OP-ED

Another Law Raising the Cost of Health Care

While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.

Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.

Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.

Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA promulgated to create incentives for the development of health care information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.

Under the new rule, known as the Omnibus Rule, the Department of Health and Human Services implements a number of the provisions of HITECH, including (i) expanding the definition of business associate to encompass a wider net of businesses, (ii) increasing the obligations of notification by covered entities and business associates to individuals in the event of potential breaches of the privacy of their data, and (iii) increasing business associates’ exposure to liability for non-compliance. In addition, we can expect only increased enforcement of HIPAA under the new rule since the government has tied itself to the mast by removing discretion and mandating investigations of claims of potential willful neglect, adding criminal recourse along with increased penalties for non-compliance and “willful neglect.”

To be sure, in an age where even the likes of the Pentagon, CIA and NSA have proven susceptible to breaches of electronic information, it is understandable that we be concerned with the vulnerability of our most personal of personal information. But, assuming our electronic health information is actually “securable,” is the cost of securing that information worth it?

By comparison, when you opt to do a Google search, join Facebook, etc., you, perhaps subconsciously, perform a form of cost-benefit analysis, and the vast majority of us determine that the risk of exposing our personal information (albeit not necessarily health information) on the world wide web is outweighed by the pleasure we derive from participating in the modern age.

By law, HHS was required to provide a regulatory impact analysis of the new rule, presenting a cost-benefit analysis of the new Omnibus Rule. HHS, in publishing the new rule, acknowledges that it has essentially bypassed its obligation by stating, “[W]e are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals’ privacy and dignity….” While one can appreciate the difficulty in seeking to monetize the benefits of privacy, the inference one draws is that, from the government’s perspective, privacy is priceless and the costs of the new rule, by comparison, then become irrelevant.

HHS has estimated the cost of implementation of the new rule not to exceed $225 million in the aggregate, of which the estimated 200,000 to 400,000 new business associates (for a total now of about 2 million) will incur a cost not to exceed $113 million. Where historical costs to providers have been in the millions, simple division makes clear that, by any measure, this is a very conservative estimate. In addition, HHS projects a $14.5 million per year ongoing expense to covered entities and business associates in connection with breach notifications.

So, on the one hand, HHS does not even attempt to quantify the number of privacy breaches that will be prevented by the law, as amended, let alone quantify the benefit of such preventions. On the other hand, data does show that in addition to the complaints voiced by healthcare providers on the impact on their practices, the cost of compliance is simply prohibitive for many. Moreover, for reasons of scale, the new rules have a disproportionate effect on smaller providers, such as solo practitioners, and smaller business associates, such as small billing companies or small law firms like ours.

Our six-attorney firm, for example, provides legal services to several health care providers on a wide array of matters. By and large we do not receive PHI in our work. However, on occasion, a client will call with a matter that does involve PHI. In those instances we would be deemed a business associate. Therefore we must abide by many of the administrative and technological requirements of HIPAA, including creating and following policies and procedures and implementing the multitude of safeguards established by the Security Rule. This requires significant staff training, technological safeguards (including the purchase of new technology), and recording the processes by which HIPAA compliance is maintained.

The privacy laws are thus one more reason for the trend toward consolidation of the health care industry in a few big companies, displacing the smaller players and the innovations that are the hallmark of small business. While I am not oblivious to the irony of a lawyer (and a health care lawyer to boot) complaining about the busy work created by our prolific legislature and administrative agencies, in this instance the boon is for the likes of IT professionals and compliance consultants. For the rest of us, the costs are high, and the benefits remain unclear.

Josh Tenzer is an attorney at a law firm in New York City which primarily represents health care providers in transactional and regulatory matters.

Comments
Deborah Alessi (Guest)

Thanks for sharing this great stuff. Keep sharing more useful and conspicuous stuff like this. Thank you so much.

Patrick Pine (Guest)

The problem for ACA proponents is that thus far the federal and state systems developed or being developed for ACA have not been able to assure security and privacy – much to the delight of critics. But it seems to those of us who have to comply with HIPAA/HITECH that we are being held to a much higher standard than the federal government and state governments are. Just one more area where ACA proponents have alienated potential allies and given more ammunition to critics.

Bobby Gladd (Guest)

“Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information”

HIPAA 1996 was an INSURANCE REFORM bill and law, not a “privacy” law. The “Kennedy-Kassebaum” bill. You could call it “ObamaCare Precursor, v1.0.” According to respected medical economist (and former Hill policy operative) J.D. Kleinke, “PHI privacy” was an 11th-hour tossed-in faceless bargaining chip. Only 13 of the 167 pages of the law refer to it. I have my yellow-highlighted, sticky-noted, red-penned copy. (See Subtitle F “Administrative Simplification”).

Washington Post, James K. Glassman, Tuesday, April 23, 1996 “…New, stricter… Read more »

Saurabh Jha (Guest)

Taleb had something to say on large integrated systems in his latest tome, Antifragile. The larger the unit is the more its maintenance costs, and because disasters are disproportionately larger, the more its secondary costs.

Centralization of records is healthcare’s Fukushima. Privacy leaks will be very very costly to fix. HIPAA is not the elephant in the room. The scale of integration is.

HIT Geek (Guest)

All this focus on just one part of HIPAA! How myopic!

BudgetDoc (Guest)

HIT Geek, what other parts of HIPAA do you think are worth focusing on, or were left out of the article? Do you support the law?

HIT Geek (Guest)

Privacy & Security have caused more headlines, but they are simply not the most impactful sections. Just within the administrative simplification section, transaction standards that are ill-followed, e.g., the 834s used in Healthcare.gov, have a significant impact on the health care revenue cycle. And the code set changes, e.g., ICD10, are non-trivial. Then there’s the whole continuity of insurance thing, with associated regulations, that set the stage for the ACA. Going back to Administrative Simplification, the failure of Congress to fund a single patient identifier has caused & cost a ton of problems with patient identification and the consequent work-arounds. The… Read more »

Perry (Guest)

Just my opinion. The confusion in compliance and the costs of this law, both monetarily and in terms of actual patient care, have far outweighed any potential good it has done. Politicians keep having a way of making laws without looking ahead to the unintended bad consequences. Just like the ACA, now it is the law and we have to deal with it.

LegacyFlyer (Guest)

For those of you who remember “Get Smart”, HIPAA is a lot like “The Cone of Silence”.

BC (Guest)

BTW, health data privacy is very important given that it will contain your SS#, address, and date of birth.

If not secured properly many will fall victim to identity theft. I think the problem here is not technical rather one of bad/unclear legislation.

The difference between Facebook and HC is that you can choose what to share on FB or just not use it at all. With your HC records one has no choice.

BC (Guest)

Josh – good read. Would love to know if anyone has a fix for this. I think HIPAA and the new Omnibus rule are a rounding error in comparison to the time/money that will be required to comply with the rest of ACA. I know a lot of doctors and one complaint that they have is they have no idea how to comply with it. I would think there should be a SMB market for software that handles all of this securely that doctors and law firms could buy at a reasonable cost. Of course this will take time to… Read more »