February 12, 2001, 1:34 PM — A MASSIVE UPHEAVAL OF the IT and administrative procedures of the health care industry is about to get under way as a result of President Bill Clinton's approval late last month of two-thirds of the proposed HIPAA (Health Insurance Portability and Accountability Act) regulations.
In a surprising move, Clinton extended the goal of HIPAA beyond creating standards for transmitting and securing electronic transactions of Americans' personal health information to include paper records and oral information.
To meet the mandated privacy and security guidelines, health care organizations will have to leapfrog to automated systems, industry observers said. This is likely to be an expensive and burdensome process, but many organizations have taken a more corporate, bottom-line approach that is expected to help ease the automation process, observers added.
The decision signals a decree by the federal government to remove antiquated internal and external processes of overseeing patients' privacy while also steering health care organizations toward a computer-based system, said analyst Dr. David Steele at Gomez Advisors, a market research firm based in Waltham, Mass.
"[The government] is taking this very seriously. The message here is, 'Don't mess with us,' " Steele said. "This is not something that's supposed to sit on your desk that you can ignore."
Violations of HIPAA's new strict patient-information privacy regulations can result in fines of as much as $250,000 and 10 years in prison for health care providers, hospitals, health plans, health insurers, and health care clearinghouses.
Most providers must be HIPAA-compliant 24 months to 36 months after the final part of the HIPAA proposal, the security and administrative piece, is accepted.
Steele said the HIPAA privacy regulations succeed in giving patients a sense of control that was not present before, allowing them to communicate or disclose their health information online or in person with greater trust.
"[Medical organizations] are going to have to invest in some of these new technologies -- digital certificates, authentication, [and] biometrics standards in the future -- to really make sure that those authorized to view something are the only ones that have access," Steele said. "These are huge up-front costs. The short term is going to be tough."
The privacy portion of HIPAA, along with the EDI (electronic data interchange) and impending security/administrative simplification regulations, was purposely designed to be technology-neutral.