Getting Tangled In Health Care's Web

Hospitals say new laws to simplify electronic health transactions are a nightmare

Robert Frieden, chief information officer at Michael Reese Hospital in Chicago, looks around the Administrative Service Center and shakes his head. The hospital's data-storage system is a ticking time bomb. Anyone strolling past the center might get a look at the scads of paper folders holding patient records or peruse sensitive medical data on a dozen different computer monitors. That's particularly frightening because within just two years, Frieden will have to ensure that his organization meets tough regulations outlined by the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Frieden is not alone. Over the next several years, every health-care organization in the country that uses computers will have to comply with these rules. They were drawn up by the Health & Human Services Dept. (HHS) to help medical institutions adopt new technology while protecting patients from possible abuses. But right from the start, HIPAA has been mired in controversy. Still reeling from heavy technology spending to ward off the Y2K bug, hospitals cringe at the thought of fresh tech-related outlays. Health-care companies also worry that they will be smothered by the new rules, which dictate how digital patient records are to be standardized and kept secure from prying eyes. Consumer groups, at the opposite extreme, say the rules don't go far enough to protect patient privacy.

HIPAA was born out of a political movement to reform health insurance in the mid-1990s. It began as a small piece of legislation designed to make it easier for Americans to maintain their health insurance when they switch jobs. The aim was to restrict insurers' ability to reject job-hoppers based on preexisting conditions such as cancer or heart disease. The issue of insurance portability "was really heating up with the emergence of the New Economy," says M. Peter Adler, national HIPAA team leader for law firm Foley & Lardner.

But riding along with the new insurance-reform rules was a set of provisions cryptically labeled "administrative simplifications." At the time, hospitals and insurers used more than 400 different software formats to transmit health-care data back and forth. These covered everything from the headers on insurance forms to the codes describing diseases and medications. The government hoped to standardize and simplify electronic claims and thus speed up the entire claims-and-payment-processing system for the health-care industry. In addition, the new standards spelled out procedures to protect health information that is digitally transmitted and stored.

But HIPAA rules quickly mushroomed into an unruly garden of laws that nearly everyone finds disturbing. Doctors and hospital administrators complain that the laws are too vague and could limit the care they're able to provide to their patients. They also worry that the two-year deadline is too tight and that the penalties--including possible jail sentences for noncompliance--are too severe.

Consider, for example, the proposed standards for electronic transactions. Many common medical and administrative procedures, such as billing for a routine doctor's checkup, are adequately spelled out. But there are glaring exceptions. Because psychologists haven't been very active in the HIPAA process, for instance, codes for treating some aspects of mental health still haven't been hammered out. What's more, for HIPAA to work as planned, every hospital, pharmacy, insurance company, and health-information clearinghouse that routinely sends information to other health-care organizations must switch over to the new formats at the same time. Today, such cooperation is the exception, not the rule, says Shannah R. Koss, the top HIPAA expert at IBM.

Some of the deepest disagreements over HIPAA concern costs. The HHS claims that the health-care industry should be able to comply with the new laws at a modest cost of about $3.8 billion over the next five years. Health-care players are more pessimistic. Blue Cross & Blue Shield Assn. says the industry may have to spend $40 billion just to put privacy standards in place. Meanwhile, Medicare-reimbursement laws are squeezing dollars from many health providers' coffers. "These regulations come at a tough time," says Elliot M. Stone, CEO of Massachusetts Health Data Consortium, a nonprofit that tracks health-care trends in New England.

Easily the most contentious of the HIPAA regulations are the privacy proposals. In theory, these rules will limit third parties from viewing or transmitting anyone else's medical data. The government's stated goal is to help doctors exchange private medical records for the benefit of patients and protect those records from other people. Judging from the scores of outraged responses HHS received after releasing its proposed regulations, however, many people believe the government missed on both counts. "Patients want maximum privacy--damn the costs," says William Braithwaite, senior adviser on Health Information Policy for HHS. Organizations, on the other hand, don't want to spend money on costly privacy-related audit trails and other software-based protections. "They say: 'To hell with privacy, we won't spend any money on it,'" he says.

With a few exceptions, HIPAA proposes that access to medical records be restricted. Visibility should be limited to the "minimum necessary" data for each situation. For example, if a patient is taking the antidepressant Prozac, that fact could be withheld from doctors who are not mental-health specialists, even though the medicine can interact with certain heart and sleeping medications. Such stringent rules have doctors and health-care administrators shaking their heads in consternation. Patient care will suffer, says Alissa Fox, executive director for legislative policy at Blue Cross. "We already know that to get the best health care and avoid errors, we need complete and timely access to information," she says.

LAYERS OF RED TAPE. Another sticking point involves patient authorization for the release of data. One privacy proposal would require patients to sign off on the release of medical records for purposes other than treatment and payment. But that could add layers of red tape to research efforts and other legitimate causes that rely on patient data.

The proposed security rules are also causing nightmares. In addition to physically securing computers and printers, organizations will have to safeguard the confidentiality and integrity of digital medical records through the use of password-protected software, electronic audit trails to track who has accessed data, and encryption for the transfer of files. That may sound dandy to patients. But it creates major administrative hassles for doctors.

HHS downplays the burden its rules will place on health-care companies, claiming that the best-run medical facilities already have a lot of these measures in place. And despite the challenges, HIPAA is on track with its initial goal: making it easier for consumers to change health-care providers and health plans. But as regulators begin to enforce the new regulations, they'll have to be careful in managing the fresh burdens that are placed on an already strained health-care system.