HIPAA• HIPAA: recognize need for

protecting medical privacy…have been doing it for some time:– No question about the need—in the

electronic age--to be able to both:• Kept exchangeable data private and secure;

as well as

• Streamline transmission of data to achieve efficiencies.

– But, we have created a bureaucratic nightmare that could pose barriers to providing effective patient care…and add billions to the nation’s medical bills.

– Pleased that HHS Secretary Thompson agreed to reopen comment period.

– Provides opportunity to fix and reshape.

HIPAA– Very concerned about:

• Barriers to patient care in terms of information necessary to treat people; and

• Costs– First Consulting Group: just

three HIPAA provisions could cost up to $22.5 billion over five years.

» Minimum necessary (1.3 – 19.8)» Business associate (2.4)» State law preemption (351)

• Dozens of substantive issues:– Among them is the need for a federal

pre-emption…to have a uniform set of standards.

– Would say that we have a half-dozen other priority concerns about the regulations.

HIPAA

• First, the consent process.– This would require a patient to

sign a new set of consent forms before the hospital can use any medical information to prepare for an admission…even scheduling surgery or reserving a room.

• What does this mean?– Patients could be forced to make an

extra trip to the hospital—no matter how inconvenient—to sign a consent form.

• Solution:– Revert to HHS’s original proposal to

eliminate this requirement…and permit hospitals to determine method of obtaining patient consent.

HIPAA

• Second, requirements to disclose only minimally necessary information.– This limits information that can

be shared within the hospital for treatment…and with external sources for payment and hospital operations.

• What does this mean?– A nurse walking by a patient in distress

is denied access to the medical record because the patient isn’t his or her patient.

• Solution:– Eliminate this requirement for medical

information used within the hospital.

HIPAA

• Third, Oral Communications– This extends requirements on

protected information to oral communication.

• What does this mean?– A doctor might be reluctant to discuss

diagnosis and treatment with patients in their rooms—where they are semi-private—for fear of being overheard by nearby patients…or their families and friends.

• Solution:

– Eliminate this requirement

HIPAA

• Fourth, treatment of business associates.– This requires hospitals to have new

privacy contracts with all of their business associates and vendors…including mechanisms to share information for analysis with third parties.

• What does this mean?– Hospitals will haveto spend tens of thousands of

dollars—that can be used for patient care—to renegotiate every contract with outside vendors.

– In addition, state hospital associations could not share data among contributing hospitals to benchmark for purposes of quality improvement or to achieve economic efficiencies.

• Solution:– Replace with a safe harbor from liability for

hospitals that do business with privacy-certified third parties…and eliminate restrictions on information sharing among contributing hospitals.

HIPAA

• Fifth, law enforcement– The regulations would permit

law enforcement officials to seize patients’ records without judicial review.• What does this mean?

– In the course of a routine billing inquiry, federal investigators could obtain and use sensitive medical information to investigate a patient for suspected substance abuse.

• Solution:– Require judicial approval for

any request for medical records.

HIPAA

• Finally, implementation date– The regulations require

hospitals to be in compliance two years after the rules become effective.• What does this mean?

– Coming on the heels of Year 2K—and implementation of new payment systems for SNF, home care and outpatient—hospitals might have to invest nearly $22 billion in HIPAA compliance…diverting funds from patient care.

• Solution:– Extend implementation date by

additional two years.