
Director of health information management products and services for the American Health Information Management Association (AHIMA) in Chicago since 1996, Rhodes followed a career path that, while winding through the different physical locations of Texas, Oklahoma and Illinois, never strayed from medical record administration and the utilization practices industry. From his first post in a small, 55-bed, country hospital to a later position in a large, 500-bed teaching facility, and a college teaching stint as adjunct professor of medical terminology somewhere in between, Rhodes has been involved with health information from various vantage points, and has come to know the challenges and opportunities each presents as a result. He also has served as an independent consultant and in state and national associations, all the while helping to administer health information and ensuring that improvements benefited the clinical environment as well. "I'm very much the generalist," he says, but a generalist whose knowledge and experience shed significant light on the issues facing the healthcare and information industries as they struggle to comply with the Health Insurance Portability and Accountability Act (HIPAA), signed into law by President Bill Clinton in August 1996.
Rhodes remembers the pandemonium that reigned in the '80s when DRG (diagnostic-related groups) coding was first proposed. He also compares the hullabaloo over HIPAA to the doomsday predictions of Y2K. "I'm not saying [complying with HIPAA] is not hard," he commented during his recent interview with Medical Imaging, "but this is better than what we went through with Y2K. With Y2K the only benefit we hoped to achieve was to not crash. With HIPAA, we are actually going to get something back."
What is the essence of HIPAA? And what is its purpose?
HIPAA is a small part of something else. The Health Insurance Portability and Accountability Act that was signed into law in August 1996 had several intents: to improve the portability and continuity of health insurance coverage; to combat fraud and abuse; to promote the use of medical savings accounts; to improve access to long-term care; and, under subtitle F, to achieve Administrative Simplification. When people say "HIPAA," that's the part they mean.
Essentially, HIPAA's purpose is to encourage standardization. HIPAA also requires that, wherever possible, existing standards be used, and they've done a very good job up until now of not creating any new standards.
There are quite a few pieces to this Administrative Simplification: one is transactions; another one is code sets, such as DRG (diagnostic-related groups) coding. Others are unique identifiers for the employer and the individual patient, security, electronic signatures and privacy.
Another one is electronic signatures. There are quite a few initiatives to develop digital signatures: signatures that use the public key infrastructure (PKI), private key encryption code. Here again, the government is trying to get everyone to use the same electronic signature standard throughout the country. Your electronic digital certificate would allow you to sign any document on any file because there is an agreed-upon standard.
There are 28 state laws that address privacy, and all are different. Some say only that the patient's record must be protected but don't issue guidelines on how to do that. Others spell out details. Another 24 states don't have any kind of privacy rules. By coming out with these privacy regs (released Dec. 20, 2000), there will be one standard for privacy throughout the country. And it will be the same thing with security.
Whom does HIPAA affect?
The Administrative Simplification part affects all health plans, all healthcare clearinghouses, all healthcare providers who transmit information in connection with treatment, payment or healthcare operation. Additionally, the privacy regs require that your business partners, including vendors and repair people, sign agreements to follow your business practices. Equipment vendors [are included] because if you buy a piece of equipment, it has to comply with the standards for security and privacy. If vendors or others come in and do repairs, you have to make sure that the technicians understand your privacy and security rules, that their access is limited to what they need to do and that you will monitor what they access.
What are healthcare providers' biggest concerns?
Clearly they are cost, administrative burden and compliance, as well as how much all this is going to cost to make sure that they have all these policies in place, that the policies are enforced and that the equipment has the technology to do things such as encrypt files, control access or perform security audits.
The privacy regs require that you set up privacy boards, that you hire a privacy officer, that you hire a security officer, that you have a mechanism in place that allows patients and the general public and your employees to complain about your privacy practices. They require that all health plans send a copy of their privacy practices to the people enrolled in their plans on a regular basis. A hospital or clinic has to make patients aware of their privacy rights and allow them to review their records and correct them. That will take staffing, new equipment, new technology.
A Blue Cross & Blue Shield study indicated that implementing HIPAA as a whole package is going to cost the country $42 billion nationwide. DHHS says implementing the privacy regulations will cost between $1.8 billion and $6.3 billion over five years.
Remember, all of HIPAA is based on existing standards. If organizations have been keeping up their standards, on ASTM (American Society for Testing and Materials), on HL7, and they have their privacy and security regs up to the national acceptable standard, they are going to have less of a problem than organizations that have not been following standards all along. The reason this projection varies between $1.8 billion and $6.3 billion is because no one is quite sure where facilities stand. A study by the American Hospital Association (AHA) predicts that implementing the privacy rules will require closer to $22 billion; that's almost 3 1/2 times the most expensive DHHS prediction.
And that dovetails into the second thing: the administrative burden. Suddenly, there are new responsibilities. You have to provide security and privacy training to your staff on a regular basis; you must have them sign nondisclosure agreements; you have to enforce security in your facility; you have to hire people who will perform audit trails and, if they find somebody who has breached patient confidentiality, will take action against them. Any new piece of equipment has to be looked at from a privacy and security point of view.
The third thing is compliance. Some of these guidelines are merely that: guidelines. When the final rules come out, people will be surprised that the government is not demanding, "You do this."
Please refer to the February 2001 issue for the complete story.