August 2001 Bulletin

HIPAA to boost paperwork burden

By Jennifer Kunde

Many physicians may be aware that standards for privacy of individually identifiable health information have taken effect, and that they will need to take steps to ensure compliance by April 14, 2003. However, what may be less well known is that there are a myriad of other regulatory requirements mandated by the Health Insurance Portability and Accountability Act (HIPAA) that are scheduled to take effect over the next few years, introducing many changes into a physician’s office.

Physicians already face voluminous, complex and sometimes contradictory regulatory requirements that significantly affect their daily practice. It is likely that these new, additional regulations will increase administrative burdens, reduce the amount of time physicians spend with patients and interfere with the development of the patient-physician relationship.

These new requirements come about as a result of the "Administrative Simplification" provision included in the final HIPAA legislation. When fully implemented, nine different sets of regulations designed to improve the efficiency of the healthcare system, protect the privacy of individual health information, and establish security mechanisms for the safekeeping of medical records will be realized. Currently, of these nine HIPAA-mandated changes only the privacy regulation and standards for transactions and code sets have established timeframes for compliance.

The other regulations that are mandated by HIPAA and that are expected to require compliance by either the end of this year or over the next couple of years, include: national health identifiers for providers, employers, health plans and patients; standards for electronic signatures; standards for security mechanisms; standards for the transfer of information among health plans; standards for enforcement; and uniform data standards for patient medical record information.

Several health care organizations, including the AAOS, have expressed concern about how these regulations may affect the delivery of health care to patients. Although "administrative simplification" is intended to improve the efficiency and effectiveness of the health care system, the HIPAA regulations are being released intermittently, essentially forcing physicians to evaluate and update office policy on a piecemeal basis.

For instance, in addition to the changes imposed by the privacy regulation, the finalized standards for transaction and code sets (which has set compliance for Oct. 16, 2002) require that uniform formats be used during any electronic exchange of information. This could require the purchase of new information systems to handle the new requirements; it will clearly require a change in office procedure and staff training.

What is frustrating about compliance with these new regulations, is that a final security rule, which will establish mechanisms for the safekeeping of medical records, has yet to be issued, which may likely require additional changes to office procedures and information systems.

Members of Congress remain concerned with the unintended consequences these regulations impose upon a physician’s practice, especially in light of their incremental approach, and, as a result, have taken some action. Legislation has been introduced in both the House of Representatives and Senate. Rep. John Shadegg (R-Ariz.) and Sen. Larry Craig (R-Idaho), introduced H.R. 1975 and S. 836, respectively, which would delay the compliance date for physicians, providers and health plans until two years after all of the administrative simplification standards have been issued. Both pieces of legislation have the support of physician groups and health plans, but it is not clear at this point how quickly Congress intends to move on this issue.

It is important to note that this legislation would not affect compliance with the privacy regulation–which will still require compliance by 2003. At this point in time, Congress would prefer to let any changes to the rule occur administratively.

Rep. James Greenwood (R-Pa.) has introduced legislation, H.R. 1215, which would repeal the privacy regulations in its entirety and replace it with a new standard, but it is not likely to move.

Significant concerns with the privacy regulation remain, however, and pressure continues to be applied by health care groups. During the National Orthopaedic Leadership Conference in April orthopaedic surgeons lobbied members of Congress to evaluate and assess the unintended consequences of some of the provisions. Members were asked to hold hearings and to encourage the Department of Health and Human Services (HHS) to make changes to the final rule.

Other groups, such as the American Hospital Association have estimated that compliance could cost as much as $22.5 billion over five years, far in excess of the HHS estimate of $17.6 billion over 10 years. Research organizations have raised concerns about the potential obstacles to continuing needed medical research. The American Association of Medical Colleges stated that the introduction of subjectivity into the review process for research projects may ultimately impede necessary medical research.

Physician and provider groups have decried the onerous "business associate" contract provision. This provision requires that physicians identify every individual and organization to whom they share personal health information and ensure that these business associates comply with HIPAA standards for privacy. Should these business associates violate a provision, however, providers are held accountable for the inappropriate disclosure of protected health information.

In response to provider concerns, HHS’s Office of Civil Rights (OCR), the department charged with enforcement of the privacy regulation, last month issued guidance on certain provisions of the privacy rule. Although some health care groups still hold out hope for actual changes to the regulation, in the meantime, individuals can access the OCR web site at and review guidance questions and answers.

Possibly as a response to provider concerns, HHS’s Office of Civil Rights (OCR)–the department charged with enforcement of the privacy regulation–has said that they will issue guidance on certain provisions of the privacy rule. Unfortunately, they have not indicated what provisions these guidances will address or when they will be issued. Part of the delay has been caused by concerns that any guidance issued will need to reflect the views of the White House, as well as other federal agencies. As such, HHS has moved with caution.

OCR also will formulate an enforcement standard towards the end of the year to establish penalties and fines for noncompliance; however, they indicate that their ultimate goal is to provide education and technical expertise for individuals and organizations working towards compliance. To ensure this, they plan to hire new agents and expand their current staff to regional offices throughout the United States so as to provide the necessary manpower to answer questions.

Although medical groups continue to raise these issues and others with the HHS Secretary Tommy Thompson and with Congress, no definitive action has been taken to amend any provisions. Members of Congress remain very concerned about the issue of privacy, but if any congressional action is taken in the privacy arena it will likely not focus on medical records privacy as much as on other privacy issues like the government’s handling of personal information.

Clearly, there is much that is unknown about the final compliance of the privacy rule. Although it is unfortunate that HHS does not know exactly what amendments they may make to the privacy regulation, or a time frame for such a change, physicians will still need to move forward and evaluate their office systems. As the process continues to evolve, one thing does remain certain as the deadline for compliance looms closer, physicians will need to assess their information systems and current office procedures, evaluate relationships with outside consultants, update current consent forms, and train staff on new policies.

The AAOS Washington Office will continue to monitor the release of new HIPAA regulations and remain active in physician and provider coalitions trying to address the most problematic provisions.

Jennifer Kunde is manager, government relations, AAOS Washington Office.

Home Previous Page