Health Insurers Prepare For Privacy

A year ago, health insurers, health plans, providers, hospitals and clearinghouses collectively were heaving a sigh of relief. That's because they were granted the option of applying for a one-year extension to comply with the standardized transactions and code set rules of the Health Insurance Portability and Accountability Act (HIPAA).

With that compliance date essentially delayed until October 2003, many health insurers switched gears. Instead of focusing primarily on the significant IT challenges associated with standardized transactions, they also began pumping more resources into their HIPAA privacy activities, since that was the next deadline set by the 1996 federal law.

Specifically, on April 14, 2003, the majority of health care organizations must comply with HIPAA's privacy rules. According to the final rules, issued last August, health care organizations, including health insurers, must:

* Establish policies and procedures and train the workforce to protect medical records and personal health information.

* Distribute notices describing their privacy practices and individual privacy rights.

* Enable people to access their health records and amend errors.

* Provide upon request an accounting of disclosures of personal health information not used for treatment, payment and healthcare operations.

* Establish a complaint process for people who believe their health information has been compromised.

Despite the broad reach of the privacy regulations, the industry is in much better shape with privacy than it is with standardized transactions and code sets, says Matt Duncan, director of the HIPAA practice for New York-based PricewaterhouseCoopers. (See "Ready or Not, Here Comes HIPAA," April 2002.) In part, privacy is less problematic because the overriding theme of the privacy regulations is "reasonableness," he says.

Although privacy compliance will require some technical changes, most of the work on privacy is procedural. In addition, health insurers generally operate in a centralized environment, according to Duncan. As a result, it's fairly easy for them to control how personal health information is used.

"They can take a common-sense approach," Duncan says. "They don't need to go overboard in implementing new technologies to address privacy. It's much more of an educational and policy issue for them."

Voice of reason

In fact, that's the approach that Blue Cross Blue Shield of Massachusetts has taken. "I like to think of my role as bringing a voice of reason to the process," says Ron Romano, ombudsman, privacy officer and vice president of consumer affairs for the Boston-based Blues plan.

With 2.4 million members, Blue Cross Blue Shield of Massachusetts typically receives only four or five confidentiality complaints per year, says Romano. Since the company already has a well-established grievance process and a custom-designed database for handling complaints, the technical impact of tracking complaints for HIPAA is not significant, he says.

Providing personal health information and accountings of disclosures to members who request them also won't be technically challenging, Romano says. "People are making a couple of mountains out of mole hills. The bottom line is: When a customer calls and says, 'I'd like a copy of my claims summary; I'm trying to reconcile my income tax records,' we used to give (that information) to them and we'll continue to give it to them. Nothing changes because of HIPAA," he says.

Similarly, Blue Cross Blue Shield of Massachusetts is taking a prudent approach to the accounting of disclosures of personal health information. If a customer requests an accounting, HIPAA allows the company to remove from the list any disclosures that were authorized or released to support treatment, payment and healthcare operations, Romano notes. "What's left are subpoenas and some accreditation activities with the state," he says.

Prior to HIPAA, people in 16 states already had the right to access personal health information and request an accounting of disclosures, notes Dana Bradfield, information systems manager, corporate privacy project team, at Mutual of Omaha Insurance Co., Omaha, Neb. "Most of our systems support that capability," he says. "So there wasn't a lot of system enhancement associated with that activity."

Blue Cross Blue Shield of South Carolina established a new tracking database to centrally track disclosures, says Jim Daley, HIPAA program director at the Columbia, S.C.-based Blues plan. And the company set up an alternate address location along with an on-screen flag for confidential communications, which indicates if a member has asked the company not to share information with family members. "For the most part, however, our workflow hasn't changed significantly," Daley says.

No. 1 priority

Despite the consensus that HIPAA privacy rules haven't burdened insurers with excessive IT issues, the regulations have forced them to reassess their privacy policies and practices, and to address workforce training.

"About a year ago we saw an uptick in demand for off-the-shelf products to help companies define and customize policies for improving patient confidentiality," says PwC's Duncan. Typically, those products included computer-based training modules.

In fact, training has been the No. 1 priority for both payers and providers, he says. "How do we train our workforce? So if we have an accidental breach of privacy, we can point to where we've educated the employees and they've signed agreements and they've scored passing grades on the competency tests." (See "A Hipper Way To Conduct HIPAA Training," below.)

According to several people interviewed for this article, the U.S. Health and Human Services' Office of Civil Rights (OCR), which will enforce HIPAA privacy, is not expected to be aggressive, at least initially. Still, slight infractions can cost $100 apiece, and egregious violations, such as disclosing identifiable health information for commercial gain, can result in fines up to $250,000 and 10 years in prison.

As a result, centralized oversight and accountability for privacy is critical. And most health insurers have assigned a high-level officer or task force to ensure compliance. Typically, that person or team has corporatewide responsibility for the following:

* Reviewing and revising privacy policies within an organization as well as with its business associates.

* Consulting with business areas to determine if workflow changes are necessary.

* Managing a centralized complaint process for people who believe their privacy has been violated.

* Overseeing workforce privacy training, contract modifications with third-party service providers, and the distribution of privacy notices.

For Mutual of Omaha, developing and distributing its privacy notices has been a time-consuming and costly endeavor, says Bradfield. The company operates in 50 states and four territories. Because state laws preempt HIPAA if the state laws are more stringent, Mutual of Omaha enlisted the help of an outside law firm and undertook an exhaustive preemption analysis of all pertinent state privacy laws.

With approximately 30 different line-of-business processing systems and 54 different privacy notices, implementation costs escalated. "Our total HIPAA and (Gramm-Leach-Bliley) compliance efforts are in the $7 million to $10 million range," Bradfield says.

"That does not include the training that's being delivered to our entire workforce. It comes to $13 million if you include those additional costs."

Mutual of Omaha's HIPAA costs are typical. Payers responding to a Gartner survey last August indicated that their total HIPAA costs likely would reach at least $14 million on average.

And, although one of the main objectives of the HIPAA legislation was to reduce health care costs by simplifying administrative and financial transactions across the industry, few insurers are expecting a return on their investment.

When asked if they expected ROI to equal or exceed their HIPAA costs, only 21% of payers surveyed by Gartner said "yes," half said "no," and 29% said they didn't know. In addition, nearly half (49%) of payers responding to the August survey had cancelled their plans to conduct a cost/benefit analysis. In November 2001, only 25% of payers were not planning such an analysis.

Indeed, Gartner concludes that payers have abandoned treating HIPAA as a strategic opportunity in favor of purely tactical compliance approaches.

Questions remain

The industry is still waiting for the final rule on HIPAA's security regulations, promised at least eight times already. Additional transactions revisions and rules are expected, including a standard claims attachment transaction. And providers are alarmingly behind payers on implementing the existing transactions and code set rules, according to industry sources.

In addition, the Administrative Simplification Compliance Act of December 2001, which allowed the one-year extension for standardized transaction compliance, stipulated that testing must begin this April 16. But the law is vague about what testing means, sources say.

"There were a lot of industry questions," says Daley of Blue Cross Blue Shield of South Carolina, which processed 240 million claims in 2002 using its cimrONE software. "Does that mean everybody is done with all their (internal transaction) work and they're testing with their trading partners? Or does that mean they have software installed and they're testing to make sure it works internally?" As finally worded, he says, the law leaves it up to each healthcare organization to determine how much testing it needs to have in place by April.

"You're never going to have a point when every healthcare organization in the country says, 'Okay. We have the standard transaction format now. We never have to worry about it again,'" says PwC's Duncan. "It will be one big industrywide continuous improvement initiative."

In addition, privacy compliance won't be complete on April 14. No one knows how many people will request personal health information and accountings of disclosures.

"I was just out with a client today, a prescription-benefits management company," says John Cerwin, president of HIPAA Accelerator, a Bannockburn, Ill.-based HIPAA privacy software provider. "And they have determined if they get one-tenth of 1% of their population requesting access to protected health information or requesting an accounting of disclosures, it will amount to several hundred requests per day."
