forward into the 21st century. With any luck, HIPAA can be the vehicle that both improves protection of patient data and boosts transactional efficiency.