Good morning. My name is Jim Daley and I am the HIPAA Program Director for Blue Cross Blue Shield of South Carolina (BCBSSC). BCBSSC is a member of the Blue Cross and Blue Shield Association (BCBSA). The Blue Cross and Blue Shield Association is comprised of 42 independent, locally operated Blue Cross and Blue Shield companies that collectively provide healthcare coverage for 84.4 million -- nearly 30 percent of all Americans. BCBSSC provides innovative health benefit plans, dental and vision benefits, pharmacy benefits, life insurance and workers' compensation benefit management. We also are the nation's largest Medicare and TRICARE administrator and we provide Medicaid services to the State of South Carolina, and a subsidiary offers software products and clearinghouse services to providers.
Because of our span of interests, we view the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) from a variety of perspectives. I would like to thank you for the opportunity to offer our comments on the implementation issues associated with HIPAA privacy.
The healthcare industry continues to focus on the need to safeguard individual health care information. BCBSSC fully supports this goal.
It is important to note that implementation of all the current HIPAA rules represents a significant challenge to the health care industry. According to a recent report from Gartner, Inc., that studied a representative sample of payer and provider organizations, the average payer will spend over $14,000,000 to comply with HIPAA while the average provider will spend over $5,600,000. I quote the report as follows:
the total compliance costs may be staggering for many HCOs that are still recovering from the U.S. Balanced Budget Act and other financial pressures. After removing several responding payer outliers that reported using HIPAA to completely transform their operations around e-business (and having budgeted up to $300 million for that effort), payers still report expected total HIPAA costs that exceed $14 million, on average. Although providers' expected total costs are relatively less, at more than $5 million on average, it should be noted that many of these respondents are 250-bed community hospitals that have substantially smaller operating budgets than a typical HMO or PPO.(1)
The current and anticipated HIPAA initiatives, including transactions and code sets, privacy, security, and the employer, provider, and health plan identifiers, call for a substantial dedication of resources for the healthcare industry. It is therefore important to identify measures that can ease the burden of compliance and allow covered entities to allocate resources to serve the consumer in other ways. BCBSSC supports the efforts of NCVHS in this regard and we appreciate the opportunity to share with you our thoughts regarding how to facilitate implementation of the HIPAA privacy requirements.
BCBSSC began addressing HIPAA in 1999, although our privacy efforts at that time were limited since the proposed rule for privacy had not been published. We currently have a HIPAA privacy task force consisting of representatives from law, compliance, and operational areas representing all lines of business to review existing corporate-wide privacy policies and practices and to adjust them as needed to accommodate HIPAA-specific requirements. The members of this task force are responsible for assuring the privacy requirements are addressed within their respective areas.
During the course of our efforts we have found two areas to be particularly troublesome. My remarks today will focus on these areas:
The subject of preemption continues to be troublesome from two perspectives. First, there are numerous state laws associated with privacy. Second, there are other federal laws on privacy, with additional legislation under discussion.
1. Preemption of state law
As an example, South Carolina presently has over sixty statutes that address confidentiality of health information, including some so specific that they apply only to health records of state employees. Based on the preemption criteria, covered entities must decide on a provision-by-provision basis, which parts of state law would be retained and which would be preempted by federal law. This becomes an even more complex task for entities doing business in multiple states. Since there is not currently a centralized analysis of preemption, this analysis must be accomplished by each covered entity. That means every payer (including employer health plans), provider and clearinghouse must perform this task. The redundant effort of these covered entities uses valuable resources that could be spent in other ways to safeguard protected health information (PHI) and to benefit the consumer. At BCBSSC we have joined a coalition with other Blue plans and have hired outside counsel to assist in the preemption analysis. Unfortunately, many small or rural providers do not and will not have access to legal staff with the expertise to conduct this analysis. Furthermore, each time a privacy law changes or a new one is passed, this analysis will need to be revisited by all covered entities.
The preemption issue is compounded by Section 160.204 of the rule that describes a process whereby a state can apply to except a provision of state law from preemption. While this may help accommodate certain specific needs, how will covered entities and consumers know which exceptions have been requested and approved? Will state insurance departments be expected to provide preemption guidance?
The preemption process will be very frustrating and confusing for consumers. It will be difficult for them to determine which provisions apply to them. Instead of promoting an individual's ability to know his or her privacy rights, the preemption process will only confuse them.
It would be helpful for HHS to prepare and to maintain an up-to-date, detailed privacy guide that would show covered entities and consumers the privacy provisions that apply for each state across the country. This would alleviate the need for tens of thousands of covered entities to perform this analysis, and would eliminate potentially conflicting determination of which provisions apply within a given state.
2. Other federal law
There is other existing legislation on privacy (e.g. Gramm-Leach-Bliley, the Privacy Act of 1974, the Federal Substance Abuse Regulation, etc.). Additional privacy legislation has also been discussed at the federal level. With the passage of each new bill, there is the potential for requirements to change and for previous efforts by covered entities to be legislated out of compliance. The preemption analysis would need to be conducted each time a new privacy law is passed.
Covered entities in compliance with HIPAA should be deemed to be in compliance with other Federal privacy requirements. This would avoid conflicting or fluctuating requirements and provide a clearer statement of federal privacy laws for consumers to understand.
Even as the HIPAA deadlines approach, we have become increasingly aware of the lack of understanding of HIPAA within the provider and employer community. As a result, payers are finding it necessary to create awareness programs for these covered entities.
1. Providers
At a recent conference in California, one provider made reference to the fact that no one sent a letter to providers telling them they needed to comply with HIPAA. At an awareness program held in South Carolina, one provider commented, "Even though mandatory, I didn't know much about it." While some providers have made significant strides toward compliance, others are still asking very basic questions. As a result, payers are finding it necessary to develop awareness materials to fill this gap. This presents a few potential problems.
First, it is conceivable that the information provided may differ slightly depending on which payer or other consulted expert offers the material, thus creating uncertainty among providers over the specifics of the HIPAA requirements. Second, creating these awareness programs diverts payer resources that could be spent to benefit the consumer in other ways.
Some providers are beginning to question what information is allowable to share under HIPAA. While this indicates a step forward in protecting the privacy of consumers, it may also impact the consumer if required and allowable information is withheld due to misunderstanding of HIPAA provisions. Such impacts may include delays in authorization for services or in determination of the amount of coverage.
It would be helpful to have a national plain-language HIPAA guidance for providers that explained their basic requirements and provided reference to sources of additional information. It would also be helpful if this guidance could be accessed via the Internet. Although the FAQ section of the HHS/CMS web site is a valuable source of information for specific questions, it does not provide the higher-level explanation of requirements that many covered entities might need. A WEDI SNIP work group has drafted a white paper to address provider awareness, but the value of this material depends on the provider becoming aware of this resource.
2. Employer health plans
Employer health plans must comply with HIPAA requirements. While many of these plans may use a third party payer to handle transactions and code set requirements, the same cannot be said for privacy. These plans must be made aware of their obligations under the privacy rule. At present this awareness is often dependent on information provided by payers, business associates, vendors and consultants. The amount and quality of this information varies. The level of awareness will influence the amount of protection PHI receives within the employer health plan. This in turn affects the privacy of consumers.
A related concern is the potential impact to employee benefits if the flow of PHI is impeded due to lack of understanding of the HIPAA privacy requirements. This disruption could inhibit the ability of consumers to obtain coverage or to have their claims processed. Some payers are taking steps to create awareness materials for employers, but this action is subject to the same issues described above under providers. The consistency of information may vary and these awareness initiatives divert resources from other essential activities.
3. Vendor information
It is important to emphasize that HIPAA compliance is the responsibility of the covered entity. BCBSSC recognizes that vendors offer services that can be of great assistance to help covered entities address HIPAA requirements. However, vendor statements could lead some covered entities into thinking that compliance could be achieved merely through purchase of a product or service. Vendors and consultants have seized upon HIPAA as a lucrative new source of revenue and some vendor literature contains phrases that imply HIPAA compliance can be achieved solely through their product, when in reality the product is only a tool or service that can assist a covered entity to become compliant. Since all the HIPAA rules have not yet been published, even the use of the phrase "HIPAA compliant" may be premature, without sufficient qualifiers describing which aspect of HIPAA is being addressed.
BCBSSC feels it would be beneficial to have HHS prepare guidance that describes how vendor services may assist covered entities in their HIPAA efforts and clearly describes what covered entities may still need to do on their own.
In conclusion, it is our view that the industry could benefit significantly by having access to a centralized preemption analysis and by having access to standardized awareness and outreach materials.
We therefore recommend that HHS do the following:
Thank you for the opportunity to testify. This concludes my statement.
(1) August 2002 HIPAA Panel Results: Expected Costs/Benefits; QA-18-1958; Research Note, 2 October 2002; M. Duncan, Gartner, Inc.