NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

September 10-11, 2002

Boston Park Plaza Hotel
64 Arlington Street
Boston, Massachusetts 02116-3912

Testimony -- Barbara C. Ruffino, Consultant
Sr. Vice President, iCSi, Providence, RI

HIPAA Privacy Rules and Practice Management: Impact, Myths and Resources

I want to thank the National Committee on Vital and Health Statistics, the Subcommittee on Privacy and Confidentiality and the Office of Civil Rights for the opportunity to address the issues facing providers with the implementation of the privacy rules.

I have three areas I want to address in the brief time I have:

FIRST - the Impact of the privacy rules on providers based on my experience

SECOND - the HIPAA Myths I have encountered over the past few years

THIRD - HIPAA Resources - the resources that are available and those that should be but are not available for meeting HIPAA compliance.

IMPACT

There are thousands of physicians and other practitioners across the country dealing with the impact of the new privacy rules. Yesterday you heard directly from the physicians as well as some of the other healthcare providers. I am here today as a consultant to the healthcare industry but I can speak only for the 200 or so practices that I have come in contact with in one way or another over the last three years of my work with HIPAA. My work has included contact with dentists, chiropractors, physical therapists, massage therapists and other specialized health care providers.

As I have consulted and presented on privacy over the past three years I continually encounter practices that when educated about the background and requirements of the privacy rules comment that -- for the most part - the changes reflect what they have always thought was a better business practice. Let me add that for the most part I think physician offices have been a bastion of privacy for their patients. Just ask the lawyers who have to request records from them. That having been said there have been lapses in every office -- lapses that with the changes required by HIPAA might not have happened. Lapses and problems will continue to occur but HIPAA is about setting standards, not expecting perfection.

As I see it there are three major problems impacting practices, especially physician practices with the implementation of these standards:

(1) The standards are still not fully understood by physicians or other providers. Doctors are trained to treat patients. However today they also are required to be managers of a major business enterprise. My guess is that the 80-20 rule, or even a 90-10 rule applies here. Doctors spend 90% of their time on patients and 10% or less on the practice. The result is that a change has to be significant and longstanding before physicians have the time and energy to get around to understanding it and adopting it for their practice.

(2) Physicians are not what the change management field calls “early adopters.” Even with changes in clinical guidelines it is sometimes a long road to get physicians to change the way they practice medicine. And since they are spending probably less than 10% of their time on business and management issues -- the time frame for adoption of management practices is even greater. For example we have long known that electronic transactions and record keeping are quicker, cheaper and yield higher revenue and lower expenses for physicians -- so why isn’t every office fully electronic already? Probably for a number of reasons including: they are not always convinced that the research is valid, they think their practice doesn’t fit the mold of those used as the example, or because given the choice between spending healthcare dollars for a clinical improvement or a business improvement, physicians will most often opt for the clinical improvement first.

(3) With the squeeze on reimbursement rates for the average healthcare practitioner, especially doctors, and with office costs such as malpractice insurance escalating -- the dollars available for practice management are severely limited. In hindsight, some federal dollars should have been allocated to help practices with HIPAA implementation. In the surveys by the Health Information Management Systems Society (HIMSS) and Phoenix Health Systems payers consistently ranked higher in the percent who have completed or progressed in their implementation of HIPAA. I think the reasons for that are simple… the payers can more easily find the money to make the changes…they have more avenues for financing the cost of changes and they get the first dollar from the premiums…so they can spend what they need to implement HIPAA and make up the difference by cutting costs down the line, e.g. at the provider practice level. I recognize this may be an over-simplification -- but sometimes perception is reality.

Let me move to the Myths about HIPAA.

Myths about HIPAA

I think the most unfortunate part of the HIPAA efforts to date is that too often HIPAA has been reduced by many in our field to a description as just “another un-funded federal mandate.” I am going to revert for a minute here to my experience as a consumer advocate, as the former Director of Elderly Affairs for the State of Rhode Island. In that role I often advocated for state and federal rules to improve the administration of healthcare for the department’s constituents and I continue to do so whenever I can.

In point of fact, HIPAA is first and foremost consumer legislation. When HIPAA was passed in 1996 it was the first significant healthcare legislation since Medicare in 1965 that directly impacted consumers. However, the administrative simplification part of HIPAA was strongly promoted by the healthcare industry itself -- not just the federal government. It was pushed by the industry both to promote the use of electronic transactions and to improve the efficiency of the administrative processes for those in the insurance food chain -- from payer to hospital to physician. Very little of administrative simplification involves direct consumer benefits -- all of the benefits of national standards for transactions and code sets accrue to the industry itself in the form of fewer forms and formats and quicker access to information and payment. So I think it is inaccurate and inappropriate to describe administrative simplification simply as “another federally mandated program.”

The privacy rules however are mandated but it would be more accurate to say that they are consumer mandated, using the federal government to represent the consumers. Privacy regulations were added as protection for consumers for a reason. It is one thing to walk into an office and walk out with 5-10 files of patients, but it is quite another to walk out with a diskette with every file on it or access those files from 100 miles away or to have every staff person in an office have access to very personal and confidential information about you and your health condition or treatment. When you go into a hospital, doctor’s office or nursing home the information you provide should be confidential and for the most part those entities have kept it private, but there are numerous instances where this information has been released without patient knowledge resulting in personal damage in one form or another. So again, I think it is inaccurate to reduce these consumer protection rules as merely “just another federal mandate.”

In my opinion the “un-funded” part also is a myth. Consumers already are funding the privacy rules with their insurance premiums and payments. Consumers have always thought that privacy and confidentiality was a given in healthcare. The only difference is that with HIPAA they found out how little privacy there really was. The HIPAA standards now make that privacy and confidentiality more likely to be maintained.

Let’s face it, the healthcare industry is going to get the lion’s share of the benefits from the dollar savings that come with the streamlined administration - not consumers. Once I pay my premium or co-pay there is no direct advantage to me if my provider is paid electronically or on paper or in 10 days or 50 days. Other than the increased cost of doing business and that is already factored into my premium and co-pay. I am sure the savings projected by HIPAA financial experts are not going to be turned around to lower my premium -- the savings are going to be used to fund the changes required -- the changes promoted by the industry. So HIPAA changes are not “un-funded”, they are being funded both by consumers everywhere and funded from the savings that the industry will see from electronic transactions --- as well as the continual increases in insurance premiums which I am sure we will see.

HIPAA Resources

I want to quickly address two issues regarding the resources available to provider practices; first, the current resources available, and second, what I see as a critical need for provider resources going forward.

First -- the resources that are available… HIPAA implementation has been a unique collaborative effort within the industry. In September of 1999 a group of concerned professionals from industry, government and healthcare met in Baltimore at the first “HIPAA Summit” to discuss how each of the partners in healthcare could help the industry as a whole to meet the HIPAA requirements for both security and privacy. Representatives from various sectors of the industry signed up to develop materials and documents that could be used by anyone and everyone in the industry to meet the planning and implementation requirements of HIPAA. The HIPAA Summit and subsequent efforts by many organizations and groups have become a sort of “Linux” for HIPAA implementation. There are documents, materials, sample forms, websites and other resources that are either free or very low cost for providers at all levels. As a consultant I probably should be dismayed at the loss of potential business from “HIPAA free-ware” but I am far more impressed by the genuine collaboration than I am by the loss of potential business. Healthcare providers and physicians in particular have been battered by the financing side of healthcare too long and it’s about time they got a break. They just got over having the high cost of having to pay consultants to help them with Y2K and then along comes HIPAA -- but with the collaborative efforts at least they have a chance to try to complete most of the work themselves at far less cost.

Having said that -- the flip side of the multiplicity of resources is that many of these materials are confusing, misleading or just plain inaccurate. There is so much out there it is hard for providers to know which to choose or which is “right.” The result could be a practice spending thousands of dollars to be compliant and finding out that they are still going to be liable for a fine because they chose the wrong consultant or the wrong materials. Even if they don’t wind up with a fine, the lost practice time, the anxiety and the disruption to healthcare treatment is not going to be worth it for anyone in the long run. A number of associations and organizations have taken this task on and while some efforts are laudable, others are not. If OCR does anything it seems to me that the most valuable contribution at this point in time is the development of a reliable set of materials for provider offices. There are two options and I think both should be explored.

The first is to set up a clearinghouse of resources, model programs, best practices and other materials. Federal agencies have provided clearinghouses for many newly enacted programs in the past and privacy compliance is a perfect candidate for a clearinghouse of HIPAA information. Materials developed by OCR would give practices valid information to use for their implementation, reduce the cost of compliance, improve the climate for compliance and help to alleviate the “fear” of the privacy rules and potential fines for non-compliance. We don’t need any more mandates that are presented to providers as a threat of another fine or damage to their business.

The second option is to develop a very simple HIPAA Practice Management Handbook that gives providers the basics of what to look for and how to be compliant. An OCR office guide would reduce the turmoil and improve the level of compliance -- and after all -- that is what we are all looking for -- ways to do it right - to protect the patient’s information.

As a consumer I applaud the privacy rules and the changes they will bring, but as a consultant I am concerned with the confusion and conflicting opinions I see in provider practices today. I believe OCR should begin immediately to provide valid and reliable resources for providers; resources that can be trusted to help them in their compliance efforts. We owe it to them and we owe it to the consumers whose privacy rights will be better protected from improved compliance.

Thank you again for the opportunity to address you today and I hope what I have said will help you in your efforts to support the healthcare industry in the implementation of the HIPAA privacy rules.