News

Highmark Blue Cross Blue Shield has spent $50 million on it already. One health systems group shelled out $20,000 just to print new forms. A doctor's office replaced translucent chart holders on the outside of exam room doors with solid ones.

"HIPAA the Hippo" -- as one industry wag called it -- has left a giant federally approved footprint on the health care industry. In its wake will be a streamlined processing system with increased security for electronically captured data, and stringent new rights of privacy for patients.

However, for a piece of legislation that virtually envisions a paperless future, it's ironic that the general public's first encounter with HIPAA involves a dizzying array of papers to be signed.

Any medical provider -- from a doctor to an outpatient testing site to hospitals and pharmacies -- which generates personal data about an individual is now required to inform patients of that provider's privacy policy.

Patients must sign it to acknowledge receipt.

Whether the costs to implement HIPAA are insignificant or substantial, and if or how they are passed along to consumers, a spokesman for the U.S. Department of Health and Human Services says it will be worthwhile in terms of patient service.

"We believe the benefit to the patient in terms of privacy rights is so extraordinary that it can't be measured in monetary terms," says Bill Pierce from his HHS office in Washington, D.C.

The privacy component of HIPAA -- The Health Insurance Portability and Accountability Act of 1996 -- began in mid-April.

The policies "are generally common sense and have already been in place virtually everywhere," says Pierce. "But this provides a federal floor to support protection wherever you are in the country, and there are some very key rights given patients.

"Patients may have experienced difficulty in the past obtaining their medical records and this makes it clear patients have an absolute right to their records for whatever reason," Pierce explains. "The policy also requires those records be in the patient's hands within 30 days."

HIPAA allows for a reasonable charge for making copies. For example, the Neurological Institute of Western Pennsylvania, near Mountain View, east of Greensburg, charges a $15 fee plus 10 cents per page to copy medical records. And, of course, there will be a form to sign before the record is released.

That's why the greatest burden wrought by HIPAA at NIWP has been upon the medical records division where Karen Bish has been processing as many as 10 patient requests weekly for copies of personal medical records.

She also processes requests from lawyers and there is a separate form they and the patient must sign regarding use of the data.

"Sometimes, the lawyers don't like what the form says and they'll return it with little editing marks," Bish says. "But they've got to follow our procedure just like everyone else."

However, there is no standard federal form for the general Notice of Privacy Practice. "We allowed individuals to devise their own while meeting privacy standards," Pierce explains. "Some data without identifiers might be shared with researchers, for example."

One key provision requires patients to name the people authorized to inquire about the patient's care. Anyone other than those listed will be denied information regardless of the relationship to the patient.

"It doesn't matter if you're the wife, or the child of, without that name authorization, we cannot discuss medical matters with you," emphasizes Cathy Tofani, who manages the NIWP offices. "If you call us and say, 'listen, my wife's coming later but she isn't going to tell you about something,' if you aren't named on the list, we cannot listen to it.

"If the doctor returns a call, he will know whose name is on the authorization form and if someone other than those people answer, he can't talk about it."

"HIPAA's meant a lot of work for us and, in particular, our medical records department," says Richard Plundo, financial officer for the NIWP headed by Dr. Louis Catalano. "But clearly this is of the greatest benefit for patients."

Whether consumers actually take the time to read the privacy notice -- the form at Catalano's office is two pages front and back -- before signing is unknown. However, it is on this form where a patient must name others authorized to discuss his or her care.

A hospital patient can also choose the level of privacy. Separate questions give the patient the right not to be listed on the public directory or receive a visit from clergy.

"If you want your clergy to visit you, then you've got to be specific about your church, your name and your room number," says Rich Lobb, corporate privacy officer for Conemaugh Health System, headquartered in Johnstown, and a HIPAA expert for the Hospital Council of Western Pennsylvania.

"We have been working very hard to train our people to help incoming patients understand the privacy rights," Lobb says. "We've produced different scripts, training videos, all to help hospital employees help explain the new privacy restrictions to the public."

Costs of implementation vary widely, depending upon the size of the provider organization and such attendant issues as the quality of their computer software.

"Some places might have to spend hundreds of thousands of dollars while others may be in good shape already, but it will affect everyone to some degree," Lobb says. "Just in paperwork alone, for example, we spent $20,000 to get 300,000 privacy notice forms printed. Recouping these and other costs of this federal -- and unfunded -- mandate poses a challenge.

"We could send Medicare a bill for a million dollars and they'd still just pay us what they want to pay us regardless of whether we raise the daily cost of a bed."

The Office of Civil Rights within the HHS is charged with enforcement, but a roving band of official investigators isn't on the books at the moment.

"Anyone can make a complaint, even if it's a privacy matter that doesn't concern them directly," Pierce says. "Every entity has to name a privacy officer and we can mediate through them."

For those who fail to comply to HIPAA, there's a $100 fine per violation up to $25,000 per person, per year.

On the criminal side, knowingly violating patient privacy brings a penalty of from $50,000 and one year in prison to a maximum of $250,000 and 10 years in prison."

Pierce says "there was considerable talk about the costs of HIPAA but we believe the industry may in the long run save billions of dollars because of the increased efficiencies of administrative recordkeeping."

Highmark budgeted $75 million for HIPAA, but so far has only spent $50 million, spokeswoman Hollie Plevyak said.

"Obviously, those costs get rolled into the cost of doing business," says Jim Spare, who works out of Highmark's Camp Hill office and oversees the corporation's "HIPAA Knowledge Center."

Highmark has made both hardware and software upgrades in anticipation of the next HIPAA deadline in October governing electronic transactions and security. Spare and his staff have invested considerable time in training.

"We've been doing training all across the state and meeting with physician and hospital providers and our business associates and trading partners to talk about privacy and data collection, storage and protection," Spare said. "From a technology perspective, we see HIPAA as a good thing for the industry in terms of electronic data and maintenance."

Carol Palm Brault, Highmark manager of HIPAA communication and education, says 80 percent of the existing computer system required modifications and more than 43 million lines of code had to be modified.

"There are more than 400 variations of claim forms out there and the maintenance of those files requires a lot of time," she said. "HIPAA will establish a single format with the same set of codes across the board and really streamline the process for providers. We'll all actually be speaking the same language."

Plevyak said Highmark processed 77 million claims in 2002.

Pat Epple, executive director of the Pennsylvania Pharmacists Association, says she hasn't heard much feedback since HIPAA became effective.

"Our association endorsed a handful of the kits that we're being sold to help pharmacists become HIPAA compliant," she says, "but confidentiality has always been important in pharmacies, so a lot of safeguards have been in place. In terms of costs, I think it may be better measured in terms of time away from filling prescriptions and processing initial paperwork.

"Some pharmacists who are used to talking over the counter about someone's medication might need to create a space where a private discussion can be held, where there aren't other customers around."

Plundo says patients have been signing so many papers in the past three months that the initial complaints and misunderstandings have subsided.

"I think it was part of the HIPAA strategy, to come across so serious with providers it was almost like a scare tactic, almost like creating a panic, and, in the end, I think we all felt that it wasn't as bad as we thought it would be."

• Most Read
• Most E-mailed
• Latest News