Fifteen years ago, the Health Insurance Portability and Accountability Act breezed through Congress and, on Aug. 21, 1996, President Bill Clinton signed it into law.
HIPAA at 15
Some provisions still a work in progress
The law remains vital, despite its age, with several key HIPAA compliance deadlines looming. They include Jan. 1, 2012, for use of the ASC X12 Version 5010 data transmission standards, as well as two standards for retail pharmacies and Medicaid pharmacy subrogation, and Oct. 1, 2013, for use of ICD-10 diagnosis and procedure codes.
The once popular and subsequently oft-bemoaned law has its share of measured defenders.
“It all depends on your definition of success,” said Robert Tennant, senior policy adviser for the Medical Group Management Association.
The aim of one major section of HIPAA, “administrative simplification,” was to control rising healthcare costs through computerization and data standardization. “By stimulating the industry to move more toward standardization and thinking more about standardization, it was very successful,” Tennant said, but, “Did it succeed in driving out costs? No.”
Introduced in the Senate by co-sponsors Sens. Edward Kennedy (D-Mass.) and Nancy Kassebaum (R-Kan.), the wildly popular bill passed by votes of 98-0 in the Senate and 421-2 in the House. It targeted a then-widespread payer practice of excluding coverage to people for their pre-existing medical conditions. Group plans offered to small employers as well as individual health plans were exempt, however. Thus, it will be left to the Patient Protection and Affordable Care Act of 2010 to eliminate exclusions for pre-existing conditions entirely, and not until 2014, 18 years after HIPAA became law.
“From an insurance perspective, I think it’s had a significant impact, because it did change the way we looked at health insurance and made it transferable,” said Dan Rode, vice president for advocacy and policy at the American Health Information Management Association. People with medical conditions were no longer locked into a job over fear of losing healthcare coverage. “I think it realized a lot of benefit from that standpoint.”
And while administrative simplification remains a work in progress, Rode said, “I think we’re finally recognizing the importance of data in healthcare, and that’s exciting. And that’s certainly what HIPAA was supposed to do. I think in another 15 years or so, we’ll really have something to pat ourselves on the back about.”
Lawrence Hughes, assistant general counsel for the American Hospital Association and its expert on HIPAA privacy and security, noted that the law created a first set of nationwide standards in that arena and that the AHA and its members “support a lot of things that have occurred with privacy and security with regards to HIPAA.” The AHA, nevertheless, recently submitted a somewhat critical response to a proposed rule broadening hospitals’ responsibilities to provide patients with an accounting of disclosures of their medical records, one of several HIPAA-tightening provisions of the American Recovery and Reinvestment Act of 2009.
From the perspective of a technologist in the healthcare trenches, HIPAA has been a swing and a miss, says Stephen Stewart, the chief information officer for the Henry County Health Center, which runs a 25-bed critical-access hospital and a 49-bed nursing home in Mount Pleasant, Iowa. “It was a fabulous idea that’s been miserably executed,” he said.
Take, for example, the tolerance for variability in HIPAA standards for claims (837) and remittance advice transmissions (835), Stewart said. “There is a problem with 837 in that a payer could require something to be put in this or that place to satisfy their own needs.” he said. Plans could—and did—modify the contents of these “standardized” transactions, re-introducing variability to the claims stream that humbugs the industry to this day.
“Kind of think if it as looking at a monthly calendar,” Stewart said. “There is a day for every month, but I can put something on every day and so could you. I’ve got to tweak it for everybody I do business with.” HIPAA has failed to mandate away the IT cacophony, he said. “In healthcare, the only time anybody does things is if there is a mandate.”
Given the explosive grown of technology since 1996, much of it unforeseeable to HIPAA’s authors, “You can’t help but say it’s way behind the times,” said Deven McGraw, a lawyer who heads the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank.
HIPAA was written to apply to “covered entities”: providers, insurance companies and other payers, and claims clearinghouses. “Data sharing has expanded way beyond the HIPAA bubble,” said McGraw, co-chair of the privacy and security tiger team of a committee advising HHS’ Office of the National Coordinator for Health Information Technology. “Eighty percent of people do searches about healthcare on the Internet, and every time they do, that data is collected about them and there is no regulation for that.”
But she doesn’t consider HIPAA a privacy and security failure. “I wouldn’t give it an A or a B, but I wouldn’t give it failing grades. It changed the way people think about privacy. Most of the public is aware of HIPAA, and they think it protects privacy more than it does, but they know there is this law called HIPAA. And the providers and the plans know their obligations.”
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.