While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.
Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.
Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.
Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information and Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA, promulgated to create incentives to facilitate the development of healthcare information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.
Under the new rule, known as the Omnibus Rule, the Department of Health and Human Services implements a number of the provisions of HITECH, including (i) expanding the definition of business associate to encompass a wider net of businesses, (ii) increasing the obligations of notification by covered entities and business associates to individuals in the event of potential breaches of the privacy of their data, and (iii) increasing business associates’ exposure to liability for non-compliance. In addition, we can expect only increased enforcement of HIPAA under the new rule since the government has tied itself to the mast by removing discretion and mandating investigations of claims of potential willful neglect, adding criminal recourse along with increased penalties for non-compliance and “willful neglect.”
To be sure, in an age where even the likes of the Pentagon, CIA and NSA have proven susceptible to breaches of electronic information, it is understandable that we be concerned with the vulnerability of our most personal of personal information. But, assuming our electronic health information is actually “securable,” is the cost of securing that information worth it?
By comparison, when you opt to do a Google search, join Facebook etc., you, perhaps subconsciously, perform a form of cost benefit analysis, and the vast majority of us determine that the risk of exposing our personal information (albeit not necessarily health information) on the world wide web is outweighed by the pleasure we derive from participating in the modern age.
By law, HHS was required to provide a regulatory impact analysis of the new rule, presenting a cost benefit analysis of the new Omnibus Rule. HHS, in publishing the new rule, acknowledges that it has essentially bypassed its obligation by stating, “[W]e are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals’ privacy and dignity….” While one can appreciate the difficulty in seeking to monetize the benefits of privacy, the inference one draws is that, from the government’s perspective, privacy is priceless and the costs of the new rule, by comparison, then become irrelevant.
HHS has estimated the cost of implementation of the new rule not to exceed $225 million in the aggregate, of which the estimated 200,000 to 400,000 new business associates (for a total now of about 2 million) will incur a cost not to exceed $113 million. Where historical costs to providers have been in the millions, simple division makes clear that, by any measure, this a very conservative estimate. In addition, HHS projects a $14.5 million per year ongoing expense to covered entities and business associates in connection with breach notifications.
So, on the one hand, HHS does not even attempt to quantify the number of privacy breaches that will be prevented by the law, as amended, let alone quantify the benefit of such preventions. On the other hand, data does show that in addition to the complaints voiced by healthcare providers on the impact on their practices, the cost of compliance is simply prohibitive for many. Moreover, for reasons of scale, the new rules have a disproportionate effect on smaller providers, such as solo practitioners, and smaller business associates, such as small billing companies or small law firms like ours.
Our six attorney firm, for example, provides legal services to several health care providers on a wide array of matters. By and large we do not receive PHI in our work. However, on occasion, a client will call with a matter that does involve PHI. In those instances we would be deemed a business associate. Therefore we must abide by much of the administrative and technological requirements of HIPAA, including creating and following policies and procedures and implementing the multitude of safeguards established by the Security Rule. This requires significant staff training, technological safeguards (including the purchase of new technology), and recording the processes by which HIPAA compliance is maintained.
The privacy laws are thus one more reason for the trend toward consolidation of the health care industry in a few big companies, displacing the smaller players and the innovations that are the hallmark of small business. While I am not oblivious to the irony of a lawyer (and a health care lawyer to boot) complaining about the busy work created by our prolific legislature and administrative agencies, in this instance the boon is for the likes of IT professionals and compliance consultants. For the rest of us, the costs are high, and the benefits remain unclear.
Josh Tenzer is an attorney at a law firm in New York City which primarily represents health care providers in transactional and regulatory matters.