HIPAA Regulations: The Cost of Compliance

This article was written by Jim Cagliostro.

With the increasing concern over HIPAA regulations, what is the cost of compliance for your hospital?

On November 13, 2018, the Centers for Medicare and Medicaid Services (CMS) submitted a request for information (RFI) to the White House’s Office of Management and Budget[1].

The purpose of the request was to address the growing concern among healthcare workers of whether or not HIPAA regulations are limiting or discouraging coordinated care and case management among hospitals, physicians and other providers.

Key Historical Events 

A review of the key events that have led us to this point is outlined below:

HIPAA – 1996: The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It required the US Department of Health and Human Services to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security.

Privacy Rule – 2000: The Privacy Rule established national standards for the protection of individually identifiable health information.

Security Rule – 2003: This rule established national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

HITECH Act – 2009: The HITECH Act widened the scope of privacy and security protections and increased the potential legal liability for non-compliance.

What’s Causing the Concern?  

The fines imposed on an organization when HIPAA laws are violated and patient health information is not protected are “nothing to sneeze at.”

For instance:

  • In February 2017, Memorial Healthcare Systems paid $5.5 million to the Office of Civil Rights (OCR) for failing to prevent a former employee from accessing patient health records.
  • On October 16, 2018, Anthem paid the OCR a record $16 million following the largest US health data breach in history. Needless to say, healthcare providers understand that the Office of Civil Rights (OCR) takes HIPAA violations very seriously.

According to the HIPAA Fines Directory, penalties can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.[2]


The consequences of the HIPAA ruling

The ruling has resulted in numerous issues, including:

A Culture of Paranoia?

There are some suggestions that HIPAA has created a culture of paranoia that prevents the exchange of health information which would be in the best interest of the patient.

This is understandable. The possibility of your health system incurring such astronomical fines has led many healthcare workers to avoid sharing PHI at all costs.

If there is any uncertainty about whether patient information may be shared, workers would rather accept the requestor's frustration than risk a financial penalty amounting to millions of dollars and the possible loss of their jobs.

Undue Burdens Limit Care Coordination

CMS argues that HIPAA creates undue burdens that limit care coordination and prevent effective case management by preventing the exchange of essential information between the multiple providers involved with a patient’s care.

To be clear, CMS has chosen to pursue this issue because they feel that barriers created by HIPAA “undermine [current] attempts by the agency to move Medicare from a fee-for-service to a value-based pay system.”[3]

CMS is not alone.

A Barrier to Collaboration

The American Hospital Association concurs that HIPAA regulations have made it more difficult for providers to work together and create care management teams.

One common dilemma is the need for sharing PHI when a patient is cared for at another facility, especially in emergencies or situations where the patient or family is unable to consent to the sharing of information.

In these situations, hospitals are hesitant to share information with other providers as this could lead to penalties if too much information is shared or if the requestor gains access to more information than is needed to care for a particular patient.

According to the official RFI, CMS is also inquiring about the creation of a ‘safe harbor’ for good faith disclosures of PHI. This applies particularly to cases where information is requested for the purposes of coordinating care or case management, but it applies equally to other scenarios where patient information could be shared appropriately without the patient’s consent.

Solutions to HIPAA Compliance

If HIPAA regulations are indeed overly burdensome and preventing coordinated care, then something needs to change.

The Agency for Healthcare Research & Quality states:

“Care coordination is identified by the Institute of Medicine as a key strategy that has the potential to improve the effectiveness, safety, and efficiency of the American healthcare system. Well-designed, targeted care coordination that is delivered to the right people can improve outcomes for everyone: patients, providers, and payers.”[4]

In other words, improved care coordination leads to better patient outcomes and more efficient processes, all while reducing the cost of care.

As mentioned above, creating a ‘safe harbor’ presents a potential solution, albeit one that comes with many variables.


As with so many aspects of healthcare, however, the solution is not straightforward. The obstacles include:

  • There is no way to ignore the need for patients’ personal health information to be protected. This must remain a priority.
  • Many have argued that HIPAA indeed allows for the disclosure of patient PHI to other healthcare providers for care coordination. Healthcare industry experts believe the problem boils down to confusion about the circumstances of when it is permissible to share data. In other words, they believe the problem is a misinterpretation or a lack of understanding of HIPAA rules.
  • Healthcare leaders must educate all employees to clarify when it is and when it is not appropriate to share a patient’s health information.

Ultimately, patients, healthcare providers, CMS, and OCR must work together to find a solution. It will not be easy and it will take time. We must find a way to protect patient health information while allowing for the safe and effective exchange of that information between providers.

Research has shown that coordinated care, with open communication about the needs of the patient, produces the best health outcomes. However, this does not give license to handle patient information carelessly.

With proper clarification of privacy laws and coordinated efforts by all involved, the American healthcare system can become the worldwide standard in which quality patient care is coordinated AND patient health information is protected.

At VIE Healthcare Consulting, we take patient privacy very seriously and we know that your hospital does too. The healthcare consulting providers working with your hospital may be experts at what they do, but do they understand just how crucial it is to protect patients’ health information?

The cost of HIPAA compliance is high. The cost of noncompliance is even higher.

[1] https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201810&RIN=0945-AA00

[2] https://compliancy-group.com/hipaa-fines-directory-year/

[3] https://www.modernhealthcare.com/article/20181114/NEWS/181119972/cms-to-ask-if-hipaa-is-a-barrier-to-care-coordination

[4] https://www.ahrq.gov/professionals/prevention-chronic-care/improve/coordination/index.html