Baylor Health Care System budgeted $7.5 million for the first five years of preparation for and implementation of HIPAA-related process changes and computerization--not just for the privacy provisions but all aspects of administrative simplification and standardized business practices addressed in the law.
Three years in, the Dallas-based system of 11 hospitals has spent about half of what it budgeted, said Donna Bowers, vice president of the system's Baylor University Medical Center, who has headed the compliance effort.
"Nobody had a clue what this was going to cost, and I'll bet a lot of people won't be able to tell you what they spent," she said.
A national survey by the American Health Information Management Association on the state of compliance with the Health Insurance Portability and Accountability Act of 1996 pointed to the same conclusion.
Though costs for new or upgraded software and physical changes to the work environment can be tracked, the bulk of the cost of compliance with HIPAA was buried in long, uncounted hours spent by hospital staff and managers to write or revise policies on privacy practices and information disclosure procedures and then educate masses of employees, the AHIMA report noted.
A third of all survey respondents said they had no formal current budget for ongoing compliance efforts, and another 32% weren't sure if they had a budget or not. Eight percent put the size of their budget at $100,000 or more.
Many organizations had predicted implementation and maintenance costs in the millions of dollars. Although AHIMA didn't ask for implementation costs leading up to the compliance deadline in April 2003, "Nothing in the responses to this survey and in previous surveys and questions from AHIMA would indicate that the costs came anywhere near these predicted amounts," the report said.
Some 55% of organizations in the survey upgraded computer software to manage privacy protection or meet the elevated demands for disclosing and distributing patient information. Of those, nearly three-fourths used their own information technology staff or worked with an existing vendor. Six percent chose a new vendor, and 21% used a combination.
Only one in four surveyed organizations implemented new software. Some 20% developed new computer capabilities internally and the rest did not add any new computer applications.
Erlanger Health System, Chattanooga, Tenn., spent about $300,000 on compliance preparations and will spend about $120,000 annually to maintain and improve compliance, "a never-ending process," said Chief Privacy Officer Rita Bowen. She estimated current compliance at 75%, which partly reflected the difficulty of accounting for information disclosures.
Erlanger's preparation costs for HIPAA included $30,000 to upgrade a system for release of information and train the healthcare information management staff. But much of the cost was in training time for 4,000 workers, Bowen said. At the average hourly wage, it cost Erlanger $163,500 for the two hours of formal training for each employee, she said.
At Baylor, a similar information system to track release of information was upgraded to account for disclosures at a cost of $200,000, Bowers said. Because not all hospital sites had the program module for tracking information releases, they first had to have that module installed at a total cost of $50,000 before the upgrade for accounting could be added, she said. Other expenses included $50,000 to install privacy screens on all computers in clinical areas.
"We spent at least three years on the privacy regulations to become compliant," Bowers said. "We put resources and a whole structure in place to do this."
For all that work and expense, the health system is about 95% compliant, she said. The remaining problems center on the difficulty of distributing patients' amendments of their records to all outside contractors and partners, known as business associates. "It's probably one of the most unrealistic components of HIPAA," she said.
Hospitals and other providers will be required by April 14 to have a signed confidentiality agreement with all business associates, one of the compliance tasks cited by healthcare representatives as time-consuming and burdensome. But in daily operation, dealings with business associates are complicated by another HIPAA requirement allowing patients to view their records and amend them to correct information or update missing details. Those changes have to be reflected not just in the provider's record but in all the information kept by outside billing agencies, medical databases and any other place where that information could bear on medical or insurance decisions.
It was a tedious enough process to identify all business associates, Bowers said. "But to tie those (amendments) back at a specific point in time to a specific patient, that's where the difficulty comes in." She said most hospitals are probably out of compliance because of the problem of distributing such amendments. "It's not because they want to be, it's because they don't know how to fix it."
In areas involving continual record-keeping and changes--such as accounting for disclosures of information and managing patient acknowledgments of notices of privacy practices--hospital organizations should look for ways to incorporate automated solutions into their current and future plans for computerization, said David Lindstrom, chief privacy officer at Penn State University, University Park.
For example, when the university health service decided it was time to change its practice management system, it designed HIPAA compliance into the new system. A registration employee can handle the notice of privacy practices as part of the intake process, including whether the patient received a current copy somewhere else in the health service at another time and doesn't need to be handed yet another one, Lindstrom said.
Computer software also can track when medical records have been queried and keep a log of them for accounting purposes, he said. The university has plans to build other types of HIPAA requirements into the registration and billing process, such as incorporating standards for HIPAA-mandated insurance, he added.
Just over half the respondents to the AHIMA survey said they had installed computer systems to account for disclosures electronically, either by buying new software or revising existing electronic medical-record systems. Such computer capability, though costing healthcare systems hundreds of thousands of dollars, can simplify and automate the labor-intensive manual challenge.
But some executives have taken a stand to "do it manually when they have to instead of setting up systems to do it routinely," said Jill Callahan Dennis, an adviser to AHIMA and president of Health Risk Advantage. Their hope is that by holding off on automating the process, they might not have to do it at all if healthcare industry advocates are successful in lobbying for relief, she said.
There's some precedent. Originally the HIPAA privacy regulations required providers to get patient consent to use their personal health information, a mandate that was withdrawn in a subsequent round of federal modifications, but not before some hospitals had already spent money to automate the consent process in their resolve to "do it right," Dennis said.
"Sometimes there's a penalty for running right out there and getting compliant," she said.