MLG

Keeping Secrets

By: Stuart Markus
Long Island Business News
May 5, 2001

Of all the data that exists about a person, perhaps none is so personal as one's health records. In the electronic age, however, massive amounts of sensitive patient information can routinely and easily be transmitted and accessed.

New federal rules are aimed at keeping that private information from falling into the wrong hands - but they come at a cost.

The regulations are designed to prevent a variety of potential abuses - from computer hackers breaking into hospital records for blackmail purposes, to bosses firing employees who might be an insurance liability and cause the company's premiums to go up.

"It's a consumer protection legislation, designed to let us (the patients) decide who sees what," said Roni Glaser, an attorney with Meltzer, Lippe, Goldstein and Schlissel.

In its waning days, the Clinton Administration issued the patient privacy component of the federal Health Insurance Portability and Accountability Act. After some review, new Health and Human Services Secretary Tommy Thompson two weeks ago announced the Bush Administration would let the rules stand, albeit with a bit of extra time for comment.

The new guidelines, which phase in over two years, apply to any health care provider that uses electronic means to send or receive patient information, including billing and payment information - in other words, nearly all. The overall cost of compliance nationwide has been estimated at $18 billion.

On Long Island, the impact will vary, depending on whether the health care provider already has privacy mechanisms in place.

At North Shore-Long Island Jewish Health Center, the Island's largest health care provider, corporate compliance officer Chantal Weinhold said the new rules are largely a codification of policies and practices already in place.

"Privacy has always been a very important element to the provision of health care ... it's part of our everyday business," Weinhold said. A review of how closely current practice hews to the new law was begun well before Thompson made his announcement, and it's now two-thirds done.

Among the new requirements is a standardized consent form requiring patients to give permission for doctors, nurses and other personnel to write or talk to their colleagues about a patient's case, on an as-needed basis. "Patients will be getting a lot more explanations," Weinhold said.

Of concern, though, is whether such paperwork and the fear of penalties for non-compliance will impede the efficiency of treatment. "These are areas (where) we're going to need further clarification on the intent of the regulations," she added. "I have to believe the intent is not to hurt our ability to deliver care."

Glaser said hospitals and medical offices that deal with outside vendors or associates will have to update the contracts with those partners to include language that they, too, will agree to uphold patient confidentiality.

Other documents now mandated - and probably needing a lawyer's touch - include a notice to patients of the facility's privacy practices and revisions to staff by-laws.

One large question mark remains: the requirements for computer security have not yet been issued.

At North Shore-LIJ, "We're constantly upgrading our systems to make them compatible with best practices," Weinhold said.

That's not necessarily the case with smaller health practices, where operations are typically a lot less formal.

Robert Callaghan, chairman of the New York State Association of Health Care Providers, says a lot of his members are bracing for the impact. The cost of compliance nationwide for the home health care industry alone has been estimated at $72.6 million initially and $450 million over 10 years.

"Most of these providers are small businesses, so they do become rather burdensome," said Callaghan, who is also president of New York Nursing Care, a Hauppauge-based home-health care agency.

Many of those businesses will have to hire consultants to upgrade their computers or install new, security-enhanced software systems, Callaghan said.

He is more worried about the cost of training his 200 full- and part-time nurses and health care workers to comply with the new modus operandi. "We just got the first proposal in the mail," he said, explaining that his agency has not yet set up a budget for the cost of compliance. The statewide association, which represents 600 health-care offices, is also looking into setting up its own training programs.

Other concerns are the time requirements to process the new paperwork and the prospect that new regulations will become "a floor upon which a state can build other regulations ... everybody jumps in on the bandwagon."

Glaser, who specializes in health care law, acknowledged, "This is not without cost ... but they have two years to do it in. It's very doable if they start now."