The High Cost of Hipaa

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was developed to combat fraud, abuse, and waste in health care and to improve the system’s efficiency. By creating national standards, the federal government strived to create one format for each type of health care transaction in an attempt to alleviate the administrative weight of various formats.

In addition, Section 264 of HIPAA suggested that the Department of Health and Human Services (HHS) propose standards that would safeguard the privacy of patients’ health information. HHS developed privacy regulations designed to improve patients’ faith in health care via a regulatory structure that would preserve their health information. Furthermore, HHS produced policies that would regulate agreements between health care groups and third-party organizations that completed their management and administrative functions. Basically, these policies required that contracts with third parties include guarantees that all health information revealed to third parties would not be divulged in a manner that violated the privacy policies.

Even though HIPAA was supposed to decrease the cost and ease the delivery of health care, the early stages of compliance are estimated to be expensive. Small health plans (plans with annual receipts of $5 million or less) had until April 14, 2004, to comply. Although the objective of the act is to reduce the cost of delivering health care through the standardization of business practices, the short-term financial cost to organizations could be substantial.

One study has established that just 32 percent of health-care groups were able to approximate their estimated costs related to implementing HIPAA. Within the groups surveyed, projected costs varied from $10,000 for a small physician group practice to approximately $14 million for one of the larger integrated-delivery organizations. The average of the projected costs ($3.1 million) was significantly higher than the $450,000 average of healthcare providers’ original (2001) HIPAA budgets.

In addition, a study by the American Hospital Association determined that hospitals (in total) could incur as much as $22.5 billion in additional costs complying with merely three of the privacy provisions of HIPAA during its initial five-year period. These costs are also significantly higher than the federal government’s initial estimate of $3.8 billion estimated costs for compliance with all of the privacy regulations. With such dire projections, it is crucial that financial managers be able to forecast accurately the impact of HIPAA on their businesses.

While HIPAA does not establish a personal right to sue health care workers who leak information, state laws in many circumstances do establish such a right. For example, emergency rooms are sometimes known as places to work for those who want to know what is going on in the community, according to a statement in the Emergency Medical Treatment and Labor Act (EMTALA). Personal information can sometimes be distributed throughout a hospital within a short period of time and can often spread into the community almost as quickly. Such occurrences are one of the factors that resulted in the privacy regulations included in HIPAA.

In a civil case filed in Wisconsin (even before the implementation of HIPAA), an emergency medical technician (EMT) responded to a 911 call for a woman with a “possible overdose.” After she was taken to the hospital, the EMT told an acquaintance who worked for the woman that the woman had experienced a drug overdose. The story circulated throughout the community. Simply telling one person would have been a violation of the patient’s privacy rights.

The patient filed suit in Wisconsin for “invasion of privacy involving intentional actions,” and the EMT, the volunteer fire department, and others were named in the suit. Usually the plaintiff will sue for all potential causes of action and seek the greatest recovery. The court ruled in favor of the plaintiff, ordering a $3,000 judgment plus more than $30,000 in legal fees and interest against the EMT.

Although HIPAA was enacted in 1996, its delayed timeframes for compliance caused many health plans to be unprepared for the numerous regulations that affect all self-insured health plans. For example, one of the major mistakes that self-insured employers have made is underestimating the law’s impact on their workers’ compensation claims and other medical claims. Since HIPAA relates at the present time only to health (group benefits) programs and not specifically to workers’ compensation claims, many employers are preparing their group benefit programs to be HIPAA-compliant only for employee information, privacy transmittals, and coded medical information. However, most medical providers are making all of their transmittals and medical information HIPAA-compliant in order to be cost-efficient in the processing of medical information. The result is that many self-insured worker’s compensation programs will be required to send and receive all employee information and medical information to medical providers in a HIPAA-compliant format (even though workers’ compensation is not technically covered by HIPAA).

A number of the other HIPAA provisions that could affect employers include: (1) creating policies related to privacy issues for medical information and employee information; (2) developing medical-employee transactions and coding; (3) ending the use of employees’ Social Security numbers as identifying codes; (4) addressing the topics of electronic signatures and security issues; and (5) encrypting all electronic transmittal of medical or personal information.

* Editor’s note: Dr. Les Nunn and Dr. Brian McGuire are faculty members in the College of Business at the University of Southern Indiana. Nunn is associate professor of businesses law, and McGuire is associate professor of accounting and chair of the Department of Accounting and Business Law.