HIT Think

HIPAA turns 20, and there’s no reason to celebrate

Register now

In 1996, The Spice Girls were at the top of the pop music charts. DVDs had just been launched. The number of Internet host computers increased from 1 million to 10 million. And the Health Insurance Portability and Accountability Act (HIPAA) was passed into law.

Now, 20 years later, two of the Spice Girls launched a website that celebrates the group’s two decade’s worth of “girl power.” A DVD is more likely used as a coaster for a cold drink than as an entertainment medium, and the number of host computers on the world wide web is well over 1 billion. And, most unfortunately, we’re still struggling with HIPAA.

When the law was enacted, its aim was to limit exposure or disclosure of personal information and enhance communications between doctor and patient. However, it was created well in advance of the ubiquitousness of the Internet, smartphones and social media platforms. In 1996, most if not all medical records were in paper form, the concept of data mining was a sparkle in the mind of a computer scientist, and the business of sifting through data to better analyze and predict was not yet conceived.

The collective view people hold about privacy also has changed. In large measure, this shift has come about because so much of our lives are now “done” online, from taking classes to banking to buying cars to reviewing the results of a medical examination.

Still, there appears to be a slew of problems surrounding HIPAA. Among them includes what is or isn’t “HIPAA-compliant,” and to say this is a “gray area” would be an understatement.

Curiously, as much as compliance interpretation is vague at best, nothing has been done to adjust the law to reflect the world in which we live. This is in contrast to PCI (Payment Card Industry) compliance, which is black and white with a pass or fail grade.

The HHS Office for Civil Rights this year will conduct audits of HIPAA covered entities and business associates to assess organizations’ compliance with the privacy, security and breach notification rules. This includes about 200 desk audits and 24 more comprehensive on-site visits, according to Hayes Management Consulting. But there are ways providers can properly prepare, according to Hayes Management.
March 24

For example, it apparently is quite easy for third parties to access hordes of data about patients of a certain type being treated for a particular health issue as long as those profiles are “anonymous.” In stark contrast, despite HIPAA's protections, there is no standard set of steps consumers can follow to get their information from hospitals which is a very real transparency imbalance.

Organization for European Cooperation and Development (OECD) countries are seeing healthcare expenditures rise at the rate of one to two percentage points faster than GDP. If this trend continues, healthcare would represent more than 25 percent of France’s GDP by 2050. Understandably, you’d say, “but America isn’t France.” Well, according to McKinsey & Company, healthcare as a percent of US GDP could be 35 percent by 2050. The need to get costs under control globally is intense.

McKinsey also notes that developed countries like ours face a twofold challenge in healthcare; improving quality and financial sustainability. Management consultants suggest that digitization can help health systems achieve both objectives and unlock substantial value through lower spending and superior healthcare delivery. They point out that one large OECD country estimated that implementing existing digital technologies could reduce its healthcare expenditure between 7 percent and 11.5 percent.

Those cost-savings would be achieved using three methods:

  • Seamless data and information exchange
  • Advanced analytics and transparency
  • Process automation

The enthusiasm shown on the operational side of healthcare to embrace digitalization is akin to that of a person allergic to bee stings standing amidst beehive huts. Anything that has occurred in the last 20 years that involves technology has been met with significant kicking and screaming. In fact, the move from paper to electronic health records wouldn’t have occurred, in all likelihood, were it not for the passing and signing of legislation and the resultant large payments from government. By contrast, other large industries such as banking realized the need for automation to drive down cost and enable scalability back in the 1980s, without the need for government to pay or set laws to drive adoption.

Also see: HIT Think HIPAA turns 20: Why it’s an effective law for healthcare

The case for efficiency attained with automation in healthcare business operations is compelling, yet maddeningly difficult to achieve. Let’s circle back to the rise of healthcare as a factor of GDP. Brought to a level all of us can appreciate, 25 percent of GDP translates to one-quarter of a household’s budget going against that cost. Layer on top of that the emergence of high-deductible health plans, which shift as much as half of the financial responsibility to the consumer, and the argument to employ digital, online, user-friendly services becomes overwhelming.

Despite this preponderance of evidence, healthcare continues to operate, business-wise, like it’s 1966, not even 1996, let alone 2016. For example, 87 percent of all bills issued by healthcare providers today are in paper form. Just about every other industry asks its customers to go “paper-free” for the obvious benefits to them and convenience of their patrons. Not healthcare.

HIPAA is a law that was conceived at a time when paper flow was the predominant workflow. That it hasn’t been adapted to the times is unfortunate. However, to realize meaningful process improvements, real automation efficiencies, in areas like human resources, scheduling, logistics and billing, among others, much of what’s needed is already in place or can be easily bolted on without incurring any capital expenditure by way of a cloud-based service.

For reprint and licensing requests for this article, click here.