HIPAA Privacy Rules Create Uncertainty, Compliance Woes

When it comes to information-sharing, just when does ‘no’ mean ‘no’? What about conflicting statutes? We have two years to sort it out.

The privacy requirements mandated by the Health Insurance Portability and Accountability Act of 1996 are finally out. For health plans and providers, the hard work is just beginning: figuring out how to comply with the massive regulations and how they will affect day-to-day operations. There’s no consensus yet among physicians and managed care organizations on how the new requirements will affect continuity of care, disease management programs, or data management. In fact, there seems to be agreement on only one point: The cost and effort in complying with the HIPAA regulations may equal — or even surpass — what the managed care industry needed to do to become Y2K compliant.

“That’s the sound-bite description,” says one insurance trade association official, who adds, “I hope it turns out as well.”

Under the final rules, published late last year, patients must give health care providers explicit approval for any use of their medical information to carry out treatment, payment, and “health care operations.” Moreover, after authorizing the use of information for such purposes, patients may revoke their consent.

Most health care industry groups support the confidentiality of personal health information — in principle. They’re just uneasy about how the regulations can be implemented effectively — in a way that makes all stakeholders, and the law, happy.

The American Association of Health Plans, for example, issued a statement of support for “standards that encourage patients to communicate openly and honestly with their physicians, while ensuring that health information vital to helping patients get the care they need at the right time continues to flow freely among key health care players.” AAHP isn’t sure that the HIPAA regulations will help to accomplish that.

“Patient privacy and quality health care go hand in hand. One should not be pursued at the expense of the other,” says Mohit Ghose, the association’s media relations manager. AAHP officials were hopeful that the final rule would apply the guiding principle outlined in the proposed rule: to make private information easy to use for health purposes, and hard to obtain for other purposes.

But the rule “strayed far from that original principle, in ways that will reduce, not improve, consumers’ access to quality health care,” says Ghose, who adds that the regulations will have unintended consequences by creating barriers to information sharing, threatening the effectiveness of programs that promote better care for the chronically ill.

DM not too concerned

That sounds like trouble for disease management programs, which rely heavily on shared information as the basis for projections of enrollee health improvement. Still, the effect on DM initiatives — which often are encouraged by government and expected by purchasers — is as yet unclear.

Al Lewis, head of the Disease Management Purchasing Consortium, says managed care operations “would be well advised to put the provisions into place well before the revisions take effect” and work out any problems before the compliance deadline.

“Get as many people in the programs, and put the programs in place as soon as possible,” Lewis advises. That way, if there are problems with limitations of information under the HIPAA regulations, they will affect only new enrollees, he explains.

The American Medical Association is evaluating the regulations and isn’t ready to tell physicians — or anyone else — what needs to be done.

“The rules are quite substantial, and our legal and privacy experts are going through it,” says Robert J. Mills, an AMA public information officer. “We do share the concerns by many physicians that the HIPAA regulations are going to affect their privacy substantially.”

There’s not much doubt on that score, and the AMA is on record expressing misgivings about the privacy provisions. The AMA’s House of Delegates discussed the HIPAA regulations in December, but the policy-making body took no action — most delegates said they wanted more information on the rules. Delegates also debated, but did not adopt, a resolution offered by the South Carolina delegation to mount a legal challenge to HIPAA.

Nonetheless, William Mahon, CEO of the South Carolina Medical Association, reports that his organization will file a lawsuit to have the regulations declared unconstitutional. Noting that the regulations were drafted only because Congress failed to act, Mahon says “Congress has allowed the executive branch to write a law that goes far beyond what is proper. It allows for jail terms or fines without any kind of legal authority.”

Legal challenges to the new regulations seem inevitable. “This is an avalanche of regulations. Everybody is still digging out from under them and saying, ‘What happened?’” one health law expert says. “I can see what looks like some conflicts, some contradictions, some uncertainties — and whenever you have those, they have a way of being interpreted in court.”

So, just what are clients telling their legal eagles — and vice versa — about the new rules?

Kathy Sanzo, a health care lawyer with Morgan, Lewis, & Bockius in Washington, says “people are having a negative reaction” to the regulations. “It is going to be months before we understand it fully,” she says. Sanzo points out a distinction in the final rule: Patients can give two varieties of permission for release of information — one for treatment and claims processing, and another for commercial or marketing uses.

The statute creates a right for patients to safeguard their health information, but recognizes that physicians and managed care entities must have some information that’s necessary for billing, disease management, and treatment decisions. “I think patients now understand that they have rights, but they don’t understand what those rights are yet,” she says.

For health plans and providers, that means they’ll have to educate consumers about the medical need for information. Over time, Sanzo predicts, patients “will become calmer” as they come to better understand the need for providing the information and how it will be used.

However, Sanzo says, the regulations will have to be interpreted to resolve some inconsistencies, such as the circumstances under which a managed care organization may deny coverage if a patient isn’t willing to provide information.

Most managed care organizations are putting together teams — which include lawyers, administrators, and technical personnel — to take the required steps.

“The various affected segments of the health care industry are moving at various speeds, depending on how they’re affected,” says Douglas Hastings, president-elect of the American Health Lawyers Association and a partner in the Washington law firm of Epstein, Becker & Green. “I think it’s fair to say that large health plans are moving forward at a faster pace than small physician practices, but all of them are reacting.”

That speed may be needed to ensure that multistate operations can comply with the federal requirements and with the requirements in the various states in which they operate, Hastings says. “The regulations say that they are a floor and not a ceiling,” he notes. “If a state has laws on the books that provide greater protection [than does HIPAA], the greater protections will apply. So there may be some complex adjudications that will have to be made as to whether the state law or the federal law provides greater protection. That will be a challenge for multistate companies.”

Joe Holahan, director and counsel for policy development at the Health Insurance Association of America, says health insurance operators already have implemented substantial privacy policies. However, the lack of uniformity among state-level requirements, and between states and the federal government, poses enormous problems.

“These regulations don’t preempt state requirements, so it may be difficult to determine compliance,” he says.

Holahan acknowledges that the HIPAA privacy rules are part of a larger set of rules dealing with administrative simplification, an appealing concept to both doctors and health care plans. He adds that the rules may err on the side of being “overly prescriptive,” and probably will mean that health care plans and physicians must make major changes to ensure compliance.

Better IT systems, at least

Hospitals are in the same boat as physicians and managed care organizations. “The HIPAA rules are sweeping. We’re still trying to see what they do,” says Melinda Hatton, chief legal counsel at the American Hospital Association. “It’s hard to do a cogent analysis where there’s not enough information to know what’s right and what’s wrong. We’re trying to sort out what’s really going on.”

It appears that the regulations don’t represent a fundamental change in the way hospitals view patient information, but do significantly affect how they treat that information.

Hastings says the HIPAA regulations are “a watershed event,” but not an unanticipated one. “The people affected knew they were coming. They’ve been out in proposed form for a year, and there have been 55,000 comments on them. This is a major new regulatory scheme. On the other hand, it isn’t created from whole cloth. There are state laws requiring both privacy and security that have been in effect, and case law that has established various precedents,” Hastings says.

That means most health care plans, hospitals, physicians, disease management specialists, and anyone else affected by the new regulations will need to be doing “gap analysis,” Hastings says, to determine what they’re currently doing, and what will be required to be done once the regulations go into effect.

Inevitably, Hastings concludes, there will be “spinoff issues, some foreseeable, and some unforeseeable, from day to day.” For the moment, the best advice on dealing with the HIPAA regulations may be that offered by Sanzo: “Approach it in small sections.”