Jeremy Pierotti can envision a day when federal regulations will improve his health system's cash flow by some $68 million.
Instead of subscribing to the notion that the Health Insurance Portability and Accountability Act of 1996 represents an expensive administrative nightmare, Pierotti views it as an opportunity. And he's not alone.
As the HIPAA program director of Allina Health System in Minneapolis, Pierotti undertook a rigorous analysis of one part of the regulation--the one that requires standardized electronic transactions--and found that it will cost much less to implement than it will reap in hard savings.
Pierotti is part of a growing chorus singing the praises of HIPAA rather than wailing about its potential to divert funds from other important areas and disrupt normal operations. Those have been some of the many criticisms of the law, which was passed at the behest of the industry but has since become the whipping boy of providers and payers alike.
HHS estimates that the industry will spend $3.8 billion complying with the controversial privacy regulations, but an analysis paid for by the American Hospital Association pegs the cost at $22.5 billion, which does not cover all of HIPAA's privacy provisions.
One privacy provision left out of HHS' estimate, the AHA says, is the "minimum necessary" rule, which limits the patient information hospitals and staff members can share with one another as well as with outside organizations such as insurers. Complying with that provision alone could cost hospitals as much as $19.8 billion over five years, according to the AHA analysis.
Despite the naysayers, HIPAA may not be all that bad. From providers like Pierotti to patient-privacy advocates and compliance gurus, many in the industry are beginning to consider the law as much an opportunity as an obstacle.
"There has been this hysteria over the regulations (and) part of that is generated by people who will profit from generating the hysteria, such as lawyers and consultants," says Joy Pritts, senior counsel at the Health Privacy Project at Georgetown University's Institute for Healthcare Research and Policy in Washington.
Whether the concerns that have been raised are hysterical or valid is a matter for debate--a debate groups lobbying against various components of HIPAA have been eager to take up.
The AHA and the American Medical Association are fighting hard to scale back the privacy regulation, which is the most controversial provision, during a second public comment period that opened last month and ends March 30.
The privacy regulation controls how and when physicians and administrative staff can share protected patient information, calls for formal agreements to ensure business partners use confidential data appropriately and requires patient consent prior to using information even for the most routine clinical and administrative purposes.
Both the AHA and the AMA, and groups such as the American Association of Health Plans, have problems with the privacy regulations, believing them to be administratively burdensome and a possible threat to clinical care.
Loaded with opportunities
But even in the realm of patient privacy, say proponents of the regulation, there are opportunities to capitalize on the rules and to complement broader initiatives.
"Tremendous efforts have already been under way among providers all around the country to make sure that patient information is secure and that information is kept private and not disseminated inappropriately," says Roy Snell, chief executive officer of the Health Care Compliance Association, a Philadelphia-based group that represents compliance professionals. "More can be done, and that's what HIPAA is all about."
Snell and others argue that hospitals stand to benefit from aggressive implementation of the privacy regulations. By convincing patients that they're not just following the rules but placing a premium on protecting confidentiality, hospitals may be able to win over customers--and keep the ones they have.
"Even if you're not thinking you can market yourself as being more privacy protective, all you need is your name in the paper one time with one of these huge exposures of personal records and you will find yourself losing business," Pritts says. "I would think a hospital doesn't want to be the headline of the day for having its security system broken into."
Kaiser Permanente was the headline of the day last August, when the Oakland, Calif.-based managed-care plan sent more than 850 e-mail messages to the wrong members. Those messages included such confidential patient data as requests for prescription refills and responses to medical questions.
Kaiser apologized to the members for its error, which it blamed on a technological glitch. To prevent a media frenzy, Kaiser voluntarily went public with the story but the incident was widely reported and demonstrated the fragility of health information privacy in an electronic world (Aug. 14, 2000, p. 4).
Standardizing the light bulb
The only regulation under HIPAA that already is final is the one that sets standards for the exchange of administrative transactions and medical diagnostic codes (See chart, p. 38). The goal of that regulation is to make it as easy to process claim forms as it is to buy a light bulb at the store and know it will fit in your socket at home.
It may be one of the least glamorous of HIPAA's regulations, but it is also the one with the most potential to bring about real savings. Payers now use some 400 formats to submit and pay claims. HIPAA would bring that down to just a few universal formats that could facilitate savings by putting every organization in the industry on the same electronic page.
"The basic purpose of HIPAA is to improve the efficiency of the healthcare system in general by standardizing the exchange of administrative and financial data," says Bill Braithwaite, a lead architect of the legislation and senior adviser on health information policy at HHS. Broad-based adoption of consistent ways to exchange information, he says, will reduce administrative overhead by "hundreds of percents."
Other industries have capitalized on standard-setting efforts. In banking, for instance, standardized electronic transactions make it possible to get cash from any automated teller machine. Without such standards, consumers could get money only from their own bank's machines, and a transaction as simple as an electronic funds transfer would be far more complicated.
Allina Health System's Pierotti is the kind of guy Braithwaite and other standards cheerleaders would like.
Last year Pierotti and his group at Allina conducted an analysis to determine how much it would cost--and how much his organization could save--to adopt the standards HIPAA establishes.
The five-month study found that for an investment of approximately $11 million over five years, Allina would see cash flow improve by $79 million, or a net improvement of $68 million, for its entire system, which includes 17 hospitals, six nursing homes and 56 clinics. Pierotti points out that his projections are conservative.
HIPAA's standards for administrative transactions are only required of providers that send claims electronically. If they continue to process claims on paper, which would be virtually impossible for any large health system, they need not concern themselves with formatting any computerized information.
"If we were going to invest a bunch of money to create new transaction capabilities, (Allina's) HIPAA leadership wanted to make sure that we knew what we could anticipate in terms of benefit and have benchmarks to measure ourselves against," Pierotti says.
Based on the analysis Allina conducted, the system believes it will boost cash flow for its hospitals by $9 million over five years by improving the process for chasing down claims never received or acknowledged by the payer.
In a standardized electronic world, a request for information about such claims can be sent to the payer on a daily basis and a response returned the following day.
The knockout punch is delivered by moving the 30% of claims Allina's hospitals now generate on paper to an electronic format. That will bring another $26.7 million in improved cash flow over five years, according to Pierotti's estimates.
Having set a course based at least in part on Pierotti's work, Allina will soon bid him farewell. Pierotti recently resigned to work as a HIPAA consultant with Minneapolis-based Partners Healthcare Consulting.
The industry asked for it
Some aren't so sure Allina will achieve the savings it hopes for.
"(The estimates) sound awfully big," says Charles Emery Jr., senior vice president and chief information officer of Horizon Blue Cross and Blue Shield of New Jersey who also worked as a health system CIO for several years before joining Horizon.
Emery says the problem for hospitals is not the ability to send an electronic claim but "getting sufficient information for the payer to pay it." Payers like Horizon often need additional information not contained on the claim form before reimbursing the provider. To realize the advantages of digital exchange, that additional information would have to be captured and stored electronically, Emery says, which can be an expensive proposition involving electronic medical records and other technologies often not in place.
Although Allina doesn't expect savings to kick in for two years, its projections bolster the argument HHS made when it estimated that implementing the electronic standards will bring industrywide savings of approximately $16.6 billion over 10 years.
"It's very difficult to look a year or two down the line, but I think that's an attitude we have to get over or we're going to continue to waste (money) by not implementing these standards," says HHS' Braithwaite. "Every organization that has reported back to me said they've saved more money than they expected when they approached it from a long-term point of view."
Braithwaite says his office has fielded complaints from providers that consultants and lawyers "put the fear of the federal government in their heads when, in fact, it was the (healthcare) industry that came to Congress and said we can't adopt electronic data interchange standards unless you force us to do it."
Aiming to reduce the industry's staggering administrative overhead costs, the Workgroup for Electronic Data Interchange started promoting standards in 1991. With backing from HHS and some key political leaders in Congress, the WEDI and other advocates of the standards looked to Capitol Hill for an adoption mechanism with teeth. They got that five years later when HIPAA was passed.
What the industry did not explicitly request was the rest of HIPAA, namely the complex privacy and security requirements included in the law. Those mandates, both of which have yet to be completed as regulations, go well beyond standardization of data. They require significant changes on both the clinical and the business side of the house.
Under the proposed security regulation, for example, hospitals will be required to control access to patient records and authenticate the identity of a physician before the records can be viewed.
Estimates of how much it will cost to implement these regulations have fueled controversy. A study commissioned by the AHA last December said hospitals will spend from $4 billion to $22.5 billion over five years complying with three HIPAA provisions: limits on information sharing by clinicians, ensuring compliance with HIPAA by business partners and reconciling HIPAA with state laws.
HHS has declined to discuss the privacy regulations until the second round of public comment has concluded.
Making care safe and secure
Meanwhile, some in the industry are anxious to get the word out that despite the pleas of trade groups and hospital lobbyists, even the privacy regulations are not as onerous as they may seem.
"There is no question that organizations that stress their proclivity to security and privacy of the individual will have some kind of advantage," says Snell of the Health Care Compliance Association. "Everybody's so angry with the regulations that they just aren't looking at some of the benefits."
Among those benefits, many argue, is the ability to apply some of the technological progress required by HIPAA to the larger goal of improving patient care.
The Institute of Medicine's second report on patient safety, which was released earlier this month, focused substantial attention on the role information technology can play in making medicine safer (March 5, p. 4).
"The IOM agrees that through such relatively simple things as automation of pharmacy ordering we have an opportunity to make huge strides in error reduction," says Mark Lutes, a healthcare attorney at Washington-based Epstein, Becker & Green. "There are lots of incremental steps we can take which will lead to better clinical decisions, more efficient use of resources and fewer errors."
Georgetown's Pritts agrees, adding that the privacy and security regulations go hand in hand with the electronic data standards. As more private information is beamed through cyberspace, the argument goes, the more important it becomes to safeguard that information.
"You can't have the electronic format without the security and privacy regulations," Pritts says.
For some healthcare providers, "(the privacy) regulation should make their life a lot easier," she says. "Many health plans require psychotherapists to turn over the therapy notes of their patients. Therapists view this as an ethical violation to their patient. Under the regulation, the health plan can't ask for those notes."
Though it may not be known for some time the degree to which HIPAA's regulations help or hinder the care process and hospitals' bottom lines, one thing is fairly clear: When it comes to HIPAA compliance, there will be some hard work before any payoff.
"As always there is pain with the gain," Snell says. "Capitalism depends on the best rising to the top as opposed to the sneakiest rising to the top."