Roadblocks to Reform: The Influence of HIPAA and HITECH on the Affordable Care Act
By Craig B. Garner
Adjunct Professor of Law
Pepperdine University School of Law
April 2013 – When it comes to health care, our nation has reached a crossroads. President Obama’s fledgling Affordable Care Act is a multifaceted, aggressive program designed to overhaul the delivery of health care by effectively restructuring its foundations from the inside out. In doing so, it seeks to reduce the number of uninsured patients who have for so long been a burden to a struggling health care system that must provide medical care as a service while also turning a profit as a business. But such a far-reaching plan has little chance of success if it is forced to evolve while fettered with the restrictions placed upon providers by certain grandfathered programs, most notably the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, we as a nation must now consider whether the ACA’s fundamental mission or patient privacy should rule the day.
Entering its fourth year, the ACA has sharply divided the nation. Detractors paint the program as a misguided crusade of sorts, while supporters welcome what they consider a long overdue attempt to provide care to the millions of uninsured Americans who have for decades taxed the country’s emergency departments and strained such government programs as Medicare and Medicaid. The combination of escalating health care costs and the continuous burden placed upon the system by forcing hospitals to swallow the price tag for treating America’s uninsured has in a sense given reform the justification to wage war on the cost-based health care plans of yesterday, in favor of a more sweeping plan that bases reimbursement on performance and seeks to provide coverage for all. Enacting such a dramatic long-term plan at a time when America’s health care system finds itself in such a precarious state has effectively elevated the subject to a matter of national security and, as a result, any meaningful response to address this crisis must comport with the actions of a nation in times of war.
As in any war, tactical decisions must be made about where and when to strike, and certain basic individual liberties may come into question as focus shifts to the priorities of the country as a whole. History provides plenty of examples from which society can gauge the purported need to temporarily rescind fundamental rights as a means to protect the sovereign nation. Ocean vessels were outright seized during the Civil War, Cuban ports were obstructed during the Spanish-American War, American citizens of Japanese ancestry were subject to detention and relocation during the Second World War, and more recently, the passage of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (also known as the “Patriot Act”) issued what some consider to be questionable changes to the Constitution, sacrificing individual privacy in the name of public safety. While the casualties from reform’s war on behalf of health care bear no resemblance to recent conventional campaigns, it is not too soon for the United States to take drastic measures as a means to resolve the conflicts found at the heart of her slowly evolving new health care program.
When considered from this vantage point, the fundamental premise entrenched within HIPAA and HITECH represents an overwhelming restriction of the ability of health care reform to succeed, as the combined programs prevent the ACA from developing into maturity. Although HIPAA’s early provisions in many ways mirror the spirit of the ACA by protecting health insurance coverage for workers who lose their jobs, its evolution and partnership with HITECH have established national standards for the delivery and sharing of patient health information, the violations of which often lead to Draconian stipulations. The result has been a massive, often crippling price tag for providers, who must adopt new systems and work practices in order to comply or risk incurring civil money penalties ranging from hundreds to millions of dollars.
The most recent HIPAA and HITECH privacy regulations released in January 2013 and affecting almost 700,000 health care entities weigh in at a modest 138 pages. And yet, the costs involved are substantial, and whether or not justification exists must be viewed in the context of a nation struggling to save an industry. Breach notifications may run as much as $14.5 million (in 2011), not including an estimated initial expense of $3.9 million to set up toll-free notification lines. This is but a fraction of the estimated cost to business associates, which could be as high as $150 million once security rule compliance documentation and business associate addendums are included. To notify patients of privacy practices, providers, health insurers and third party administrators may be forced to spend as much as $56 million.
While the above numbers estimate the price tag for the implementation of these new regulations, the burden on industry participants is beyond calculation. The law requires nearly every health care related electronic device to employ encryption algorithms, from a home facsimile or copy machine to all institutional servers. Laptops and other portable devices must default to unreadable ciphertext, a protocol far beyond the ordinary login password, for all intents and purposes marking the end to casual virtual communication. This is compounded by the cost each hospital must pay out of pocket to implement and transition to a new electronic system capable of meeting these new demands, while sequestration compromises the return of these funds.
Separate from the new privacy regulations are the Medicare and Medicaid Programs Electronic Health Record Incentives, stage two of three. The 196-page final rule specifies hospital stage two criteria to qualify for electronic health record incentive payments. Physicians have another set of regulations with which to comply before receiving incentive payments from the Federal Government and, while incentive payments can be as much as $44,000, the future penalty for not participating in the Medicare incentive program can be as high as 3% of all Medicare payments, starting in 2017.
Whether necessary or not, there has been a fundamental shift in the overall expectation of privacy since September 11, 2001. Perhaps it is time for the Federal Government to create a similar paradigm in health care. While the need to protect patient privacy remains extremely important, the ways in which compliance is enforced do nothing short of crippling the power of providers as they focus on their primary goals of ministering to today’s patients while keeping their doors open to serve the patients of tomorrow. In the modern age of reform, the provision of medical care must be administered with a view toward the future, lest the providers themselves become extinct. To successfully do so in the current health care climate calls for a sacrifice of equal measure.
Craig Garner is an attorney and health care consultant, specializing in modern American health care and the ways in which it should be managed in its current climate of reform.