Study Says Privacy Rule Costs Underestimated and Questions to Ask Your Vendor About HIPAA

Published: 2009-09-20 17:02:28
Author: Robert N. Mitchell | ADVANCE | August 30, 2009

The final privacy rules for hospitals and health systems could cost $22.5 billion over five years -- far exceeding original government projections, according to research prepared by First Consulting Group (FCG) for the American Hospital Association (AHA).

And these projections have the AHA concerned. "As guardians of patients' personal medical information, the nation's hospitals take privacy and security issues very seriously, and we support efforts to protect patients' records," AHA President Richard Davidson said. "But this sweeping proposal has gone far beyond what Congress intended and has the potential to interfere with the treatment we provide patients."

In 1996, Congress passed HIPAA, which calls on hospitals, health plans and clearinghouses to meet new requirements for performing electronic health care transactions, protecting the confidentiality of "individually identifiable" health information and implementing security standards that ensure medical records privacy. Rules on privacy were finalized at the end of 2000.

The Department of Health and Human Services (HHS) estimated that $3.8 billion would be spent by the entire health care industry to comply with HIPAA's privacy rules alone, but that estimate did not include several key provisions, the AHA said. The association asked FCG to provide cost estimates for three of those provisions. Among them, AHA asked for estimated costs of the minimum necessary use of information, whereby hospitals must make every reasonable effort not to use or disclose (internally or externally) more patient information than is necessary to accomplish an intended purpose. Hospitals will have to conduct audits of all patient data created and maintained, change internal computer systems to limit access to information, train staff in appropriate uses of patient information and use costly audits to check compliance, the AHA said.

The minimum five-year cost to hospitals is estimated to be $1.3 billion. FCG estimates that if hospitals have to invest in new information systems or substantially upgrade existing systems, these costs could rise to $19.8 billion.

Understanding minimum necessary use
Under the minimum necessary use provisions, only the person who needs access to this information to do his or her job should have access. "That means that a nurse working on a floor only needs to know about those patients he or she is seeing," Erica Drazen, vice president of FCG's emerging practices group, told ADVANCE. "For physicians, they only need to see their patients, or if they're on call they only need to see those patients. Another example is that if a lab technician is trying to interpret a test, the technician may only have a piece of the information and will need access to the patient's medical record to see which medications the patient is on and the results of previous lab tests."

Payers continually want detailed information about a claim and then ask for attachments to the claim -- which essentially amount to the patient's entire medical record. "People questioned why the payer would need to know all this information to pay a claim," Drazen said. "With computers, in theory, it would be easy to capture the necessary information, but many systems were not set up for these purposes. And, ironically, certain billing systems were not set up for this either, so essentially any billing clerk can see a patient's procedures, and bills include a lot of necessary clinical information. The costs are going to be high because these systems will need to be re-engineered."

Many information systems were not developed to track the kind of information required under HIPAA. For example, a woman who has an initial obstetrics visit may be in the hospital's scheduling system. "That, too, is protected patient information," Drazen said. "People don't really think about patient privacy when it comes to scheduling a doctor's visit. Hospital employees know they aren't supposed to talk about patient information, and up to this point that's what's kept patient information confidential. Now these employees will be required to protect patient information in a very new and different way, and that's the essence of the problems they're facing."
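The access model Drazen describes (nurses see their floor, physicians see their own or on-call patients, lab technicians see only medications and prior results, billing clerks see no clinical detail) is a field-level least-privilege policy. The following is an added illustration, not code from the article, FCG or any hospital system; the roles, record fields and patient data are constructed for the example, and the audit trail is the kind of record a compliance audit would check.

```python
"""Minimum-necessary access check modelled on the article's examples.
Constructed example: roles, fields and PHI values are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Patient:
    mrn: str            # medical record number (constructed)
    floor: str          # inpatient unit the patient is on
    attending: str      # uid of the treating physician
    record: Dict[str, str]  # field name -> value

@dataclass
class User:
    uid: str
    role: str                   # nurse | physician | lab_tech | billing
    floor: Optional[str] = None
    on_call: bool = False

# Fields each role may see. Lab techs get only what they need to interpret
# a test; billing never sees clinical notes or results.
ROLE_FIELDS = {
    "nurse":     {"name", "medications", "allergies", "lab_results"},
    "physician": {"name", "medications", "allergies", "lab_results", "notes"},
    "lab_tech":  {"medications", "lab_results"},
    "billing":   {"name", "procedure_codes"},
}

# Every decision is logged so an auditor can review who saw what.
AUDIT: List[Tuple[str, str, bool, Tuple[str, ...]]] = []

def in_scope(user: User, patient: Patient) -> bool:
    """Relationship test: does this user's job involve this patient?"""
    if user.role == "nurse":
        return user.floor == patient.floor
    if user.role == "physician":
        return user.on_call or user.uid == patient.attending
    return user.role in ("lab_tech", "billing")  # role-wide but field-limited

def minimum_necessary_view(user: User, patient: Patient) -> Dict[str, str]:
    """Return only the fields the user needs; nothing if out of scope."""
    granted = in_scope(user, patient)
    allowed = ROLE_FIELDS.get(user.role, set()) if granted else set()
    view = {k: v for k, v in patient.record.items() if k in allowed}
    AUDIT.append((user.uid, patient.mrn, granted, tuple(sorted(view))))
    return view
```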

Cost projections
Keith MacDonald, senior manager of FCG's emerging practices group, told ADVANCE that the maximum estimates are that HIPAA could cost hospitals $22.5 billion. "We had a broad range of estimates and the reason for that is due to two factors and a number of variables: First, we looked at how these facilities were going to approach becoming HIPAA-compliant, because there isn't a cookbook for doing this. Second, we looked at their requirements and readiness on the IT side. This is what really drove the significant cost variations," he said. "We also looked at what their vendors are willing to tackle on the IT side."
