Another Law Raising the Cost of Health Care

While there has been much focus lately on the ways in which ObamaCare is chilling the growth of private business, we should not overlook the continuing deleterious effects of the one surviving relic of HillaryCare, the Health Insurance Portability and Accountability Act (HIPAA). Quietly, September 23 came and went as the compliance effective date for a new rule, expanding the reach of HIPAA, and likely driving many smaller players out of the health care industry.

Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information, referred to as protected health information, or PHI. It requires health care providers, known as “covered entities,” and their vendors, contractors, and agents with access to PHI, known as “business associates,” to comply with certain privacy standards under its “Privacy Rule,” and with certain security standards under its “Security Rule,” in order to protect sensitive health information that is held or transferred in electronic form.

Over the past decade, equipped with the noble aim of protecting our privacy, HIPAA has successfully demonstrated the power of the law of unintended consequences. Improved protection of PHI has been marginal. However, HIPAA has impeded communication among physicians, reduced physician time devoted to patient care, and deterred medical research. And all at an enormous cost of compliance. While estimates vary widely, the cost of compliance for many providers has been in the millions.

Now, rather than take heed, the government has decided to double down through expansion. Under the Health Information and Technology for Economic and Clinical Health Act (HITECH), a corollary of HIPAA, promulgated to create incentives to facilitate the development of healthcare information technology, the government has sought to update the requirements of HIPAA in light of the changing dynamics of technology and health practices, increasing the safeguards and obligations of health care providers and their business associates.

Under the new rule, known as the Omnibus Rule, the Department of Health and Human Services implements a number of the provisions of HITECH, including (i) expanding the definition of business associate to encompass a wider net of businesses, (ii) increasing the obligations of notification by covered entities and business associates to individuals in the event of potential breaches of the privacy of their data, and (iii) increasing business associates’ exposure to liability for non-compliance. In addition, we can expect only increased enforcement of HIPAA under the new rule since the government has tied itself to the mast by removing discretion and mandating investigations of claims of potential willful neglect, adding criminal recourse along with increased penalties for non-compliance and “willful neglect.”

To be sure, in an age where even the likes of the Pentagon, CIA and NSA have proven susceptible to breaches of electronic information, it is understandable that we be concerned with the vulnerability of our most personal of personal information. But, assuming our electronic health information is actually “securable,” is the cost of securing that information worth it?

By comparison, when you opt to do a Google search, join Facebook etc., you, perhaps subconsciously, perform a form of cost benefit analysis, and the vast majority of us determine that the risk of exposing our personal information (albeit not necessarily health information) on the world wide web is outweighed by the pleasure we derive from participating in the modern age.

By law, HHS was required to provide a regulatory impact analysis of the new rule, presenting a cost benefit analysis of the new Omnibus Rule. HHS, in publishing the new rule, acknowledges that it has essentially bypassed its obligation by stating, “[W]e are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals’ privacy and dignity….” While one can appreciate the difficulty in seeking to monetize the benefits of privacy, the inference one draws is that, from the government’s perspective, privacy is priceless and the costs of the new rule, by comparison, then become irrelevant.

HHS has estimated the cost of implementation of the new rule not to exceed $225 million in the aggregate, of which the estimated 200,000 to 400,000 new business associates (for a total now of about 2 million) will incur a cost not to exceed $113 million. Where historical costs to providers have been in the millions, simple division makes clear that, by any measure, this is a very conservative estimate. In addition, HHS projects a $14.5 million per year ongoing expense to covered entities and business associates in connection with breach notifications.

So, on the one hand, HHS does not even attempt to quantify the number of privacy breaches that will be prevented by the law, as amended, let alone quantify the benefit of such preventions. On the other hand, data does show that in addition to the complaints voiced by healthcare providers on the impact on their practices, the cost of compliance is simply prohibitive for many. Moreover, for reasons of scale, the new rules have a disproportionate effect on smaller providers, such as solo practitioners, and smaller business associates, such as small billing companies or small law firms like ours.

Our six-attorney firm, for example, provides legal services to several health care providers on a wide array of matters. By and large we do not receive PHI in our work. However, on occasion, a client will call with a matter that does involve PHI. In those instances we would be deemed a business associate. Therefore we must abide by many of the administrative and technological requirements of HIPAA, including creating and following policies and procedures and implementing the multitude of safeguards established by the Security Rule. This requires significant staff training, technological safeguards (including the purchase of new technology), and recording the processes by which HIPAA compliance is maintained.

The privacy laws are thus one more reason for the trend toward consolidation of the health care industry in a few big companies, displacing the smaller players and the innovations that are the hallmark of small business. While I am not oblivious to the irony of a lawyer (and a health care lawyer to boot) complaining about the busy work created by our prolific legislature and administrative agencies, in this instance the boon is for the likes of IT professionals and compliance consultants. For the rest of us, the costs are high, and the benefits remain unclear.

Josh Tenzer is an attorney at a law firm in New York City which primarily represents health care providers in transactional and regulatory matters.

11 replies »

  1. Privacy & Security have caused more headlines, but they are simply not the most impactful sections.

    Just within the administrative simplification section, transaction standards that are ill-followed, e.g., the 834s used in Healthcare.gov, have a significant impact on health care revenue cycle. And the code set changes, e.g., ICD10, are non-trivial.

    Then there’s the whole continuity of insurance thing, with associated regulations, that set the stage for the ACA.

    Going back to Administrative Simplification, the failure of Congress to fund a single patient identifier has caused & cost a ton of problems with patient identification and the consequent work-arounds. The cost of patient mis-identification, leading to medication errors and other oopsies is significant.

    While I support HIPAA, and have since it was passed, the regulatory and advocacy chaos resulting from it is stupefying.

  2. HIT Geek, what other parts of HIPAA do you think are worth focusing on, or were left out of the article? Do you support the law?

  3. The problem for ACA proponents is that thus far the federal and state systems developed or being developed for ACA have not been able to assure security and privacy – much to the delight of critics. But it seems to those of us who have to comply with HIPAA/HITECH that we are being held to a much higher standard than the federal government and state governments are. Just one more area where ACA proponents have alienated potential allies and given more ammunition to critics.

  4. “Spearheaded by then First Lady Clinton, HIPAA was established in 1996 to improve privacy of personal health information”

    HIPAA 1996 was an INSURANCE REFORM bill and law, not a “privacy” law. The “Kennedy-Kassebaum” bill. You could call it “ObamaCare Precursor, v1.0”

    According to respected medical economist (and former Hill policy operative) J.D. Kleinke, “PHI privacy” was an 11th hour tossed-in faceless bargaining chip. Only 13 of the 167 pages of the law refer to it. I have my yellow-highlighted, sticky-noted, red-penned copy.

    (See Subtitle F “Administrative Simplification”).

    Washington Post, James K. Glassman, Tuesday, April 23, 1996

    “…New, stricter laws will be needed to correct the deficiencies, and probably more after that. Inevitably, Americans will arrive at the destination they rejected when Bill and Hillary Clinton proposed it: government-controlled health care.

    “…At its heart, the bill does two things that seem worth doing. First, it makes insurance policies more “portable” by requiring insurers to issue you a policy if you lose or leave your job. Second, it prevents insurers from denying you a policy if you have a pre-existing medical condition…”

    “Both of these measures seem humane and sensible. Unfortunately, they are also expensive. For example, if an insurer does not have the right to reject — or delay for a long time — coverage of someone who has a disease that’s costly to treat, then the insurer will have to raise premiums.

    The bill sponsored by Sen. Ted Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kan.) does not cap premiums — which is why so many Republicans support it. But caps will come because the outcry over higher rates will be deafening, and politicians will be forced to respond. That’s what makes this bill so insidious and its “modesty” so illusory.

    Just take a look at what’s happened in the state of Washington. The state’s program, says an article on the front page of the Wall Street Journal, “contains many provisions — broader public access to insurance rolls, portability and short waiting period for people with pre-existing health problems — that mark the health-care bills that congressional reformers are pushing.”

    The article continues: “But three years into Washington state’s program, rates for its 400,000 individual policyholders are soaring, in some cases to triple their former level. . . . More than 30 insurers have notified the state they no longer want to do business here.”

    The Washington state program is broader than Kennedy-Kassebaum, but the effects are likely to be similar. What Congress wants to do is to force insurers to insure sick people. When that happens, everyone else will have to pay more in premiums. And when that happens, the healthiest people (mainly the young) will decide they don’t need insurance at these prices, so they’ll drop out of the system. And when that happens, premiums will increase even more sharply for those who are left, because the healthy people who subsidized the sick people will be gone…”

    Sound familiar? Groundhog Day, anyone?


    Search the article for the word “privacy.” You won’t find it.

  5. Taleb had something to say on large integrated systems in his latest tome, Antifragile. The larger the unit is the more its maintenance costs, and because disasters are disproportionately larger, the more its secondary costs.

    Centralization of records is healthcare’s Fukushima. Privacy leaks will be very very costly to fix. HIPAA is not the elephant in the room. The scale of integration is.

  6. Just my opinion. The confusion in compliance and costs of this law both monetarily and in terms of actual patient care have far outweighed any potential good it has done. Politicians keep having a way of making laws without looking ahead to the unintended bad consequences. Just like the ACA, now it is the law and we have to deal with it.

  7. For those of you who remember “Get Smart”, HIPAA is a lot like “The Cone of Silence”.

  8. BTW health data privacy is very important given that it will contain your SS#, address, date of birth.

    If not secured properly many will fall victim to identity theft. I think the problem here is not technical but rather one of bad/unclear legislation.

    The difference between Facebook and HC is that you can choose what to share on FB or just not use it at all. With your HC records one has no choice.

  9. Josh – good read. Would love to know if anyone has a fix for this.

    I think HIPAA and the new Omnibus rule are a rounding error in comparison to the time/money that will be required to comply with the rest of ACA. I know a lot of doctors and one complaint that they have is they have no idea how to comply with it.

    I would think there should be a SMB market for software that handles all of this securely that doctors and law firms could buy at a reasonable cost. Of course this will take time to develop, but I would guess similar software exists now – but perhaps I’m wrong.

    You’d probably also need by law a standard format by which all data is transmitted/claims submitted. All doctors, hospitals, insurance cos, states would have to do it the same way.

    The tech business would not work without standards. USB, for example, is a well-defined standard; this way anything that plugs into a USB port works, as it’s one standard.

    When doctors submit claims it’s different for every carrier, which is akin to 30 different manufacturers of widgets plugging into USB all having different standards = nightmare. It’s doable, but very expensive.

    Perhaps medical can take a lesson from tech.