Executive Summary
Who: William R. Braithwaite, MD, PhD, FACMI
What: Senior Advisor on Health Information Policy, the Office of the Assistant Secretary for Planning and Evaluation in the U.S. Department of Health and Human Services.
How: Physician, medical information specialist, 20-year academic career at the University of Colorado School of Medicine. Graduate of the Robert Wood Johnson Health Policy Fellowship Program and internship with the Senate Finance Committee Health Staff. He became one of the major authors of the Administrative Simplification language that was attached to the Health Security Act before its introduction on the Senate floor.
A lackadaisical healthcare industry, government bureaucracy, bullying vendors and a fearful public are threatening key pieces of HIPAA, the Health Insurance Portability and Accountability Act of 1996. Today, after more than two years of complex government and industry maneuverings, important administrative and financial transaction standards are well along the path to industrywide adoption. Unresolved, however, are some of the Act’s thorniest components, including privacy issues, which are key to HIPAA’s success.
Bill Braithwaite tackles HIPAA controversies head on in his post as senior advisor on Health Information Policy at the U.S. Department of Health and Human Services. In the following interview, Braithwaite talks from his office in Washington, D.C., about the challenges facing the unresolved HIPAA provisions and the goal to streamline healthcare administration.
How can HIPAA help solve healthcare’s security problems?
Most industries that use information technology pay close attention to the need for security in their systems. They value the information they have and strive to protect it. For many reasons, many of which are incomprehensible, healthcare has been very lax. Current practices are not acceptable. However, there are four issues that must come together to solve the security problems.
One, awareness. Everyone in the organization must understand the importance of security and the associated technical requirements. Many computer systems have security capabilities with timed log-ons, biometrics, multiple passwords and audit trails, but typically the security system isn’t turned on when the system is installed. Naturally, if a feature is not used, system vendors stop producing systems with the capabilities. This cannot be allowed to happen.
Two, cultural acceptance. Doctors and nurses, burdened with increasing documentation, often refuse to use a system that demands keyboard skills and increases charting time. This must be resolved, perhaps in finding different and more creative approaches to security barriers.
Three, administrative policy. The issue of security must have a major emphasis in training but a hard line administrative backup is required. Administrators must be willing to fire people over breaches in security.
Four, law. The security policy must be turned into law with mandates and penalties. Security regulations that are emerging now have the administrative simplification law to back them up with penalties.
What makes this security policy unique?
The specific policy stated is nothing unusual or onerous. It is a standard security policy that would be used for any industry other than healthcare (for details, see "Battening Down the Hatches," below). It’s scalable. A one-person practice with a PC can implement every one of the security measures required, as can the largest multi-national corporation.
We expect complaints, especially from small providers because they are the most likely not to understand the policy. Consequently, we have gone to some lengths to try and provide an example of how a small provider might deal with this complex-looking matrix of requirements.
Beyond security, what are the major obstacles to HIPAA implementation?
There are two right now. One is the furor over a choice for the individual identifier. The other is the Paperwork Reduction Act (PRA) of 1995 (for more about HIPAA opposition, see the sidebar, "Counterpoint: HIPAA Hiccups," below).
That privacy protection should precede other implementations has been the intent of HIPAA from the beginning. The timing of the regulations is such that privacy protection will be in place before anyone is mandated to use the standards. The angst among uninformed people has reached the point that some members of Congress are considering writing a law that stipulates that privacy legislation must be in place before the standards are implemented (assignments for identifiers, etc.). Go ahead--restate HIPAA if it will make people more comfortable, just so long as it doesn’t change the intent. And so long as it permits the industry to go ahead and start building information systems. They don’t need to actually implement them until the privacy is in place.
The original bill that I helped write for the Senate finance committee included a section on health information privacy that was at least as large as the section on standards--Congress stripped it out. It was there again in 1996, as part of HIPAA--for about five minutes.
One of the things we did manage to get into HIPAA was the backup clause that states that if Congress does not pass a general health information privacy law by August 1999, the Secretary of the Department of Health and Human Services (DHHS) has the authority to do so by regulation. Now, that authority is limited to information associated with electronic transactions, but it’s better than nothing.
Privacy has a price. To date, the healthcare system hasn’t been willing to pay that price.
Is it possible that privacy concerns will derail HIPAA’s plans for a national personal identifier?
There is always that chance. Privacy advocates are not really my opponents; I’m on their side. I want health information to have privacy protection. The devil is in the details, not the basic philosophy.
Education is really the only thing we can do. DHHS has begun to realize that it needs to be more proactive when we release items that might be construed as controversial--mainly because people don’t read them. We plan to do a better job with our press relations and in educating the media.
How does the Paperwork Reduction Act (PRA) relate to HIPAA?
From my perspective, there are two problems regarding the law as it was intended. While on the surface it may appear that these are not in conflict, in reality its due process--that of submission of all rules and subsequent modifications to the Office of Management and Budget (OMB) for approval--runs counter to the process of industry consensus.
First, it takes a great deal of time to go through this very detailed review of all the standards covered under HIPAA. If we are going to maintain each rule and keep them up with the standards that are required to meet business needs on an annual basis, this process is extremely problematic and must be streamlined. The PRA will stand in the way.
Second, it adds a layer of veto power to an industry standard that HIPAA did not intend. HIPAA intended the industry to come up with a standard by consensus, which would then be adopted by the Secretary. The law did not intend for another part of the administration to second-guess that and decide that it didn’t like this code here or that process there. If the force of PRA is invoked, everything down to the finest detail is under the OMB. OMB would have to approve every change to the standard and every code addition to the CPT. Choosing ICD-9 (the International Classification of Diseases, Ninth Revision) is under it; adding a single code to the ICD-9 is under it.
Once a standard--and its development and refinement process--has been chosen and approved, the process should proceed in its current form without additional requirements for re-approval. This issue should be clarified in the rule with explicit statements about the relations between the act of standards and the resulting effect on the standardization process.
Is there an option?
Yes. Although administrative simplification provisions have been interpreted as falling under OMB, the final ruling remains open to question. Change can occur in one of two ways: either the OMB can decide that it doesn’t apply or Congress can attach a waiver to the law that excludes OMB review from the process.
Some of the comment periods for the proposed rules are closed. Is it too late?
No. The issue is ongoing. Every Notice of Proposed Rule Making (NPRM) asks the question of whether the PRA should apply or not. All the comments are being collected. The final decision will be based on the collective body of comments.
How is the vendor community reacting to upcoming implementations?
Implementation guides with detailed-level directions for implementing the new standards have been publicly available since November 1997. Our department is now going through the process of making sure that everybody understands what is happening, that the consensus is spread across the industry and that everybody signs off in the process to make it law.
Some vendors are going ahead with whatever is necessary to set up teams or even design their systems to meet the new standards. Others are waiting--but I think it’s an excuse. Any excuse by the industry that "we’re not going to do anything until we see the final rule" is just that--an excuse. They know what we’re doing and they know what to expect from this process because they have participated and have helped create it.
Are you satisfied with the penalties set forth under HIPAA?
No, I’m not happy. The fines are not those proposed. In the last phases of passing HIPAA, zeros were eliminated from the ends of the penalty numbers. The problem is that penalties have been reduced to the point that some companies have told me that they will make the decision to violate the standards--that it is cheaper to pay the penalties than it is to modify their information systems. Eventually the market will bring them around. They won’t be able to compete against systems that save their owners millions of dollars. But the fact that some consider this philosophy acceptable is very disturbing.
How do you rate progress so far?
Although I am a patient man, it’s not moving fast enough. This is a significant and important part of improving the healthcare system, and I want to do it right. Right means that we have fully followed the consensus-building process and have industry onboard. This is not the government going into a back room, deciding what to do and springing it on them. This is a long consensus-building process for a reason. We want it to work and to meet the needs of the industry, as well as those of the government.
Battening Down the Hatches
Proposed standards for health information security, as mandated under the Administrative Simplification provision of HIPAA, affect all health plans, healthcare clearinghouses and healthcare providers. The security standard is designed to protect the privacy and confidentiality of electronically stored, maintained or transmitted health information. Here are the plan’s highlights:
- The proposed rule does not require use of an electronic signature but, where one is used, specifies a standard that identifies the signing person, assures the document’s integrity and ensures the validity of the signature.
- To guard data integrity, confidentiality and availability, the Department of Health and Human Services (DHHS) has proposed itemized requirements in four categories: administrative procedures, physical safeguards, technical security services and technical security mechanisms.
- The security standard must satisfy three criteria: It must be comprehensive, it must be technology-neutral and it must be scalable.
- DHHS does not mandate a single, one-size-fits-all solution. Rather, it defines organizational and technical practices and procedures that, when implemented, will ensure a secure data environment.
- Organizations need to develop security and confidentiality policies, designate information officers, institute education and training programs and prescribe sanctions.
- IT departments will need to develop a strategy to satisfy DHHS’ eight-point plan, which includes individual user authentication, access controls, audit trails, physical security and disaster recovery, and protection of remote access points and external electronic communications.
- The public comment period on the proposed rule-making ends Oct. 13, at which time the proposals return to the internal government review process. Final adoption may be as early as the end of the year. More realistic observers expect sometime in 1999. --C.M.
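As an added illustration, not part of the original article or of the proposed rule, the following Go program shows what the three electronic-signature properties listed above mean in practice. A record is signed with a private key held by a named person; a registry maps signer names to enrolled public keys (identifying the signer); verification fails if a single byte of the document changes (integrity) or if the same signed bytes are presented under another person's name (validity of the signature for the claimed signer). The choice of Ed25519, the in-memory registry, the signer names and the sample claim record are all assumptions made for this example; the proposed rule itself was technology-neutral and named no algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registry maps a signer's name to the public key enrolled for that person.
// Hypothetical stand-in for a directory or certificate store.
type Registry map[string]ed25519.PublicKey

// SignedDocument bundles the document, the claimed signer and the signature.
type SignedDocument struct {
	Signer    string
	Document  []byte
	Signature []byte
}

var (
	ErrUnknownSigner = errors.New("signer is not enrolled in the registry")
	ErrBadSignature  = errors.New("signature invalid: document altered or not signed by the claimed signer")
)

// message binds the signer's name to the document bytes before signing, with a
// length prefix so that different (signer, document) splits cannot collide.
func message(signer string, doc []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(signer)))
	msg := make([]byte, 0, 4+len(signer)+len(doc))
	msg = append(msg, n[:]...)
	msg = append(msg, signer...)
	return append(msg, doc...)
}

// Sign signs the document under the given signer name with that signer's private key.
func Sign(signer string, priv ed25519.PrivateKey, doc []byte) SignedDocument {
	return SignedDocument{Signer: signer, Document: doc, Signature: ed25519.Sign(priv, message(signer, doc))}
}

// Verify checks that the claimed signer is enrolled and that the signature
// matches that signer's key over the exact document bytes and signer name.
func Verify(reg Registry, sd SignedDocument) error {
	pub, ok := reg[sd.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !ed25519.Verify(pub, message(sd.Signer, sd.Document), sd.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo enrolls two signers, signs a constructed claim record as the first one,
// and returns the verification result for the genuine record, for a copy with
// one altered byte, and for the same record presented under the second name.
func Demo() (genuine, tampered, impersonated error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubB, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"dr.anders": pubA, "dr.baker": pubB}

	// Constructed sample claim record for the example; not real data.
	claim := []byte("837P|patient=000123|dx=ICD9:401.9|proc=CPT4:99213|amount=85.00")
	sd := Sign("dr.anders", privA, claim)
	genuine = Verify(reg, sd)

	altered := sd
	altered.Document = append([]byte(nil), claim...)
	altered.Document[len(altered.Document)-1] = '1' // amount becomes 85.01

	forged := sd
	forged.Signer = "dr.baker" // same bytes and signature, different claimed identity

	return genuine, Verify(reg, altered), Verify(reg, forged)
}

func main() {
	g, t, i := Demo()
	fmt.Println("genuine record:   ", g)
	fmt.Println("altered record:   ", t)
	fmt.Println("wrong signer name:", i)
}
```

Run it with `go run main.go`: the genuine record verifies, the altered record and the record presented under the other name both fail with ErrBadSignature. Binding the signer's name into the signed message is the detail that gives the third property; signing the document bytes alone would let a valid signature be re-labelled with any enrolled name whose key happened to match.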
HIPAA Sites on the Web
Updated and detailed information about HIPAA’s proposal and review process is available on the Web. These public windows on the legislative process encourage conversation and feedback for every rule proposed. You can download and read all of the proposals, comment and/or track the process at the following sites:
Administrative Simplification (law, process, regulations, comments): http://aspe.os.dhhs.gov/admnsimp/
Health Care Financing Administration (National Provider Identification and PAYER ID): http://www.hcfa.gov
Health and Human Services (HHS) Data Council: http://aspe.os.dhhs.gov/datacncl/
National Committee on Vital and Health Statistics (NCVHS): http://aspe.os.dhhs.gov/ncvhs
Washington Publishing Company (HIPAA-EDI implementation guides): http://thedma.org/hipaa/
Counterpoint: HIPAA Hiccups
HIPAA is choking on the national personal identifier. Stalled congressional action on federal health information and privacy legislation prolongs the agony. Not only is there no consensus on how to proceed logistically, the issue is spawning public paranoia. One rumor spreading through the general press is that the government plans to create a national data bank to store all medical records. Simply not true, says administrative simplification author Bill Braithwaite. "Linking the personal identifier with a governmental database is totally inaccurate, totally misleading and totally sensationalist," he says. "HIPAA contains absolutely nothing that mandates the collection of data."
CALLING DR. SOLOMON
Adele Waller, a health law practitioner with the Chicago law firm of Goldberg, Kohn, Ltd., agrees that HIPAA deals only with transaction data, but poses the query: Since it is unrealistic to think that the HIPAA identifier will not be attached to the individual medical record, how does the healthcare organization separate transaction data from medical record data? It was pretty simple when all the information was on paper: claims data went to the payor, clinical data stayed in the chart. But when that information is data bits and bytes, how do you keep it separate?
Furthermore, the separation problem flows over into problems of penalties and jurisdiction. HIPAA’s penalties are restricted to transaction data--its primary focus. However, if DHHS assumes the power to prosecute for criminal infractions without the force of federal law, it may well be restricted to improprieties with transaction data--but not medical record data.
"Congress will need the wisdom of Solomon to balance individuals’ privacy rights with legitimate uses of healthcare information," says Waller. But she says that without such legislation, the HIPAA plan can run amok in the court system where the individual identifier is likely to become open to privacy challenges.
SERIOUS DOUBTS
And personal rights issues don’t even begin to take into consideration the sheer magnitude of the identifier proposal. Lewis Lorton, executive director of Healthcare Open Systems & Trials (HOST), a non-profit consortium working on policy and technology issues, doesn’t think the government did its homework. Without detailed cost-benefit facts and figures, he has serious doubts that the government can achieve the consensus needed.
And that’s not the only architectural problem. James Gabler, enterprise information architect, Healthdyne Information Enterprises of Marietta, Ga., says that if you use a national healthcare identifier as the only identifier within the local healthcare system, it opens up the issue of multiple associations. Co-chair of HL-7’s MPI Mediator special interest group, he says a recent workshop concluded that the single number would create a heavily political and very expensive hierarchical structure. The resulting pyramidal structure would require so many master person index (MPI) directories pointing always to larger MPIs that a separate MPI would be required to find the data--and it would be so large that only the government could build it.
The issue of privacy is a very emotional issue and it will be a rough road for HIPAA backers as they try to convince the American public that a personal identifier is a good idea. Some don’t think that a number for each American will ever fly--at least not in the form proposed. The proposals may be too simplistic for such a complex issue.
--C.M.
What’s Inside HIPAA

| Mandated Standards | Candidates | Progress | Status |
|---|---|---|---|
| Administrative and financial transactions and code sets | X12N for all transactions except claims. Code sets: ICD-9-CM, CPT-4, CDT-2 and NDC; Universal Product Number (UPN) likely to replace the Health Care Financing Administration Procedure Coding System (HCPCS) | Proposed May ’98 (except First Report of Injury and Claims Attachments); implementation guides on the Washington Publishing Company Web site | Adoption possible end of ’98; compliance deadline end of 2000 (small plans: end of 2001) |
| Unique health identifiers | | | |
| - Healthcare providers | National Provider Identifier (NPI) | Proposed May 1998 | Adoption possible end of ’98; compliance deadline end of 2000 (small plans: end of 2001) |
| - Employers | Employer Identification Number (EIN) | Proposed June 1998 | Adoption possible end of ’98; compliance deadline end of 2000 (small plans: end of 2001) |
| - Health plans | PAYER-ID (criteria not published) | | |
| - Individuals | | | |
| Security standards | | | |
| - Security and electronic signature | Technology-neutral guidelines; digital signature | Proposed August 12, 1998 | Adoption possible end of ’98; compliance deadline end of 2000 (small plans: end of 2001) |
| Privacy and confidentiality | | | |
--C.M.
Line by Line
Minnesota is actively participating in review and comment on proposed HIPAA regulations
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 introduced a new concept to many healthcare organizations when it put together the two words: "administrative" and "simplification." But to the Minnesota healthcare industry, the idea that some administrative functions could, and should, be simplified was old hat.
That’s because Minnesota has had a similar law, called the Health Care Administrative Simplification Act, on its books since 1994. The state law requires uniformity of some electronic data interchange transactions; standardized paper forms; universal payor, provider and patient identifiers and prescribes the use of uniform patient identification cards.
The driving force behind this groundbreaking legislation was a collaborative group of Minnesota payors, providers and government agencies called the Administrative Uniformity Committee. Since 1996, members of this committee and another public/private partnership called the Minnesota Health Data Institute, have spent thousands of hours reviewing and preparing comments on the administrative simplification efforts outlined in HIPAA.
"Minnesota has really taken the lead in moving forward with the standards that are now required at a national level," says Walter Suarez, MD, the executive director of the Minnesota Health Data Institute, which was created by the state legislature in 1993 to measure and improve the quality and cost efficiency of healthcare services. "Because of experiences that have been brought up by some of the organizations in the state with the use of some of these standards, we have been able to bring very concrete recommendations to the national level," says Suarez.
For example, when the American National Standards Institute was developing the electronic standard for claims, Minnesota’s data institute and the committee put together a review team that provided more than 200 comments to help improve the implementation guide. Because of Minnesota’s act, Minnesota healthcare organizations were already familiar with the review process and had practical experience putting their business needs to the test, says Suarez.
BACKGROUND IN EDI
The Minnesota healthcare industry is familiar with more than the policy side of electronic data interchange, it has a lot of practical experience, too. One of the provisions in the Minnesota act called for the creation of the Minnesota Center for Healthcare Electronic Commerce. The institute operates the center, which is the country’s first and only independent center dedicated to education and training on EDI in healthcare, according to Suarez.
In 1994, the center surveyed health plans and providers in Minnesota to get a baseline of EDI utilization within the industry and found that about 66 percent used some form of EDI. When the survey was repeated three years later, that number had increased to almost 79 percent, Suarez says. "We found there was a significant increase in the use of EDI both from the health plan perspective as well as the provider perspective."
Acknowledging that some providers don’t have EDI capabilities and that consumers are often frustrated and confused by healthcare paperwork, the Administrative Uniformity Committee has worked to standardize some paper forms, too. Last year, it developed a standard remittance advice and a standard explanation of benefits, both of which it hopes will be passed into law during the next legislative session. "Even though in the electronic world there’s going to be all these standards, there is still paper that comes through the system," says committee Chair Trisha Schirmers, who is also the reimbursement director for Allina Health System in Minnetonka, Minn.
Together the institute and the Administrative Uniformity Committee have responded to all of the HIPAA regulations that have been released for review and comment so far, using a very thorough method. "It was a process of going through them line by line," says Schirmers. The effort is well worth it, she says, because the Health Care Financing Administration’s (HCFA) request for feedback isn’t just lip service. Many of the suggestions that the institute and the committee made over the last two years were incorporated into the drafts for some of the rules, she says. HCFA really seems to value the experience Minnesota has brought to the discussion, says Schirmers. "They look to us as a resource."
Charlene Marietti is senior technology writer at Healthcare Informatics.
Carla Solberg is a healthcare writer in Minnetonka, Minn.