Doctors' offices, pharmacies, hospitals, health insurers (in short, the entire health-care industry) have exactly one year to prepare for the first wave of new federal regulations covering the handling of medical records.
It's not a task they're relishing: Many in the industry believe that implementing the regulations will cause significantly more disruption and expense than preparing computers for Year 2000 did.
"I wouldn't be surprised, for a fair-sized clinic, for it to cost upwards of $1 million to comply with the new rules," says Jim Barry, CEO of WindStar Group Inc., a Spokane-based computer services company.
The regulations stem from federal legislation enacted in 1996 called the Health Insurance Portability and Accountability Act, or HIPAA.
The HIPAA regulations are split into three parts, one governing electronic transactions and procedure coding, the next covering privacy issues, and the third addressing security. The deadlines for compliance also are staggered, with the deadline for the transaction and codes rules coming up in October 2002, and the deadline for the privacy rules in April 2003. The deadline for complying with the security rules hasn't been set yet.
The intent of the regulations is laudable, health-care providers here say.
"It's hard to be against the confidentiality and privacy of patient information," says Dr. Glen Stream, medical director of clinical information services at Rockwood Clinic PS here.
The confusion that exists about how the regulations must be implemented, however, has many health-care companies concerned, as does their expected cost.
Estimates of the cost nationally range from just under $20 billion to $50 billion or more. Medical practices here typically haven't gotten far enough along in their HIPAA planning to be able to estimate their costs, but Lloyd Guthrie, executive director of Spokane Cardiology PSC, says the final bill is sure to be substantial.
What's more, all of this has to happen while practices take care of their normal business, says Brent Stanyer, of Spokane-based Stanyer Consulting, which specializes in health-care administrative issues.
"They've got patients to see, they've got bills to send out, they've got staff and employees to supervise. Adding HIPAA readiness on top of that is a difficult process," he says.
First rules helpful
The first HIPAA hurdle is likely to be the easiest to overcome, as well as the most helpful to health-care providers, sources here say.
Basically, the regulations for that first hurdle will standardize a number of electronic transactions, such as submitting claims, verifying the eligibility of health-plan members, and handling authorizations for referrals. Both the electronic format of a transaction as well as its information (name, address, date of service, for example) will be standardized.
The rules also call for standardization of the codes that care providers and insurers use to designate different procedures. Stream says that currently, 20 different insurance companies can have 20 different code sets.
The combined effect of the transaction and code regulations should be to cut down on the administrative workload to prepare transactions, as well as on the instances of insurance companies rejecting transactions, such as claims, because they don't meet insurers' specific criteria, sources say.
Ginger McCandless, a sales representative at ISET Inc., a consulting company here, says this part of HIPAA, at least, "is really going to streamline (the medical industry) and make them run much more efficiently, and they're really going to be happy about it in the end."
While medical offices that don't conduct business electronically aren't subject to the rules, Stanyer says he wouldn't be surprised if paper records also are changed to conform to the new formats.
It's also worth noting, he says, that the rules could impact other businesses, such as large employers that pay health-insurance premiums electronically or that enroll workers in health plans that way.
Privacy rules controversial
The second step of HIPAA, covering the privacy of medical records, is the most controversial, and could spark the greatest changes in day-to-day operations.
Those rules dictate how health-care companies can use a patient's medical records, to whom they can disclose those records, and when and how patients can have access to their own health-care records.
The intent is to protect medical records so they can be seen only by people who need specific information, says Stream. For example, a receptionist shouldn't be able to look up the patient's lab results on his or her computer, he says. The rules also will require that medical practices and hospitals get written consent from patients before using or disclosing their medical records, even to carry out treatment, except in emergency situations.
The privacy rules have raised alarms in the health-care industry, which fears that the rules will severely restrict the flow of information needed to provide good medical care. The government already is pledging to change some of the regulations to allay those concerns; a pharmacist will be allowed to fill a prescription phoned in from a doctor without first getting a patient's written consent, for example.
The concerns persist, however. The American Hospital Association, an industry group based in Chicago, says that for hospitals even to schedule procedures, patients first will have to read, sign, and return a 10-page privacy notice and separate consent form. For many patients, in particular the elderly or disabled or those who live in rural areas, obtaining and returning those forms could present a significant and frustrating burden that delays or impedes their ability to obtain timely care, the organization testified before a congressional committee in August.
Complying with the privacy rules will take staff training and revising policies and procedures, sources say.
"It's going to involve a lot of changing of behavior," Stream says.
Jim Webster, chief financial officer of Northwest Orthopedic Specialists PS here, says complying sounds simple, but probably won't be.
The medical record for each patient is probably pulled out eight or 10 times in relation to one visit, he says. Paperwork flows in and out of a physician's office to other medical-care providers, and copies of those records (physical therapy notes, for example) have to be included in patient files at Northwest Orthopedic, he says. What are the requirements to safeguard all these pieces of paper when they come into the office? There's some potential for substantial additional documentation.
Other question marks include seemingly mundane practices, such as dropping a patient's file into a bin outside an examination room for the doctor to pick up on his or her way into the room, or having patients sign in on a log in the waiting room.
"Is that a violation of HIPAA?" Webster says. "I don't know."
No final draft on security rules
The third phase of HIPAA, the security rules, is related to the privacy rules; while the privacy rules deal with how information is disclosed, the security rules dictate how that information must be stored and transmitted.
The government hasn't come out with its final draft of the security rules yet, so it's unclear what they might entail.
It's safe to say, however, that no longer will you walk into the doctor's office and see all those pretty colored files behind the desk, says Barry, at WindStar.
Offices will have to make sure that files are in secure areas or locked cabinets and will have to monitor who has access to them.
Any offices that send information over the Internet or, possibly, even over private computer networks could have to encrypt that information so it can't be intercepted, just as individual companies will have to ensure that computer hackers can't access their office records, Stanyer says.
"All of those different means (of storing and sending files) raise different security questions," he says.
A hot topic
Although some health-care companies are well under way with their HIPAA preparations, some haven't even started them, says Webster, who also is president of the Spokane-based Inland Medical Group Managers Association.
Some 50 of the group's 70 members signed up for a recent seminar on HIPAA and its requirements, he says. Judging from the sign-up response it's a hot topic.
Spokane Cardiology already is working on its HIPAA plan, but Guthrie says he believes that the deadlines for implementation could end up being delayed, especially in the wake of the Sept. 11 terrorist attacks.
Barry admits that HIPAA is a political football since it was enacted by a Democratic administration and now is being implemented by a Republican one.
However, "They're not going to pull the plug on it," he says. "You want your confidential medical data protected; you don't want the results of your last mammogram passed around on the Internet, and that's what this is really all about."