Wednesday, August 3, 2011

The Burden of Compliance

In a recent email noting the challenges of implementing ICD-10, 5010, eRx, EHR, and HIE simultaneously, Jim Walker (CMIO of Geisinger) referenced a paper in the British Medical Journal by Enrico Coiera (BMJ 342: d3693, 2011):

"Experimental computer modeling has shown that as the number of dependencies increases in a system, the height of the local optimums [of organizational fitness] in a landscape lowers.  In other words, the more dependencies there are in a system, the more likely they will be in conflict (through competing demands), flattening the landscape and diminishing the potential for improving system fitness. Thus the more complex a health system becomes, the more difficult it becomes to find any system design that has a higher fitness."

As we draft new regulations that impact healthcare IT organizations, we need to keep in mind that every regulation has a cost in dollars, time, and complexity.

Many people have spoken to me about the burden created by the Accounting of Disclosures NPRM, highlighting three major challenges it creates - an implementation burden that goes beyond the intent of HITECH, an inadequate impact analysis especially on small entities, and administrative overhead that is incompatible with impending budget cuts from the recent debt ceiling compromise plan.

The wording in the proposed rule which summarizes its intent is:

"These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person's access). In contrast, the intent of the accounting of disclosures is to provide more detailed information (a 'full accounting') for certain disclosures that are most likely to impact the individual."

Here's a commentary based on the feedback I've received.

Challenge 1 – Scope beyond the intent of the HITECH Act

Protecting privacy is essential to building patient trust in electronic health records and health information exchanges.

To me, the intent of HITECH is to offer patient access upon request to EHR audit trails and HIE audit trails.   However, the proposed rule goes beyond that, creating the concept of a "designated record set" and "disclosure logs" while exempting HIE transactions.  It's too much and too little at the same time.

The Designated Record Set (DRS) is a superset of information that includes the Electronic Health Record as well as data housed in many other systems, including billing, quality, research, and operational databases. It includes data shared with business associates such as small entities which provide specialty billing, transcription, and other services. Because the accounting requirements are characterized around the more broadly defined DRS, the burden of compliance has been greatly increased, requiring new technologies to aggregate audit logs from a broad array of software applications.

Disclosures are broadly defined as the release of patient information to other entities. This means that every access to the Designated Record Set by physicians, nurses, allied health, lab, billing, accountants, auditors, legal staff, and numerous other "business associates" who are involved with a patient episode of care within the covered entity must be logged, aggregated, and reported to patients on demand.

Business Associates are extensions of a health care provider, plan or clearinghouse’s workforce. An example is a business hired by a physician practice to bill and collect medical fees. Another example is an independent contractor who provides coding or transcription services. Business Associates provide a wide variety of services. Some, such as a transcriptionist, may access content of the Designated Record Set as a direct consequence of their role. Some may access DRS content as an incidental part of their role, such as a software vendor performing troubleshooting on a database. Under the proposed rule, each of these must be logged and included in the disclosure accounting.

By requiring providers to create disclosure logs on designated record sets including business associate access,  I believe HHS has gone beyond the intent of HITECH.

Challenge 2 – Inadequate Regulatory Analysis

In describing the regulatory impact, HHS understated the expense burden that the proposed rule will impose.

On page 31442 of the May 31, 2011 Federal Register, the proposed rule notes: “We estimate the effects of the requirement for covered entities (including indirect costs incurred by third party administrators, which frequently send out notices on behalf of health plans) to issue new notices of privacy practices, would result in new total costs of $20.2 million.”

The accompanying commentary suggests most of the information needed is already available for disclosure logging. This suggests a lack of knowledge of the current state of healthcare information systems.

HHS notes costs will be limited because the number of requests for disclosure accounting will be few.  However, it's not the number of requests that will drive the cost, but the preparation needed to meet a request whether there is one or one thousand.

In the Federal Register, HHS suggests there are 673,324 entities that will be impacted by these regulations. This is another understatement, as it only includes providers, insurance carriers, and third party administrators. To this count must be added the hundreds of thousands, perhaps millions, of businesses and independent contractors who do commerce with one of the 673,324 and receive protected health information under a Business Associates Agreement.

Without counting Business Associates, this works out to $30 per entity, an absurdly low figure.

With Business Associates included, the proposed rule will impact more than a million entities.  Every business and independent contractor that provides transcription, billing, computer repair, auditing, or other service to a health care provider, plan or clearinghouse will be affected.  A high percentage of these are small businesses.

The cost of modifying or upgrading just one software application and educating a two-person staff would easily exceed $5,000 in first year implementation cost. Many organizations face modifications to dozens of systems, educating thousands of employees, and modifying hundreds of Business Associates Agreements.

Even if only 500,000 firms are affected, at $5,000 each the total cost to implement the proposed rule would be $2.5 billion.   A more realistic estimate is in excess of $10 billion.

Challenge 3 – Incompatibility with the Federal debt challenge

The debate on the debt ceiling over the past two weeks included a discussion of reductions in payments to providers and hospitals.   Yet, as currently proposed, the rule adds billions in additional costs.

A 1999 study comparing Canadian and U.S. health care costs showed administrative overhead consumed 31 percent of the U.S. health care dollar.   In Canada, administrative overhead accounted for only 16.7 percent of their health care costs, nearly half what we require in the U.S.   We cannot add more administrative overhead and hope to reduce Medicare cost without affecting access or quality of care.

The healthcare industry has often been criticized for inefficiencies. What other industry, including the Federal government, is asked to produce an accounting, on demand, of everyone who touches data for any reason? It does not occur in banking, brokerage firms, or credit card processors. It doesn’t even occur with the Internal Revenue Service.

To impose such demanding requirements on the healthcare industry at a time when administrative cost reduction is a top priority seems counterintuitive.

In summary:

The rule should be revised to limit scope to that which is needed to support the spirit of HITECH.

The rule should not be implemented until a realistic regulatory impact analysis can be completed.

The healthcare industry will undergo an upheaval as it contends with healthcare reform and reimbursement decreases. It does not make sense to impose significant regulatory burden while constraining supply (Medicare funding) and maintaining all Medicare benefits such that demand will continue to rise.

I look forward to reading the HHS analysis of comments and hope the final rule supports enough auditing to foster patient trust, while realistically constraining the burden on implementers.

1 comment:

GreenLeaves said...

John,
Based on your knowledge, does HITECH allow for any cost recovery or does it prohibit a healthcare provider from levying a fee to provide the information?

Martin