Ten years ago this month, the Health Insurance Portability and Accountability Act dramatically changed the U.S. healthcare landscape, in some ways for the better and in some ways for the worse, industry experts contend.
"It's had a tremendous effect," says Chip Kahn, president of the Federation of American Hospitals. He echoes the comments of observers who believe the current pressure to expand information technology in healthcare stems in large part from the law that has come to be known as HIPAA.
"It assumed a world that we are slowly heading for now," Kahn adds.
HIPAA is most often recognized today for its three main provisions -- promoting electronic transmission standards for claims data, and regulating both the privacy of electronic medical records and the security of medical data storage and transmission. But HIPAA's roots, which grew into a Christmas tree of healthcare legislation, began in the U.S. Senate in 1995 as an insurance reform bill introduced by Sen. Edward Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kan.).
Kennedy-Kassebaum, as the bill became known, quickly gained what would be considered today an astonishing level of bipartisan support, particularly considering its main aim was to curb market distortions in the health insurance industry. Its supporters included liberals such as the late Sen. Paul Wellstone (D-Minn.) and conservatives such as Sen. Richard Lugar (R-Ind.) among its 66 eventual Senate co-sponsors. The final version, which emerged from the Senate-House conference committee, passed the Senate by unanimous consent, 98-0.
The Senate bill was an extension of insurance reforms passed a decade earlier in the Consolidated Omnibus Budget Reconciliation Act, according to Kahn, who, in those days, watched the HIPAA legislation take shape as staff director for the House Ways and Means Committee.
COBRA allows workers leaving a job to continue to purchase the same health insurance coverage they had under their employer-based plan. The Kennedy-Kassebaum bill constrained payers from limiting or excluding employees from coverage for pre-existing medical conditions, a particularly beneficial protection for workers in small group plans.
In the House, a bill containing what would become the "administrative simplification" provisions of HIPAA was introduced in March 1996. The House version reflected the recommendations of the Workgroup for Electronic Data Interchange, or WEDI, whose members were called together by the first Bush administration in 1991 to find ways to reduce healthcare administrative costs. HIPAA passed the House, 421-2. On Aug. 21, 1996, President Clinton signed HIPAA into law.
The advent of any federal legislation with the sweep of HIPAA is sure to cause disruption. In healthcare, cottage industries sprang up, peppered with HIPAA trade shows and peopled with HIPAA lawyers, HIPAA consultants and other forms of HIPAA privacy, security and IT cognoscenti. There was a fair share of panic peddling, too -- particularly in the early years -- as the law's first implementation dates and compliance deadlines came and went.
For Kenneth Ong, a physician and the director of medical informatics at St. Vincent Catholic Medical Centers, a three-hospital system in Manhattan and Westchester County, N.Y., HIPAA has brought change, but the question of value is less certain. "From my microscopic point of view, from within the hospital, it's certainly gotten people to focus on protection of patient privacy and confidentiality more than they did," Ong says. "I'm not sure the benefit outweighs the cost here in our own hospitals or nationally."
Ong notes the costs of ongoing training and compliance are particularly onerous. "When you see the intent was to simplify the amount of paperwork in healthcare, it really hasn't. I haven't seen any efficiencies, at least not at my level."
On the financial side of the hospital, HIPAA data standards covering electronic claims transmissions and the ability to electronically check on a plan member's eligibility have proven a boon, according to Jim Whicker, director of electronic data interchange for accounts receivable management at the 20-hospital Intermountain Healthcare system based in Salt Lake City. Whicker also serves as chairman-elect of the WEDI, which HIPAA designated to serve as an adviser to the government on healthcare IT issues.
"We've seen a significant reduction in the denials of claims we send out because we've done an eligibility check," Whicker says. "Since about a third of our denials had been related to coverage issues, we've eliminated that. I can see correlations to implementing part of the HIPAA transactions (standards) and decreases in our accounts receivable."
One HIPAA "do over" Whicker recommends involves the creation of a national plan identifier, one of several identifiers HIPAA mandated that remain unimplemented.
Robert Tennant, senior policy adviser for the Medical Group Management Association, says HIPAA has been a mixed bag for physician groups, with benefits coming from a heightened awareness within the government of the need to promote electronic health-record systems for physician offices. Programs initiated by the Office of the National Coordinator for Health Information Technology, until just recently headed by a physician, David Brailer, have benefited from HIPAA, Tennant said.
"I'll make the argument and say we'd not be having what we're having with Dr. Brailer and the push for EHRs without HIPAA," he says. "For all its flaws, it was the catalyst that started the IT movement in this country. It opened the doors for a new relationship between providers and payers and trying to save money throughout the system."
A blueprint, not a mandate
Tennant also praised the HIPAA security rule as "one of the finest regulatory rules I've ever seen."
"It's not a heavy-handed mandate," Tennant says. "It's really a blueprint. It lays out a framework for how they (physicians) can protect their practice. It gets groups to think strategically. You don't have to break the bank to comply. That's what the strength of the rule is, that it tells the practice not to do it because the government mandates it, but because it makes good business sense."
Tennant says HIPAA left "loopholes" in standards under the section for transactions and code sets, which required payers and providers to comply by October 2003, but excluded IT system vendors from the mandate. Some vendors worked hard to bring their systems up to HIPAA standards, but most did not, forcing many practices to rely on claims clearinghouses as intermediaries, adding cost and another layer of bureaucracy to the payment process, he says.
Tennant says he hopes another important benefit will be derived from HIPAA: learning how not to implement a federal program.
Greg DeBor, a partner with the Global Health Solutions unit of IT systems integrator Computer Sciences Corp., agrees that HIPAA could have a medicinal effect on future government healthcare initiatives. "Nobody wants to do HIPAA again," DeBor says. "They don't want the government telling them how to do it, so it's led to much better public-private collaboration."
John Travis, director of regulatory and compliance strategy at hospital IT systems vendor Cerner Corp., says IT shoppers today "are expecting a good level of HIPAA compliance for every system that they are buying," but HIPAA compliance, while an "extremely high priority" between 2000 and 2004 for both customers and vendors, is becoming less of an issue for customers today.
The new area of interest in HIPAA is forming around the privacy implications of electronic health-records systems for healthcare consortia or communities, such as regional health information organizations, Travis said.
Jill Callahan Dennis, president of the American Health Information Management Association, an organization for medical records professionals, says that while privacy and confidentiality of patient data has always been important to AHIMA members, HIPAA "pushed it to the front of the brain on day-to-day issues.
"What it hasn't done for us yet, we haven't achieved some of the goals on the transaction simplification side of things," she says.
"We wish that we had achieved through HIPAA some standardization of the various state laws on privacy and confidentiality," Dennis says. Instead, HIPAA allows what she describes as "this weird patchwork" of state privacy laws. "The fact that HIPAA didn't deal with that has had some unfortunate payoffs in our (inability) to move forward on the interchange of information."
Even after 10 years, several of the lesser provisions of HIPAA have yet to be implemented, including the national plan identifier. The compliance deadline for a national provider identifier isn't until May 23, 2007. A unique patient identifier, though mandated by HIPAA, has become something of a third rail in healthcare IT. Yielding to pressure from privacy groups, Vice President Al Gore in July 1998 halted work at HHS on developing a unique patient identifier and a few months later, Congress banned the use of federal money on developing such an identifier. Private-sector efforts have reopened discussions on the controversial issue in recent months, however.
The thorniest HIPAA provision -- privacy -- also remains in play.
Last month, the U.S. House of Representatives debated, at times heatedly, a bill to promote healthcare IT. Earlier versions of the bill contained a provision that would have, in effect, modified HIPAA by authorizing the HHS secretary to pre-empt any state privacy laws deemed as barriers to interoperability. Under pressure from a coalition of privacy groups, the pre-emption provision was stripped from the final version of the bill that passed the House on June 27.
Still, privacy advocates are wary of other provisions that remain in the bill, including the requirement that HHS conduct a study of the variances between state and federal privacy laws and report to Congress regarding their impact on healthcare information exchange. The bill also contains language that HHS should make recommendations to Congress about proposed changes in these laws. The study, privacy advocates suggest, is already under way in the form of an HHS contract let last fall with the Research Triangle Institute.
HIPAA provided a floor under the states regarding privacy, but it did not impose a privacy ceiling. Rather, it specifically empowered states to keep or pass their own privacy laws if they contained more stringent privacy protections.
Many states have privacy statutes that single out certain classes of medical information for special handling, most commonly records of patient care involving treatment for mental health, drug and alcohol abuse and certain diseases such as HIV/AIDS.
A tussle could continue as conferees from the House and Senate, which passed its own IT bill in November, must meet to reconcile differences between the two versions. The Senate version relies on HIPAA for its privacy protections, but Democrats and Republicans are becoming more aware of the weakness of HIPAA regarding patient consent.
House Democrats had pushed for an amendment to the latest IT bill introduced by Reps. John Dingell (D-Mich.) and Charles Rangel (D-N.Y.) that would have restored patient consent before personal health information could be shared electronically. The proposal also would have expanded the scope of HIPAA beyond the narrow confines of "covered entities" as defined by the act -- providers, plans and claims clearinghouses -- and required all individuals and organizations possessing personal health information to comply with its privacy protections.
In addition to congressional action, the U.S. Supreme Court has been presented with a privacy case on appeal from lower federal courts in Philadelphia. The lawsuit was filed in April 2003 against former HHS Secretary Tommy Thompson by a host of professional medical societies and privacy groups. It challenges Thompson's 2003 revision of the privacy rule that eliminated patients' rights to control access to their medical records.
Under HIPAA, HHS was given the authority to draft a privacy rule if Congress failed to do so within three years of the bill's passage. Congress couldn't get a privacy bill out of committee, so the Clinton administration issued a first draft of a proposed rule in November 1999. That initial proposed rule called for elimination of a patient's right to consent. But the public comment period drew more than 54,000 responses. About 80% of the comments expressed concern about the loss of patient control over access to their medical records, which prompted HHS to reverse its position, according to Deborah Peel, plaintiff in the lawsuit against Thompson and director of the not-for-profit privacy advocacy group Patient Privacy Rights.
The result was a final rule, issued on Dec. 28, 2000 -- in the last days of the Clinton administration -- that restored patient control with the language that "a covered healthcare provider must obtain the individual's consent . . . prior to using or disclosing protected health information to carry out treatment, payment or healthcare operations."
In 2001, the incoming Bush administration gave the rule its own review and reopened it for an additional 30-day comment period that ended in March 2001, collecting more than 24,000 responses, according to an HHS statement at the time. Again, a majority of the comments favored patient consent, Peel says. Thompson let stand the consent provision as well as the effective date of the rule, April 14, 2001.
By March 2002, however, the Bush administration announced the privacy rule would be reworked. This time, more than 11,000 comments were received and, according to Peel, the majority supported consent.
On Aug. 14, 2002, HHS published the privacy rule now in effect. Language requiring a patient's permission prior to use and disclosure of healthcare information was replaced with a new provision "that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment (or) healthcare operations."
Jim Pyles, a privacy lawyer with the law firm Powers Pyles Sutter & Verville, noted that the American Hospital Association, the Healthcare Leadership Council and several large Blues plans lobbied hard for the final revisions. Pyles is the lawyer challenging the rule, saying it violates an individual's right to privacy under the Fourth and Fifth amendments to the Constitution.
According to Patrick Hadley, spokesman for the Office for Civil Rights at HHS, which is charged with enforcing the civil penalty provisions of HIPAA, as of June 30, there have been 20,847 privacy complaints filed with the office, and no civil penalties issued. Hadley said 332 complaints have been referred to the Justice Department for possible criminal prosecutions. So far, only two criminal cases have been prosecuted fully under HIPAA. Last summer, the Justice Department's office of legal counsel issued an opinion advising U.S. attorneys that only "covered entities," not their employees, could be criminally prosecuted under HIPAA.
Edgar Bueno, a senior associate of the law firm of Pillsbury Winthrop Shaw Pittman, who worked for six years in HHS' inspector general's office, criticizes the government's stand. "A fair reading of the statute indicates it does apply to individuals," Bueno says. "It's individuals who are doing the bad acts and selling people's information."
Civil penalties, up to $100 maximum per violation, "are not that significant to healthcare entities, and moreover, the enforcement isn't there. . . . I just know there are breaches of the law out there and nothing is being done about it, at least it seems so."
HIPAA HISTORY AT A GLANCE
July 13, 1995 Health Insurance Reform Act of 1995 is introduced by Sens. Nancy Kassebaum (R-Kan.) and Edward Kennedy (D-Mass.)
March 18, 1996 Health Coverage Availability and Affordability Act of 1996 introduced in House by Rep. Bill Archer (R-Texas)
Aug. 1, 1996 House passes conference report on combined bill, renamed Health Insurance Portability and Accountability Act of 1996, by a 421-2 vote
Aug. 2, 1996 Senate passes conference report on HIPAA on a 98-0 vote
Aug. 21, 1996 President Clinton signs HIPAA into law
Aug. 21, 1999 Deadline passes for Congress to enact separate privacy legislation as specified under HIPAA
Nov. 3, 1999 In absence of congressional action, HHS issues proposed privacy rule in which patient consent is not required for disclosure of protected health information
Aug. 17, 2000 Transactions and code sets final rule implemented
Dec. 28, 2000 Responding to public comments, HHS implements amended final privacy rule that includes provision requiring patient consent for most disclosures
April 14, 2001 Privacy rule re-implemented after review by HHS Secretary Tommy Thompson; patient consent requirement is retained
Aug. 14, 2002 HHS implements revised privacy rule replacing patient consent with regulatory permission to disclose protected health information without patient permission
April 14, 2003 Privacy rule compliance deadline (except small health plans, which have until April 2004)
Oct. 16, 2003 Transactions and code sets compliance deadline
April 20, 2005 Security rule compliance deadline (except small health plans, which have until April 2006)
Aug. 1, 2005 National employer identifier compliance deadline (except small health plans, which have until August 2006)
May 23, 2007 National provider identifier compliance deadline (except small health plans, which have until May 2008)
This article originally appeared in the Aug. 7 edition of Modern Healthcare magazine.