Abstract
A review of the current challenges, trends and initiatives around the various regulations as related to Health Informatics in the United States is presented.
A summary of the functions in a workflow-based approach follows, organized into the process and compliance for HIPAA, secure email and fax communications interfaces, e-prescriptions, patient safety, and the health information technology savings claims versus costs:
HIPAA compliance is complex; data interoperability and integration remains difficult.
Email and faxing are possible with current off-the-shelf technologies within the purview of the HIPAA Security and Privacy Rule.
Integration of e-prescribing and NPI data is an area where health informatics can make a real difference.
Medical errors remain high.
There are no real savings yet from the usage of health information technologies; the costs for implementation remain high, and the business model has not evolved to meet the needs.
Health Information Technology (Health IT) projects continue to have a significant failure rate; Open Source technologies are a viable alternative both for cost reduction and scalability.
A discussion on the macro view of health informatics is also presented within the context of healthcare models and a comparison of the U.S. system against other countries.
Keywords: HIPAA, health care informatics, risk, security, ROI, savings, email, fax, e-prescribing, NPI, errors, adverse events, open source
Introduction
One editorial observer noted that the Health Insurance Portability and Accountability Act (HIPAA)1 was “Health Care’s Giant Hairball” 2 after Gordon MacKenzie’s observation of the layering and addition to bureaucracy in his book ‘Orbiting the Giant Hairball’, where he notes that “every new policy (or regulation, system, procedure or form) is another hair for the hairball. Hairs are never taken away, only added.” The corporate and bureaucratic ecosystem around the hairball is “a Gordian Knot of corporate normalcy.”
This paper is a review of the current challenges, trends and initiatives around the various processes and regulations, as related to Health Informatics, and is organized into the process and compliance for HIPAA, secure email and fax communications interfaces, e-prescriptions, the national provider identifier, patient safety, the health information technology savings claims versus costs and a summary discussion.
The secure portability and accountability of patient and insurance information requires the increased use of information technologies. However, the U.S. healthcare system has several disparate components: Medicare, Medicaid, private insurance, VA and government insurance, out-of-pocket and uncompensated care. A macro-informatics view with the healthcare informatics workflow as the centralized component, and related components either using the workflow or affecting it, is shown in Figure 1 below:
Figure 1.
Critical components in health informatics from a ‘use-case’4 perspective.
HIPAA as Workflow
The Administrative Simplification (AS) section of HIPAA, passed in 1996 by the U.S. Congress, primarily mandates the use of standardized electronic data interchange for healthcare transactions between providers, insurers and employers. The Security and Privacy Rule of HIPAA protects patient information and, in some instances, physician information. A representative workflow is the Healthcare Provider—Payer workflow as shown in Figure 2 below:
Figure 2.
Provider-Payer Workflow, derived from.3
Radiology informatics has remained distinct from textual informatics owing to its image content. Another example workflow for secure data transactions for a Radiology workflow is shown in Figure 3 below utilizing the “Use Case” technique as described in the Unified Modeling Language.4
Figure 3.
Radiology Workflow for secure HIPAA data.5
HIPAA compliance is complex from a data perspective: the interoperability and data mapping standards identified by the Healthcare Information Technology Standards Panel (HITSP), which is sponsored by the American National Standards Institute (ANSI)6 are as follows:
ICD-9-CM
CPT
HCPCS
ASTM E1239-04—Standard Practice for Description of Reservation/Registration-Admission, Discharge, Transfer
ICD-10-CM
ICD-10-PCS
HL7 V2.X (for messaging)
HL7 V3 Clinical Document Architecture (CDA) for text reports
LOINC®
SNOMED CT®
National Council for Prescription Drug Programs (NCPDP) for pharmacy
National Drug File Reference Terminology (NDFRT)/RxNorm for formulary
HIPAA Compliance and Case Studies
General guidelines for HIPAA compliance in the “Seven Habits” format7 are as follows:
Document the policy and control environment.
Assign appropriate oversight of compliance management.
Require personnel screening and access control.
Ensure compliance through training and communication.
Implement regular control monitoring and auditing.
Consistently enforce control environment.
Prevent and respond to incidents and gaps in controls.
A HIPAA compliance case study8 of Sharp Healthcare, with 2,600 physician offices and 400 IT applications serving nearly 3 million San Diego county residents, found that 40% to 70% of the users of its various IT systems were not employees, which directly affected the access control process of the systems involved as per the HIPAA Privacy and Security Rules. The HIPAA Security Rule guidelines used during this study were:
Information System activity review
Termination procedures for user accounts
Information access management
Access establishment, modifications
Access controls
Audit controls, initiated by management
A well-publicized security breach of the Kaiser Permanente internet patient portal exposed the shortcomings within organizations with direct consequence for the HIPAA Security and Privacy Rule.11 Lessons learned from this case study:
Complex, tightly-coupled computer systems aggravate security issues.
Security training is necessary but not sufficient to prevent breaches, due to individual errors.
Security issues may signify broader organizational weaknesses.
Good information management and standard operating procedures are as important as the regulatory forcing of security issues.
Even homogenized healthcare systems like the British National Health Service (NHS) are not spared from the challenges in implementing new information technology systems: The £13 billion overhaul of the NHS has run into several problems in emergency, primary, outpatient, cancer and child-abuse care departments. The number of complaints regarding medical errors and delays has more than doubled from 5,500 in 2006 to over 14,000 in 2007.53 Recent NHS problems with smartcards and integration into the Cerner Corporation (Kansas City, KS) Millennium Release 1 Care Records Service have also been reported.54
From the case studies noted above, it can be inferred that Healthcare Compliance is cumbersome and complex, especially for integrating diverse monolithic systems, where data interoperability and data scrubbing is an ongoing quality issue. A little investment in domain expertise can go a long way. A good example of HIPAA risk workbooks and compliance checklist templates is the HIPAA outreach effort of the University of Wisconsin.10
Communications Systems Compliance
The two critical communications components in any health informatics system that need to pass muster with the HIPAA Privacy Rule are email and facsimile (fax) systems. A HIPAA security perspective of these components is presented below:
Secure email
Secure email messaging is a critical component of HIPAA compliance, specifically for electronic Protected Health Information (ePHI). Transport protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and document formats such as the Portable Document Format (PDF), which is now an ISO standard, are readily available for integration into email and other electronic messaging applications.12
Secure faxes
The drawbacks of traditional paper-based faxing technologies as a HIPAA compliance risk are summarized13 with the following advantages of electronic or internet-based faxing:
Elimination of paper faxes, reducing the risk of data being seen or copied by unauthorized personnel to almost zero;
Elimination of the risk of a paper fax being delivered to the wrong person or being thrown away inadvertently;
The ability to store every fax electronically; either on the user’s PC or a password-protected network server, assuring there is always a copy of important information;
Availability of 128-bit encryption and SSL when transmitting and receiving documents through the secure server method;
Greater accessibility to the information when the fax owner is off-site;
Easy integration with document management applications, eliminating the need to scan paper documents while making information more accessible to auditors and other authorized personnel.
Since TLS, SSL and PDF technologies are readily available and easily integrated with existing infrastructures, secure email and faxing are possible with current ‘off-the-shelf’ technologies within the purview of the HIPAA Security and Privacy Rule.
e-Prescribing and the National Provider ID
The e-Prescribing initiative, a section of the Medicare Improvements for Patients and Providers Act of 200814 and the National Provider Identifier (NPI) database15 are critical pieces of the electronic healthcare workflow.
Electronic prescribing (e-prescribing) is the use of an automated data entry system to generate a prescription for pharmaceutical drugs, rather than the current paper-based system.16 The per-seat cost for e-prescription systems in 2006 was approximately $1,500 to $3,000 with a monthly service fee of about $50.16
Since HIPAA mandated the adoption of standard unique identifiers for health care providers and health plans, the U.S. Government Department of Health and Human Services (HHS), through the Centers for Medicare and Medicaid Services (CMS) developed the National Plan and Provider Enumeration System (NPPES). All healthcare organizations should have complied as per this mandate by May 23, 2008. The NPI is a critical component17 of NPPES which:
Stipulates a 10-digit numeric identifier with a check digit,
Establishes that the National Provider System (NPS) will be the system to assign unique numbers to health care providers, and
Defines implementation specifications for Health Care Providers which must obtain an NPI and use it on standard transactions; Health Plans and Health Care Clearinghouses which must use the NPI to identify health care providers on standard transactions where the health care provider’s identifier is required.
This is another area where health informatics can make a real difference toward the speed and quality of the transactions.
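An added example (not from the paper and not CMS code) of checking the NPI's check digit before a provider identifier is accepted into a standard transaction. It assumes the published NPI convention of a Luhn check digit computed over the nine identifier digits prefixed with 80840; the record layout, field names and reason strings are constructed for illustration.

```python
import re

# Prefix prepended before the Luhn calculation: "80" (health applications)
# followed by "840" (United States). Assumed per the NPI check-digit convention.
NPI_PREFIX = "80840"
# ASCII digits only: \d would also accept other Unicode digit characters.
TEN_ASCII_DIGITS = re.compile(r"[0-9]{10}")


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a digit string that excludes it."""
    total = 0
    # Walk right to left; the rightmost payload digit is the first one doubled.
    for index, char in enumerate(reversed(payload)):
        digit = int(char)
        if index % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9  # same as adding the two digits of the product
        total += digit
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for the nine identifier digits of an NPI."""
    if not re.fullmatch(r"[0-9]{9}", first_nine):
        raise ValueError("expected exactly nine ASCII digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def screen_npi(value) -> str:
    """Return 'ok' or the reason a provider identifier is rejected."""
    if not isinstance(value, str):
        return "not-a-string"
    if len(value) != 10:
        return "wrong-length"
    if not TEN_ASCII_DIGITS.fullmatch(value):
        return "non-digit"
    if npi_check_digit(value[:9]) != int(value[9]):
        return "bad-check-digit"
    return "ok"


def screen_batch(records) -> dict:
    """Map each transaction id to the screening result of its provider id."""
    return {rec["txn"]: screen_npi(rec.get("provider_id")) for rec in records}


# Constructed sample records; "txn" and "provider_id" are hypothetical fields.
SAMPLE = [
    {"txn": "T1", "provider_id": "1234567893"},  # well formed
    {"txn": "T2", "provider_id": "1234576893"},  # two adjacent digits swapped
    {"txn": "T3", "provider_id": "1234567890"},  # last digit mistyped
    {"txn": "T4", "provider_id": "123456789"},   # check digit missing
    {"txn": "T5", "provider_id": "12345678 3"},  # embedded space
    {"txn": "T6", "provider_id": None},          # field absent
]

if __name__ == "__main__":
    for txn, result in screen_batch(SAMPLE).items():
        print(txn, result)
```

A passing check digit only shows that the identifier is well formed; whether it was actually issued still has to be confirmed against NPPES.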
Medical Errors and Adverse Events
One issue within health informatics that has yet to gain critical mass is the reporting and auditing of clinical, medical and billing errors in health care systems within the context of patient and insurance information. From the 2008 report of the American Hospital Association (AHA), there are more than 5,700 registered hospitals in the U.S.26
The HealthGrades Patient Survey18 studied over 40 million Medicare hospitalization records at approximately 5,000 hospitals between 2003 and 2005. The results, specifically for Medicare data, were disturbing: 1.16 million patient safety incidents (2.86% incidence rate) and approximately 250,000 preventable deaths and excess costs of $8.6 billion. Extrapolating it to the overall U.S. healthcare numbers (Medicaid, private insurance and VA), this is troubling, to say the least.
Two error reporting studies were conducted by the American Academy of Family Physicians (AAFP) National Research Network (NRN), in which 1265 medical errors were voluntarily reported by more than 440 primary care clinicians and staff from 52 physician offices. The analysis suggests that patients with complex health issues are vulnerable to more severe outcomes.19 Of the total error reports related to medications, 194 were analyzed: 70% of the medication errors were prescribing errors, while medication administration errors and documentation errors each constituted about 10% of the total.20
After recent, high-profile drug reactions and interactions,21 the Food and Drug Administration (FDA) is publicizing three ‘road-map’ initiatives:
MedWatch, the FDA safety information and Adverse Event Reporting (AER) program, with a quarterly safety report,22
Sentinel, “a national, integrated, electronic system for monitoring medical product safety”23, and
Be smart about Prescription Drug Advertising, a consumer awareness website with examples of different “direct to consumer” (DTC) advertising examples.24
ROI and the Savings Argument
Electronic healthcare records are the cornerstone argument for better HIPAA compliance. The Return on Investment (ROI) and savings arguments have been touted for implementing health information technologies using best practices. Most of the recommendations—client/server, standard operating procedures, anti-virus systems, accounts and role management, wireless LAN, backups, audit and logging, audits and quality practices—are standard IT infrastructure improvements that are providing marginal improvement outside the HIPAA context.27
The glass half full
The eHealth Initiative, a U.S. non-profit organization that promotes health informatics policy advocacy and informal lobbying for health informatics initiatives, released the results of its fifth annual survey on 11th September, 2008.28
The survey included 130 community-based initiatives in 48 states. The survey created seven stages of a Health Information Exchange (HIE) “initiative”: Stage 1 was recognition of health informatics as a concept and Stage 7 was a “fully” operational organizational HIE. Stages 1–4 are defined as pilot-stage projects, whereas Stages 5–7 are post-pilot “operational” projects.
The number of operational sites (stages 5–7) in the survey increased by 31% from the number in 2007, with stronger participation by providers, payers, patients and public health partners.
The glass half empty
Even the eHealth Initiative acknowledges that 82% of all respondents and 72% of operational initiatives responded that a sustainable business model was “very” or “moderately” difficult to accomplish.
In a statement to Congress, Peter Orszag, Director of the Congressional Budget Office (CBO), presented the analysis “Evidence on the Costs and Benefits of Health Information Technology” on July 24, 2008.29 This study directly contradicted the widely quoted RAND Corporation30 2005 report, which projected an annual savings estimate of $77 billion using health information technologies.
The argument of the CBO study was that technology on its own would not affect the savings equation, primarily due to the hard numbers: as of late 2006, only 11% of physicians and 12% of all hospitals in the United States have adopted health information technology systems (defined as electronic documentation of providers’ notes, electronic viewing of laboratory and radiological results, electronic prescribing, computerized physician order entry, clinical decision support, and interoperability).
Large medical practices adopt health information systems at a faster rate: only 16% of smaller physician practices have “some sort of” health information system versus about 38% of larger practices and organizations.29
Therefore, the commercial Personal Health Record (PHR, used interchangeably with electronic Health Record, eHR and Electronic Medical Record, EMR) initiatives and their features by Microsoft31 and Google32 are called into question, at least for the near future, for their integration to the various existing health information systems and promise of data security, in accordance with the HIPAA regulation. Neither system includes a HIPAA Security and Privacy compliance statement.31,32
Risks, Costs and “Open-Source”
Most health information systems do not meet their goals as originally envisioned.33 The definition of success and failure needs to be better defined and quantified using Risk Analysis and software Validation and Verification.34
A common theme of failures in Health IT projects is the “Design-Reality gap.”33 The issues that create these gaps between design and reality are: Information, Technology, Process, Objectives and values, Staffing and skills, Management and Other resources. Another important context for each of the issues for the Design-Reality gaps is the Hard-Soft gap—the hard rational design perspective that is standards- and metrics-based versus the soft political reality. Modularity in the planning process—that considers the risks and plans for the gaps, both Design-Reality and Hard-Soft—is a key success metric.33
One of the largest risk factors for a PHR system is data sharing. Santa Barbara County, CA, faced most of the issues discussed here: cost, ROI, integration, back-up, maintenance, training and lost productivity during overlap and operation. The Santa Barbara County Care Data Exchange had to be shut down. However, the data exchange platform of the Regenstrief Institute in Indiana has succeeded because 70% of the state uses it.35 The U.S. Census Bureau shows the Santa Barbara county, CA, population in 2006 to be about 400,000, as compared to the population of San Diego county, CA, about 3 million—the same as the state of Iowa.
A PHR system for small group and single practice physicians costs $44,000 per physician, and has an estimated annual average ongoing cost of $8,500, the American College of Physicians President Lynne Kirk, MD, told the Subcommittee on Regulations, Healthcare and Trade of the House Committee on Small Business in October 2007, adding that the business case does not exist to make this kind of capital investment.
The current Microsoft and Google PHR systems, in post-Beta stage, are negotiating with hospitals and insurance companies, but have not disclosed a revenue model. This raises the question of the most plausible revenue model: pharmaceutical drug and device advertising.
Since planning, implementation and maintenance costs remain the largest hurdle for funding and sustaining health informatics systems, the Open Source movement is a valid alternative to contain costs for health informatics implementation.36
There is a vast amount of free-text information with confidential patient and physician information in nursing notes, discharge summaries and radiology reports. This confidential patient and physician information needs to be “de-identified” (obfuscated), and a method is needed for correlating the specific file back to the de-identified information, the reverse process. Larger healthcare institutions average several terabytes (10^12 bytes, TB) of annual data. This results in an average free-text data processing rate of about 20 MB per day. The HIPAA Privacy Rule defines two methods to “deidentify” health information; both require electronic processing:
Remove 18 specific identifiers for an individual: Names, Geographic identifiers, dates, telephone numbers, Fax numbers, email addresses, SSN, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, VIN and license plate numbers, device IDs or serial numbers, web URLs, IP addresses, biometric IDs, full face photographs and any unique ID.1
Use a qualified professional to determine the risk involved in the deidentification process and document the methods and justification for this opinion.1
A good example of an open-source software program is the free-text deidentifier37 Perl38 program called “deid”39. The ‘deid’ program processes about 10 MB per hour of free-text data with an average recall performance of 0.967. This software is released under the GNU Public License Version 2.40
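An added illustration (not the ‘deid’ program and not code from the paper) of the two halves described above: scrubbing pattern-detectable identifiers from free text, and keeping a key that reverses the process. The patterns, token format, sample note and gold list are constructed for this example; it covers only a few of the 18 identifier categories and has no name detection, which is why its recall on the sample is below 1.

```python
import re

# (label, pattern) pairs, applied in order so that more specific shapes are
# consumed first. Every format here is an assumption made for this example.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r'\bhttps?://[^\s<>"]+')),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
    ("MRN", re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)),
]
TOKEN = re.compile(r"\[\[[A-Z]+-\d+\]\]")  # surrogate format, e.g. [[DATE-1]]


def deidentify(text: str):
    """Return (scrubbed_text, key); key maps each surrogate to its original."""
    if TOKEN.search(text):
        # A note that already contains surrogate-shaped text could not be
        # reversed unambiguously, so refuse it instead of guessing.
        raise ValueError("input already contains surrogate tokens")
    key = {}       # surrogate -> original value (the re-identification key)
    seen = {}      # (label, original) -> surrogate, so repeats stay linked
    counters = {}  # label -> number of distinct values seen so far

    def substitute(label):
        def _replace(match):
            original = match.group(0)
            token = seen.get((label, original))
            if token is None:
                counters[label] = counters.get(label, 0) + 1
                token = f"[[{label}-{counters[label]}]]"
                seen[(label, original)] = token
                key[token] = original
            return token
        return _replace

    for label, pattern in PATTERNS:
        text = pattern.sub(substitute(label), text)
    return text, key


def reidentify(scrubbed: str, key: dict) -> str:
    """Reverse process: restore originals for surrogates present in the key."""
    return TOKEN.sub(lambda m: key.get(m.group(0), m.group(0)), scrubbed)


def recall(scrubbed: str, gold) -> float:
    """Fraction of known identifiers that no longer appear in the output."""
    if not gold:
        raise ValueError("gold list must not be empty")
    removed = [item for item in gold if item not in scrubbed]
    return len(removed) / len(gold)


# Constructed sample note and the identifiers a human annotator would mark.
NOTE = (
    "Discharge summary for John Doe, MRN: 00123456, seen 03/14/2008.\n"
    "Call (555) 010-4477 or fax 555-010-4478; email jdoe@example.org.\n"
    "SSN 000-12-3456 on file. Portal: https://portal.example.org/p/991\n"
    "Follow-up 03/14/2008 confirmed from 192.0.2.17.\n"
)
GOLD = [
    "John Doe", "00123456", "03/14/2008", "(555) 010-4477", "555-010-4478",
    "jdoe@example.org", "000-12-3456", "https://portal.example.org/p/991",
    "192.0.2.17",
]

if __name__ == "__main__":
    scrubbed, key = deidentify(NOTE)
    print(scrubbed)
    print("recall:", round(recall(scrubbed, GOLD), 3))
    # The key re-identifies every record, so it is stored apart from the
    # scrubbed text and under its own access control.
    print("round trip ok:", reidentify(scrubbed, key) == NOTE)
```

The missed name is the point of measuring recall: every identifier that survives scrubbing is a disclosure, so a de-identifier is judged first on what it fails to remove.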
Another open-source protocol and application available for secure communications is the public-private key infrastructure called GNU Privacy Guard (GPG)41 that can be easily integrated into messaging infrastructures. “Single Log-on” technologies like the Mayo Clinic case study42 could be implemented using OpenLDAP43 architecture within existing infrastructures. A comprehensive (non-moderated) list of open source health care software is available through Wikipedia.44 Open-Source currently faces a perception and user-facing-interface problem, which could be easily overcome since most applications nowadays are web-centric. The Health informatics community should be wary of the recent web-centric phrase du jour: “Cloud Computing” and avoid its allure over the next few years. Risk and business requirements need to drive the solution, not the technology.45 Caveat emptor.
Healthcare Economic Models
An illuminating contrast of the healthcare expenses versus outcomes is the U.S. versus OECD (Organisation for Economic Co-operation and Development) country averages, 2004 data (updated 2007):56
U.S. Healthcare expenses and metrics
Healthcare spending per capita: $6,102 (2.5 × OECD country average)
Outpatient care spending per capita: $2,668 (3.5 × average)
Healthcare outcomes
Acute care beds per 1000: 25th out of 28 OECD countries
Death rate from medical errors: 3rd highest of OECD countries
Infant mortality rate: 3rd highest of OECD countries
It is evident from the macro-economic health models above that the U.S. healthcare model is a piece-meal patchwork of all the models used around the world. What is surprising, and contrary to the increasing uninsured46 and under-insured population47, is that the combined income of the 50 largest “non-profit” hospitals in the U.S. (as defined by the American Hospital Directory) has grown from about $544 million in 2001 to about $4.27 billion, primarily due to a more than 160% mark-up of costs in 2005 (a 60% increase since 2000)48. Uncompensated care was 2% of the total number of patients covered by this total income. U.S. Senators, led by Iowa Senator Charles Grassley (R), are mounting pressure on the tax-exempt status of the non-profit hospital industry after several investigative newspaper reports.49,50
A consensus from the discussion with the thought-leaders in the field from various countries on the path forward for the U.S. healthcare system:55
Universal coverage—Medicare for everyone (long-term coverage not included)
Remove for-profit competition among insurers and hospitals
Adjust risk for coverage from a pool of funds weighted toward ability to pay
Firm price controls (for doctors, drugs and paperwork)
If there are critical snags, get the doctors, nurses, hospital administrators and pharmaceutical industry at one table and provide deadline to resolve the issue—otherwise government decides
The Healthy Americans Act51 proposed by the U. S. Congress and Senate for 2009 is a self-funded step in the right direction toward stitching together the disparate healthcare models.
A common standards platform for healthcare data recorded and exchanged during clinical trials is another area of amalgamation of the Clinical Data Interchange Standards Consortium (CDISC)52 with HIPAA.
Conclusion
From the above sections, the “take-home” message follows:
HIPAA Compliance is complex, especially for integrating diverse monolithic systems, where data interoperability and data scrubbing is an ongoing quality issue. A little investment in domain expertise can go a long way.
Email and faxing are possible with current off-the-shelf technologies within the purview of the HIPAA Security and Privacy Rule.
Integration of e-prescribing and NPI data is an area where health informatics can make a real difference.
The reporting of medical errors and adverse events needs continued input from the public, watchdog groups and whistle-blowers.
There are no real savings yet from the usage of health information technologies; the costs for implementation remain high, and the business model has not evolved to meet the needs.
Health Information Technology (Health IT) projects have a significant failure rate like traditional IT projects and a disciplined risk mitigation along with standardized software validation and verification would reduce the failure rate. Open Source technologies are a viable alternative both for cost reduction and scalability.
It should be noted that Health informatics technologies are powerful tools toward a solution, but not the solution itself. These tools are chipping away slowly at a fundamentally and systemically flawed health care system. No large hoorays yet, but there is definite hope.
Figure 4.
The healthcare macro-models as related to the US healthcare system, derived from.55
Footnotes
Disclosure
The author reports no conflicts of interest. The author has no disclosures or affiliations to any companies mentioned in this article.
References
- 1. HIPAA http://www.hhs.gov/ocr/hipaa/ last visited Sep 2008.
- 2. Valancy J. Health Care’s Giant Hairball. Family Practice Management. 2007 Apr;14(4):58.
- 3. Beach J, et al. Operational Impacts of Administration Simplification; proceedings from HIPAAWest Summit; June 2001; http://www.ehcca.com/presentations/HIPAAWest2/1_06.pdf. last visited Sep 2008.
- 4. Grady Booch, Ivar Jacobson, Jim Rumbaugh. OMG Unified Modeling Language Specification, Version 1.3. First Edition Mar, 2000.
- 5. Synder AM, Weaver AC. The e-Logistics of Securing Distributed Medical Data. University of Virginia publication; Jan, 2006. http://www.cs.virginia.edu/∼acw/security/doc/Publications/e-Logistics%20of%20Securing%20Medical%20Data.pdf last visited, Sep 2008.
- 6. Health Information Technology Standards Panel. Healthcare Information Technology Standards Panel Technical Committees: Selected Standards. Jun 29, 2006. pp. 1–24. Version 2.0.
- 7. Rasmussen Michael, et al. Seven habits of highly effective compliance programs. Forrester Research publication; Jul 12, 2005.
- 8. Linda Hill. How automated access verification can help organizations demonstrate HIPAA compliance: a case study. Journal of Healthcare Information Management. 2(2):116–22.
- 9. Code of Federal Regulations 45 CFR Part 5b.
- 10. University of Wisconsin HIPAA page http://www.wisc.edu/hipaa/ last visited Sep 2008.
- 11. Collmann J, Cooper T. Breaching the Security of the Kaiser Permanente Internet Patient Portal: the Organizational Foundations of Information Security. Journal of the American Medical Informatics Association. 2007 Mar-Apr;14(2):239–243. doi: 10.1197/jamia.M2195.
- 12. Janacek B. Secure messaging in healthcare. Tech solutions for HIPAA-compliant messaging. Journal of American Health Information Management Association. 2008 Jun;79(6):50–51.
- 13. Adams S. FAXING: The HIPAA Risk That Hides in Plain Sight. Immediate Care Business. Apr 24, 2008. http://www.immediatec-arebusiness.com/cms/CMScomments.asp?articleid=186730 last visited Sep 2008.
- 14. http://waysandmeans.house.gov/media/pdf/110/pdfcp.pdf.
- 15. NPI https://nppes.cms.hhs.gov/ last visited Sep 2008.
- 16. Saransohn K, Holt M. The Prescription Infrastructure: Are We Ready for ePrescribing? prepared for the California Healthcare Foundation by First Consulting Group; Jan, 2006. http://www.chcf.org/documents/healthit/ThePrescriptionInfrastruc-tureReadyForERx.pdf.
- 17. HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers. Final Rule. Jan 23, 2004. 45 CFR Part 162.
- 18. Health Grades Fourth Annual Patient Safety in American Hospitals Study. Apr, 2007. http://www.healthgrades.com/media/DMS/pdf/PatientSafetyInAmericanHospitalsStudy2007.pdf last visited Sep 2008.
- 19. Philips RL, et al. Learning From Different Lenses: Reports of Medical Errors in Primary Care by Clinicians, Staff, and Patients: A Project of the American Academy of Family Physicians National Research Network. Journal of Patient Safety. 2006 Sep;2(3):140–6.
- 20. Kuo GM, et al. Medication errors reported by US family physicians and their office staff. Quality and Safety in Health Care. 2008;17:286–290. doi: 10.1136/qshc.2007.024869.
- 21. Johnson A, Winslow R. Drug Makers Say FDA Safety Focus Is Slowing New-Medicine Pipeline. Wall Street Journal. 2008 Jun 30.
- 22. MedWatch http://www.fda.gov/medwatch/ last visited Sep 2008.
- 23. Sentinel http://www.fda.gov/oc/initiatives/advance/sentinel/ last visited Sep 2008.
- 24. Drug Advertising http://www.fda.gov/cder/ethicad/index.htm last visited Sep 2008.
- 25. http://www.cspinet.org/integrity/ last visited Sep 2008.
- 26. Fast Facts, American Hospital Association 2008. http://www.aha.org/aha/content/2007/pdf/fastfacts2007.pdf last visited Sep 2008.
- 27. Younger C. Maximizing the Return on Investments in Information Technology by Incorporating Best Practices. Journal of Healthcare Information Management. 18(2):50–58.
- 28. eHealth Initiative Fifth Annual Survey of Health Information Exchange at the State and Local Levels. Sep, 2008. http://www.ehealthinitiative.org/2007HIESurvey/2008StateOfTheField.mspx last visited Sep 2008.
- 29. Congressional Budget Office. Evidence on the Costs and Benefits of Health Information Technology. Jul 24, 2008. Testimony and Statement of Peter R. Orszag before the Subcommittee on Health, Committee on Ways and Means, U.S. House of Representatives.
- 30. Federico G, Meili R, Scoville R. Extrapolating Evidence of Health Information Technology Savings and Costs. Santa Monica, Calif: RAND Corporation; 2005.
- 31. Microsoft HealthVault. http://www.healthvault.com/ last visited Sep 2008.
- 32. Google Health. https://www.google.com/health last visited Sep 2008.
- 33. Heeks R. Health information systems: Failure, success and improvisation. International Journal of Medical Informatics. 2006 Feb;75(2):125–137. doi: 10.1016/j.ijmedinf.2005.07.024.
- 34. IEEE. IEEE Standard for Software Verification and Validation. IEEE Std 1012-2004. 2005 Jun 8.
- 35. Kolbasuk McGee M. Why Progress Toward Electronic Health Records Is Worse Than You Think. Information Week. May 28, 2007. http://www.informationweek.com/news/infrastructure/showArticle.jhtml?articleID=199702199.
- 36. The Open Source Movement. http://www.opensource.org/ last visited Sep 2008.
- 37. Neamatullah I, et al. Automated de-identification of free-text medical records. BMC Medical Informatics and Decision Making. 2008;8:32. doi: 10.1186/1472-6947-8-32.
- 38. Perl programming language. http://www.perl.org/about.html last visited Sep 2008.
- 39. Deid. http://www.physionet.org/physiotools/deid/ last visited Sep 2008.
- 40. GPL2 License. http://www.gnu.org/licenses/gpl-2.0.html last visited Sep 2008.
- 41. GPG Key Infrastructure. http://www.gnupg.org/ last visited Sep 2008.
- 42. Sapp MJ, Behrens TL. Single Logon: Balancing Security and Healthcare Productivity. Journal of Healthcare Information Management. 18(2):21–26.
- 43. OpenLDAP. http://www.openldap.org/ last visited Sep 2008.
- 44. Wikipedia collection of Open Source Healthcare Software. http://en.wikipedia.org/wiki/List_of_open_source_healthcare_software last visited Sep 2008.
- 45. Buyya R, et al. Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities; The 10th IEEE International Conference on High Performance Computing and Communications, HPCC-08; Sep 25, 2008; Keynote paper: http://www.gridbus.org/∼raj/papers/hpcc2008_keynote_cloudcom-puting.pdf.
- 46. United States Census Bureau Statistical Abstract 2008. Health and Nutrition Section. Table 148. http://www.census.gov/prod/2007pubs/08abstract/health.pdf last visited Sep 2008.
- 47. Cunningham PJ, Felland LE. Falling Behind: Americans Access to Medical Care Deteriorates, 2003–2007. Health System Change. Jun, 2008. (Tracking Report No. 19). http://www.hschange.com/CONTENT/993/ last visited Sep 2008.
- 48. Carreyrou J, Martinez B. Nonprofit Hospitals, Once For the Poor, Strike It Rich: With Tax Breaks, They Outperform For-Profit Rivals. Wall Street Journal. 2008 Apr 4.
- 49. Martinez B. Cash Before Chemo: Hospitals Get Tough. Wall Street Journal. Apr 28, 2008. Sep 28, 2008. http://online.wsj.com/article/SB120934207044648511.html last visited.
- 50. Japsen B. U. of C. medical practices drawing critical eye. Chicago Tribune. Sep 8, 2008. Sep 8, 2008. http://www.chicagotribune.com/business/chi-mon-uofc-hospital-obama-sep08,0,4276333.story last visited.
- 51. Healthy Americans Act. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:h3163ih.txt.pdf last visited Sep 2008.
- 52. The CDISC standard. http://www.cdisc.org/ last visited Sep 2008.
- 53. Doward J. Chaos as £13bn NHS computer system falters. The Guardian. Aug 10, 2008. Sep 10, 2008. http://www.guardian.co.uk/society/2008/aug/10/nhs.computersystem, last visited.
- 54. Oates J. Running out of patience. The Register. Oct 6, 2008. Oct 6, 2008. http://www.theregister.co.uk/2008/10/06/npfit_care_records/ last visited.
- 55. Reid TR. “We’re Number 37!” to be published by Penguin Press in 2009, adapted from “Sick Around the World”, a PBS documentary produced by WGBH. Boston: Oct, 2008. http://www.pbs.org/wgbh/pages/frontline/sickaroundtheworld/countries/models.html last visited.
- 56. Peterson CL, Burton R. “U.S. Health Care Spending: Comparison with Other OECD Countries” Congressional Research Service report to Congress. Sep 17, 2007. Oct 17, 2008. http://assets.opencrs.com/rpts/RL34175_20070917.pdf last visited.




