by David Annis, Vice President and Chief Technology Officer

I hope you had an enjoyable summer!

In this issue of The BIS Bulletin, we open with the compelling results of a recent survey from AIIM. For the first time, the results show that risk issues tied into compliance are an important driver for companies considering enterprise content management (ECM) solutions. At 17 percent, compliance with government regulations is second only to the need to improve efficiency, a figure down six percent since the 2003-04 AIIM survey.

On the issue of compliance, we have also included a recent square-off article that provides input on both sides of the HIPAA argument as to whether or not HIPAA regulations are effective. And you'll find recent news from partners EMC and Kofax in the Partner News section.

I hope you'll join us at OACRAO (Oklahoma Association of Collegiate Registrars and Admissions Officers) on the BIS Party Bus on October 5th in Tulsa. And on a personal note, Team BIS recently participated in Citizens Caring for Children's Back-to-School Campaign. Details about both of these events can also be found in this issue of The BIS Bulletin.

Best regards,

David Annis
dannis@bisok.com

 
 

Whether it's a matter of compliance or continuity, businesses are focusing more on risks and less on cost when pursuing enterprise content management (ECM) deployments. That's one of the conclusions of the latest annual "Industry Watch" survey, released in May by AIIM International.

While cost and efficiency continue to be the biggest drivers of ECM adoption, interest in compliance- and risk-related concerns has increased more than 70 percent since AIIM's '03/'04 survey. In fact, the more than 1,200 respondents to this year's poll ranked document control, records management/archiving and e-mail management - compliance- and risk-oriented concerns - as their top-three apps under consideration. Process automation and risk management (business continuity) moved to the number-five and number-six spots, respectively, up from 10 and 13 in the '04/'05 survey.

The report shows that most understand why they need to manage content, according to AIIM, yet many still struggle with ECM deployment. Respondents cited "justifying the investment" (30 percent), "planning/managing implementation" (27 percent) and "getting employee commitment" as the biggest obstacles to ECM projects.

[Source: Intelligent Enterprise, July 2006]

 
 

Over the past couple of years, our employees have pulled together to make donations to Oklahoma foster children through Citizens Caring for Children. Team BIS recently donated school supplies to the organization's Back-to-School Campaign.

About the Back-to-School Campaign
Going to a different school can be an especially difficult time for foster children. Citizens Caring for Children gives new book bags and school supplies along with a new outfit of clothing and shoes to each child, ensuring that they are equipped for success on their first day of school.

About Citizens Caring for Children
Citizens Caring for Children breaks the cycle of abuse and neglect for Oklahoma foster children by addressing their material, emotional, intellectual and spiritual needs … because every child deserves the chance for a better life.

 
 
The following square-off provides both a "yes" and "no" response to the question, "Are HIPAA regulations effective?" Where do you stand on HIPAA compliance?

Yes.

HIPAA provides the backbone for the privacy and security of data necessary for electronic medical transactions, including personal health records and a national health information exchange. It lets providers treat patients based on their entire medical history, not just the snapshot available at an isolated facility. HIPAA also furthers supply chain integration, ultimately lowering costs throughout the health care system.

Although there's been only one criminal conviction under the act so far, enforcement is only a narrow part of its overall mandate and shouldn't be the sole measure of effectiveness. To date, emphasis is on voluntary compliance rather than punishment. HIPAA's regulations are complex, and the industry is working to understand and implement them. Now that a final enforcement rule has been published, we can expect to see increased activity in situations where voluntary compliance efforts fail.

More than a decade ago, I had the opportunity to help shape the early health care transaction standards that would one day become HIPAA. I worked on the American National Standards Institute's X12 835 committee to define the first version of standard remittance advice, which is now a HIPAA standard. Back then, we could only imagine a time when the health care industry would give up its paper processes and go electronic. Thanks to HIPAA and the hard work of several industry organizations, standardized formats finally arrived, and electronic transaction usage increased as a direct result.

The Department of Justice now has the authority to pursue only violations of the most egregious nature - those that represent deliberate misuse of patient information. The penalties for lesser violations, such as inadvertent disclosures of health information, were set in the original HIPAA legislation and aren't, at first glance, particularly onerous: a minimum of $100 per violation per year, and a maximum of $25,000 per year per violation. The real deterrent isn't the fines themselves, but the bad publicity that befalls an organization when fines are imposed.

Because HIPAA regulations apply across a broad spectrum of organizations - ranging from a one-provider practice to the largest hospital system, academic medical center or insurance company - it isn't possible to provide a checklist of must-dos for each covered entity. The rules are deliberately nonspecific as to technology and implementation processes, providing the flexibility various types of organizations need.

The benefits of HIPAA compliance are clear to anyone in health care; the regulation's original purpose was to simplify administration, reduce costs, relieve the paper burden, and achieve improved management of administrative functions. The government initially justified HIPAA standards based on a compelling statistic: paper claims cost two to ten times more to process than electronic ones.

Although most employer groups aren't required to adhere to HIPAA transaction standards, they're starting to adopt them as a way to increase efficiencies by adopting EDI.

Health care is still working to eliminate, or drastically reduce, its technical limitations and manual processes. Adoption of non-claim transactions lags partly because of provider resources, particularly for smaller physician practices, and partly because of simple economics. However, the increasing availability of web-based tools provided by health plans will increase the adoption of these transactions. It's important to remember that despite regulations, deadlines and expenses, HIPAA was meant to simplify administration.

- Dawn Burriss, TriZetto Group

No.

Business managers often bring in IT to help them comply with HIPAA regulations. But the worst part of this imposition is that the effort isn't really paying off. With only a single conviction since its passage in 1996, HIPAA is a weak and poorly enforced law.

Last year, Info-Tech Research Group reported that roughly 25 percent of the 130 health care organizations it surveyed didn't feel they were ready for the forthcoming HIPAA deadline in April. In addition, the U.S. health care industry's own 2005 HIPAA survey found that many health care entities had simply decided not to meet HIPAA requirements; their top two reasons were "no public relations or brand problems anticipated" and "no anticipated legal consequences."

Those two rationalizations sound just about right. I speak with hospital IT decision makers daily, and I can tell you unequivocally that even now, a decade since the law's enactment, HIPAA compliance just doesn't resonate with them. Such disinterest seems common among government agencies and enforcement bodies as well.

From 2000 to 2003, the FBI received $379 million in funding to investigate HIPAA-related health care fraud. Despite this, Richard W. Gibson remains the only defendant ever to be convicted under the act. In August 2004, a federal court ordered the Seattle resident to serve 16 months in prison and pay $9,000 in restitution for stealing the identity of a patient at the cancer clinic where he worked and using the information to fraudulently obtain credit cards. The modest fine hardly justifies the government's investment of more than a third of a billion dollars.

Regulatory enforcement seems to occur only when it's profitable. For example, the Sarbanes-Oxley Act has netted the U.S. Treasury Department several billion dollars in fines, leading companies and federal authorities alike to take Sarbox seriously.

Another law with teeth is the Fair Credit Reporting Act. To settle Federal Trade Commission charges that it had violated the act by committing a security breach resulting in the theft of financial records involving more than 160,000 consumers, ChoicePoint in January agreed to pay $10 million in civil penalties and set up a $5 million victims' trust fund.

Why isn't HIPAA enforcement anywhere near as lucrative? One reason is the lack of executive accountability.

Sarbox is effective because the government holds the CEO and CFO accountable through yearly audits. Such audits don't exist for HIPAA, perhaps because of the urgent nature of hospital work. But health care providers and their executive teams must bear responsibility for violations, even those committed by low-level employees.

Another problem is that too many health care organizations labor under the misconception that HIPAA compliance is solely an IT systems issue. HIPAA says data must be kept confidential, but offers little or no leadership on how to engineer processes to ensure privacy.

In this regard, IT professionals should seek guidance from overseas - especially the United Kingdom, which, like Europe in general, is a world leader in data privacy. The Brits are focusing on BS 7799, the predecessor of the ISO/IEC 17799 security standard.

Without privacy-oriented processes, IT's technological involvement with compliance initiatives like HIPAA will have little effect in paper-based environments such as health care.

Don't get me wrong - there's much to be learned from IT-related laws and regulations to ensure public privacy and corporate governance. Indeed, such provisions are usually based on best practices and plain old common sense. However, HIPAA will never be effective unless the government enforces it as vigorously as other laws. If we don't start taking HIPAA seriously, we might as well drop it altogether.

- Ross Armstrong, Info-Tech Research Group

[Source: Optimize, April 2006]

 
 

Join BIS on the party bus at the upcoming OACRAO (Oklahoma Association of Collegiate Registrars and Admissions Officers) show in Tulsa!

Thursday, October 5th
Cherokee Hills Resort & Casino

OACRAO attendees will be picked up at the Red Star Entrance. The bus will rotate in 45-minute intervals, from 7 p.m. until 11 p.m.

For more information, contact us.

 
 
Kofax Announces Two Tiers of its Ascent Capture Platform
Kofax has announced two tiers of its Ascent platform, the world's most popular information capture application. With the update to Ascent Capture 7.5 and introduction of a new enterprise edition, Kofax is enabling customers to select the information capture solution that best matches their business needs. Ascent accelerates business processes by collecting paper documents, forms and e-documents; transforming them into accurate, retrievable information; and delivering the content into an organization's business applications and databases. The new editions of Ascent Capture will be further described in the September issue of The BIS Bulletin.

EMC Application Named eWeek Excellence Award Finalist
In the Sixth Annual eWeek Excellence Awards competition, EMC EmailXtender 4.7 was named one of two finalists in the "E-Mail Management and Security" category. According to a write-up in the June 19, 2006 issue of eWeek: EMC EmailXtender 4.7 stands out for its ability to efficiently archive e-mail and IM communications, increasing user productivity and making it easy for auditors to quickly find relevant messages. EmailXtender has a comprehensive feature set that will help organizations not only with compliance but also with backup and recovery, as it can retrieve lost or deleted messages through real-time message capture.

 
 
Congratulations, Jessica and Chris!

On August 12th, Jessica Miller, administrative assistant for Team OKC, married Chris Morgan. They honeymooned in Puerto Vallarta, Mexico. Best wishes to the newlyweds!

Welcome, New Team Members!

BIS is growing again. We've recently welcomed two new team members to our family.


Zach Bobornik
Software Integrator
Team OKC

Nathan Suthers
Software Integrator
Team OKC

 
 
Business Imaging Systems, Inc. was founded in 1986 as a systems integrations firm supplying specialized micrographics systems. They have grown to be a company that provides complete document management solutions, allowing their customers to work smarter, not harder. The company offers a variety of products and services, including consulting, software development, systems integration, professional services and data conversion services. Headquartered in Oklahoma City, Business Imaging Systems maintains regional sales offices in Dallas and Tulsa, Oklahoma. For more information, visit www.bisok.com.

 
 
Oklahoma City
Headquarters

13900 N. Harvey Avenue
Edmond, OK 73013
Phone: 405.507.7000
Fax: 405.848.1152
bis@bisok.com

Dallas
12920 Senlac Drive, Suite 100
Dallas, TX 75234
Phone: 972.919.4500
Fax: 972.919.4505
 
Tulsa
6520 S. Lewis, Suite 14
Tulsa, OK 74136
Phone: 918.749.8998
Fax: 918.749.8980
 

 


The BIS Bulletin is published monthly by
Business Imaging Systems, Inc.
