Physicians wanting to avoid the wrath of the government could find themselves spending thousands of dollars to comply with new privacy regulations.
But some caution against rushing to buy systems or software.
"These regulations will not go into effect for two years," says AMA trustee Donald Palmisano, M.D., a surgeon in New Orleans. "Congress has 60 days to comment on these regulations. We're encouraging physicians to not feel a need to rush out and buy some sort of software some vendor is saying puts them in better compliance. We need to let the dust settle."
The privacy regulations for the Health Insurance Portability and Accountability Act of 1996 are the second set of a three-pronged rule for handling patient information. Final regulations for transaction code sets were issued in August.
The security regulations are expected this month.
The regulations extend the privacy provision to oral and written communication instead of just covering electronic patient information and require patient consent before releasing any information, including that for billing or testing.
Penalties for violating privacy provisions include up to 10 years in prison for each violation.
"We certainly think it's appropriate that patients' medical information should be protected and protected thoroughly," says Aaron Krupp, government affairs representative for the Englewood, Colo.-based Medical Group Management Association. "That being said, we want to make sure there are not undue burdens being placed on providers."
Among the major negative aspects is the cost, says Robert Tennant, MGMA's government affairs manager. The Office of Management and Budget estimated doctors would spend $4,000 each, or around $2.4 billion overall, to become compliant with HIPAA regulations. That estimate, Tennant says, is totally unrealistic. Health plans' and analysts' estimates run upwards of $43 billion, he says.
"The bottom line is we don't have any specific numbers," Tennant says. "They are a lot higher than what was stated in the final rule."
The rule does have some positive aspects, Tennant says, including applying privacy standards to all forms of patient information. The final regulations also allow providers to get one authorization for billing, testing and consulting rather than requiring authorizations for individual transactions.
The final rule also reduced the liability that providers would have if a business partner violates HIPAA regulations.
The AMA will study the privacy regulations to determine whether they are consistent with its own standards for patient privacy. While the association agrees in principle with safeguarding patient information, physicians will need time to determine the real cost-benefit of the law, Palmisano says.
Providers aren't the only ones scrutinizing the regulations. Health plan officials are determining how they will get patient information they say they need to complete projects, such as accreditation, without violating the law.
The draft proposal allowed disclosure of patient information for routine purposes such as treatment and payment, says Kristen Stewart, director of private market issues for the American Association of Health Plans. Under the final regulation, health plans still don't have to get consent to release certain routine information.
However, providers must get consent to release that same information. Stewart says health plans generally rely on providers to transfer patient information for such projects as disease management, physician profiling and quality assurance. If the physicians' consent forms are too narrow, health plans may not be able to get the information they need, she says.