States Find New Medical Privacy Rules Costly, Confusing

States are struggling to comply with new federal medical privacy rules that set standards for using and shielding medical information, from patients’ files to insurance billing records.

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 as part of landmark reforms to the health insurance industry. Designed by officials of the Clinton administration and amended by the Bush team, HIPAA aims to bring consistency to the patchwork of state laws affecting health care privacy, security and administrative procedures. Compliance with privacy rules, the first part of a three-phase implementation process, was required as of April 14.

States must determine what agencies need to comply, if any state laws take precedence, how to educate health care providers about the new requirements and how to pay for administrative and technical costs — all in the midst of large budget deficits.

“(HIPAA rules) are going to affect the states tremendously, especially at a time when they have no money to implement them,” said Trudi Matthews, chief health policy analyst at The Council of State Governments (CSG). “These deadlines are coming down at the worst possible time.” HIPAA affects every aspect of health care, from patients and doctors to pharmacists, nursing homes and insurance companies. At the state level, the rules can affect Medicaid programs, state laboratories, public health departments, correctional facilities and employee benefit and workers’ compensation programs.

Most HIPAA-required measures will occur behind-the-scenes, but patients may encounter some directly, experts said. For example, medical charts must be face down when outside of examination rooms so a passerby cannot see them. Another new requirement: hospitalized patients may choose not to be listed in the facility’s directory, which could leave even family members in the dark about whether a loved one has been admitted.

Such policies are being implemented from large state-run hospitals to small private practices.

“The impacts that folks feel in the private sector, we feel in the public sector, too,” said Sarah Brooks, North Carolina’s HIPAA office manager.

HIPAA lays down basic privacy rules, but states can and do go further. California, for instance, had some of the toughest medical privacy laws in the country prior to HIPAA and any more stringent laws will still preempt the new federal requirements, said Burt Cohen, director of the California Office of HIPAA Implementation (CalOHI).

“(HIPAA) creates a floor, not a ceiling,” Cohen said. His office was established more than two years ago for the sole purpose of demystifying and implementing the new rules and has 12 full-time state workers. States complain that while they’ve gotten some guidance from Washington on how HIPAA should work, they’ve been left to interpret the complex rules on their own.

“(The U.S. Department of Health and Human Services) has tried to make it as clear as they can, but states have been doing a lot of preparation for these rules going into effect on the fly … there are still so many unanswered questions,” The CSG’s Matthews said.

But HHS and the federal Centers for Medicare & Medicaid Services (CMS) have been doing “extensive” outreach over the past few years by hosting teleconferences and regional seminars for health care providers, said press officials with both HHS and CMS. They’ve issued more than 3,000 educational CD-ROMs and launched an expensive Web site and e-mail listserv dedicated to helping states sift through the minutiae of the laws.

Fines for non-compliance range from $100 for a civil violation to up to $250,000 and 10 years in prison for a criminal violation, such as marketing Social Security numbers or intentionally giving medical information to a patient’s prospective employer that might deter the company from hiring the patient. Enforcement is strictly complaint-driven.

“The folks on the ground level are just frustrated. This is a new undertaking for HHS as well as for the states,” said Robert Burns, a policy analyst at the National Governors Association Center for Best Practices (NGA). “It’s a huge undertaking and there’s no precedent for it.”

To assure compliance with the new federal rules:

• California and North Carolina set up central, stand-alone HIPAA offices to ensure state agencies received consistent messages. 
• Arkansas and several other states contracted with private consultants to help make necessary changes.
• In South Carolina, where the unofficial mascot of the state’s HIPAA office Web site is a big, barrel-shaped hippopotamus, officials issued a HIPAA guide for state legislators.
• Ohio designated the Department of Job and Family Services to lead other agencies to compliance.
• And in Colorado, Gov. Bill Owens (R) issued an executive order in February 2002 mandating state agencies to cooperate to implement the HIPAA.

No federal funds have been allocated to states for HIPAA, but state Medicaid programs can qualify for federal dollars to help upgrade computer systems, which will likely be necessary under phase two of compliance. Cost estimates are inexact, as most states don’t isolate HIPAA compliance in their budgets.

HIPAA officials and outside experts said money is being spent on upgrading and streamlining computer systems, hiring additional staff and training existing staff. As within the private sector, state agencies also are being confronted with a mountain of administrative costs, such as creating standard forms for billing insurance claims, experts said. Ohio, for example, will have spent approximately $20 million on administrative and technical aspects of HIPAA from July 2001 to October 2003, said Robert Bergin, Ohio’s HIPAA project manager. The Buckeye State established five HIPAA “working groups,” trained 1,700 state workers and mailed out more than 1 million privacy notices to Medicaid recipients and providers. Postage alone cost the state $300,000.

California sent out training packages to state agencies and more than 6 million privacy notices printed in both English and Spanish.

Despite angst over the new rules, policy analysts and state administrators alike said they think they’re compliant, for now.

“Folks are doing what they think they’re supposed to be doing,” said Joy Johnson Wilson, a health expert and director of federal affairs at the National Conference of State Legislatures (NCSL). “We’re just going to have to feel our way through this.”

The next HIPAA deadline is Oct. 16, 2003 for administrative transaction and code sets, which Medicaid uses to describe covered services. States said they’ve made some progress, but will be cramming the next five months in order to meet the deadline.