For Your Eyes Only
This month insurers face the first of three federally mandated privacy compliance deadlines.
April 2003
Source: Best's Review (April 2003 Issue)
By Barbara Bowers
Senior Associate Editor
Best's Review
Seven years after its enactment--and following many bureaucratic twists and turns,
a mountain of public comments and numerous modifications--the Health Insurance Portability
and Accountability Act is finally coming into its own with the first of three compliance
deadlines looming for insurers this month. This first key date, April 14, 2003, applies
to the law's Privacy rule, which creates national standards to protect individuals'
personal health information and gives patients increased access to their medical records.
The rule states that a health-care provider can share information with a patient's health
plan for treatment, payment or health-care operations, but the information must
be specifically for treatment, payment or operations of the provider and not the plan.
Most covered entities, such as health-care providers and health plans that conduct
certain financial and administrative transactions electronically, fall under
the first deadline, while smaller health plans have another year to comply.
Implementation of the HIPAA Privacy rule follows closely on the heels of privacy
requirements imposed by the Financial Services Modernization Act of 1999, otherwise known
as Gramm-Leach-Bliley. While this law allows financial institutions, such as banks,
insurance companies and securities firms to affiliate, it also provides rules giving
consumers more control over disclosure of their personal financial information. Under
Gramm-Leach-Bliley, an insurer annually must notify policyholders of its information-sharing
policies and give them the ability to "opt-out," or refuse to permit the insurer to
share nonpublic personal information with third parties for marketing purposes.
Building a Framework
The HIPAA Privacy rule "is largely a policy and procedure issue, requiring that you have
policies and procedures, safeguards on those policies and procedures, that you educate
your employees and enforce the policies and procedures," said John Quinn, a principal in
Cap Gemini Ernst & Young's National Health Care Consulting Practice. He has been working
with large hospitals and insurance companies on HIPAA compliance, and continues to
field questions from clients on how the new Privacy rule applies to them.
"There's less confusion on the payor side than on the provider side, primarily because
the payor organizations tend to be coherent, hierarchical and closed organizations," he
said. In contrast, hospital personnel can include volunteers, physicians who aren't
actually hospital employees and employees working under hundreds of different contracts.
"You come to the realization that having an employee's policy and procedure book and
a set of policies and procedures that you follow is a little more challenging in the
provider space than it is in the payor space," he said.
But this process is not nearly as costly as the one prompted by Gramm-Leach-Bliley, with
its estimated price tag of as much as $2 billion in employee labor, mailing costs and
other expenses. "Much of the security required is already in companies' computer systems
in terms of user name passwords and ability to audit what employees do in their systems,"
he said. "It may take a few extra employees to manage those policies and procedures and
the auditing that needs to go on, but that's pretty much it."
An Early Start
Nevertheless, insurers say that gearing for the Privacy rule, in tandem with preparations
to meet the Transactions and Code Sets rule and the Security rule, began drawing their
attention some years ago. For example, Nationwide Insurance Co., Columbus, Ohio, began work
on HIPAA compliance in 2001, attacking it in much the same way it did Gramm-Leach-Bliley,
said Kirk Herath, chief privacy officer. But unlike Gramm-Leach-Bliley's requirements,
HIPAA's do not have the same universal effect on his company, he said.
"We have pockets of covered entities throughout our enterprise--a small health plan,
self-insured employee plans, and we had a small long-term-care plan that was covered in our
life company," Herath said. At the time the company began this effort, it also had a
number of individual health policies on its books as well as a Medicare claims operation
that administered all Medicare claims for Ohio and West Virginia. The Medicare claims
business has since been sold.
Nationwide quickly formed teams to focus on HIPAA compliance for its health business and
to see that self-insured programs also met the deadlines. "Unlike GLBA [Gramm-Leach-Bliley
Act], which affected everyone in the company uniformly, HIPAA only affected a small number
of our operations," Herath said.
The team preparing for the Transactions and Code Sets rule started in earnest more than
18 months ago, he said. "It really took that long to get all the uniform code sets in
place and to get the systems reworked," Herath said. The groundwork to meet the Privacy
rule began about a year ago. "One of the first big things we had to do was to create the
policies and procedures by which we were going to operate to comply with HIPAA, and that
really was a job for a team of lawyers," he said.
The company created a privacy legal working group and, to expedite the process, hired
an outside legal expert who answered the company's questions and provided Nationwide
with templates for the policies and procedures. "What we did was divvy them up among
about 10 company lawyers, including myself, so nobody had too much of a workload, and
we gave ourselves about a three-month window to get them done," Herath said. Once that
was completed in July 2002, the company began implementing the new policies and procedures
during the remainder of that year.
Funding Implementation
The other key component in Nationwide's privacy compliance plan was to develop an online
training module. The company developed this proprietary product in house, paying "a quarter
of the $200,000 that some of the big consulting firms wanted to charge us," Herath said.
"We partnered with an outside Web firm that does training modules. We created all the
content, we basically designed it, and they built it for us."
Although the training program touches upon security, it mostly tackles the HIPAA Privacy
rule, and includes all of Nationwide's policies and procedures in a back-end glossary.
Because HIPAA is very specific about what training is required according to an employee's
function, few people at Nationwide have had to undergo the entire training program. The
software "will tell you you have to take modules 1, 3, 5, 8 and 10 and then it'll track
your progress, allowing you to log off and log back on where you were," he said. "When you
complete the program, it documents it for us for compliance purposes and the employee
receives a certificate."
Herath said the training module is so good that the company Nationwide worked with is
licensing a version of it for sale to the public.
Addressing the HIPAA requirements has cost the company about $500,000 in hard costs for
printing and mailing statements as well as some systems work, a sum far below the estimated
$6 million for hard costs associated with Gramm-Leach-Bliley compliance, Herath said. But
then the Gramm-Leach-Bliley effort also piled on considerable soft costs in employee hours.
"Everybody was doing it--we had literally hundreds of people running around doing this work
in some cases for up to two years," he said, putting those soft costs in the $3 million to
$4 million range.
Unaware and Unprepared
While Nationwide and many other insurers have done their homework, industry experts
question the readiness of other covered entities, especially those that HIPAA labels
self-insured, to meet the 2003 deadlines.
"We're talking about many employers across the country--and in my experience at least
50% are not aware that they are covered or are under the mistaken belief that someone
else is handling the compliance issues for them," said attorney John A. Knapp, a member
of Cozen O'Connor's health/law unit in Philadelphia. "Oftentimes, a group health plan
will believe that whoever their insurer is--whether it's Blue Cross, Aetna or any of
the large commercial companies--those insurance entities are taking care of all of the
HIPAA compliance requirements for the group health plan. And that's usually not the case.
There are many, many who have not even tackled this issue. It's my expectation that HIPAA
compliance, even on the Privacy rule, will go on well past the April 14 deadline."
Broader Obligations
Every U.S. employer that provides health benefits to its employees and has 50 or more
people in its plan is a covered entity under HIPAA, Knapp said, and of that group,
self-insured employers have a broader set of compliance obligations than those that
are fully insured. Under HIPAA, a company is considered self-insured if any part of
its health-benefit program is self-insured, and that could be as little as offering
what's called a flexible spending account or cafeteria program to employees, Knapp said.
Knapp, a co-leader of his firm's HIPAA team, estimates that 75% of his time over the
last nine months has been spent on HIPAA work. Recently, he was dealing with a dozen
HIPAA compliance projects involving health-care providers or group health plans--employers
offering health benefits to their employees.
Enforcement Plans
In cases of noncompliance, HIPAA provides penalties as low as $100 an infraction, with
a maximum of $25,000 for each type of infraction a year, Knapp said. Penalties can
become more severe--a maximum of 10 years in jail and a $250,000 fine--for such violations
as selling protected health information for commercial profit.
Practically speaking, however, enforcement of the Privacy rule under HIPAA is the
responsibility of the Office for Civil Rights of the Department of Health and Human
Services. This office, Knapp noted, does not have a large budget for enforcement efforts,
and it has made public announcements that its intent is to approach enforcement, at
least for now, in an educational mode. "That may change in the future, but initially
no one really expects a widespread harsh enforcement policy," he said.
Establishing Standards
After HIPAA's Privacy rule deadline comes its Oct. 16, 2003, deadline for the rule
on Transactions and Code Sets, a provision that seeks to establish standards and
requirements to enable the electronic exchange of some health information. Finally,
the third component, the Security rule deadline, is in April 2005. The Security rule,
which had been issued in proposed form a number of years ago, addresses the electronic
and mechanical security measures that a covered entity is required to take to safeguard
protected health information that is stored or transmitted electronically. The Security
rule does not affect paper records.
Security Awareness
Peggy Weigle, chief executive officer of Sanctum, a Santa Clara, Calif.-based security
company founded by two former members of the Israeli Defense Forces, credits HIPAA with
spurring companies on to greater realization of the need for tighter electronic security.
"We've been tracking both GLBA [Gramm-Leach-Bliley Act] and HIPAA for two to three years
now, and both pieces of legislation really heightened the security awareness in the
corporate world," she said. But the interest the company has seen in the past year is
the direct result of HIPAA's Privacy deadline, coupled with the fact that HIPAA has
more teeth than Gramm-Leach-Bliley in sending executives to jail or, at least, imposing
fines, if private information is exposed, she said.
"What we have seen in our customer base alone is a dramatic increase in the number of
health-care and insurance companies that have bought our products," Weigle said. The
company has more than 350 customers worldwide and added 150 of those in 2002 alone. Of
the new 150, 35% were health-care and insurance companies in the United States, she said.
Vulnerable Web Sites
But despite implementation of some electronic security measures, most companies remain
vulnerable to hackers at their Web sites, she said. Her firm has audited more than 300
sites at companies' requests and has been able to break into 98% of them. "That's just
a stunning number, and that includes health-care companies, insurance companies and
brokers," she said. "Lots of companies, and insurance companies in particular, have
invested in things like anti-virus software and network firewalls, and they definitely
are encrypting the data that they are moving back and forth across the Internet. But
the problem is that the majority of them have not protected the last mile, or the Internet
site itself."
Herath thinks Nationwide's early efforts to comply with HIPAA rules forced some strategic
decision making. While he can't say that HIPAA was the driving force behind Nationwide's
determination that health insurance wasn't a core business, and therefore it would stop
writing individual health and transfer or sell its Medicare claims operation, he does
acknowledge that the law played a role in that change. Another benefit for the company
in meeting the HIPAA privacy requirements was a continued understanding of how its
business flows, Herath said. Before Gramm-Leach-Bliley and continuing with HIPAA, "there
were very few people if any who ever sat down and said, 'How do all these different
business units relate to each other, where's all the information coming in from, where
does it reside and how is it protected?'" he said.
Quinn sees HIPAA as a plus for both patients and insurance companies in providing
"a defined floor of privacy" showing what a company can or cannot do with personal medical
information. "From an insurance company's perspective, it's good in that it sets up
some parameters to keep them from ultimately being sued," he said. "You can never say
it prevents suits, but the law specifically does not allow violations of the provisions
to be used as a basis for a suit. Of course, anyone with specific concerns about HIPAA
and suits should talk to their legal counsel."
Good Trustees
Insurance companies also will get a public relations boost by saying that they are
acting as a good trustee of the private information of their customers, Quinn said.
"You can be a cynic and say they're only doing it because they're afraid to go to jail,
but that's neither here nor there," he said. "The fact is that they're doing it, and this
law is the catalyst that's making it happen."