The frustration in Kathleen Shivery’s voice is apparent as she talks about the Health Insurance Portability and Accountability Act. Despite doing a lot of research, the corporate benefits manager for High Industries Inc. said she remains confused about how the act’s privacy regulations will affect the Lancaster County company.
“We know we have to make a lot of changes,” Shivery said. “So far, I don’t know what we have to do, and we don’t have much time to figure it out.”
Shivery isn’t alone in her confusion.
And for those who don’t figure it out, penalities could mean fines or jail time. In April 2003, the privacy regulations go into effect, and employers could face fines of up to $250,000 and prison terms of up to 10 years for intentional disclosure of private health care information.
The privacy regulations included in the act, which is known as HIPAA, require providers, insurers and employers to make greater efforts to protect the privacy of consumers’ health care information. Observers in the region’s insurance industry said many Central Pennsylvania companies are still unaware of what
they must do to make sure employees’ medical information is properly protected.
And that is true, they said, despite the fact that health care providers and insurers nationwide have spent several years and millions of dollars to make sure they comply with the regulations.
For some employers, the observers said, complying with the regulations will mean making administrative changes, such as naming privacy officers.
“Employers don’t know what they don’t know,” said Nancy Pletcher, senior consultant for Benecon Group Inc., a benefit consulting firm in Manheim Township, Lancaster County. “HIPAA is not on their radar screens. It’s virgin territory for them.”
Polls show that privacy is a major concern for health care consumers, according to the Health Privacy Project at Georgetown University in Washington, D.C. One in five adults participating in a survey for Oakland, Calif.-based California HealthCare Foundation said they believed a health care provider, insurance plan, government agency or employer has improperly disclosed personal medical information.
HIPAA’s privacy regulations will affect employers in different ways, depending largely on how an employer’s health insurance plan operates, said Kathy Kelly, privacy officer for Capital Blue Cross in Susquehanna Township, Dauphin County.
Kelly said many small businesses would have to make few, if any, administrative changes. Many small employers have insurance plans that do not allow them access to employee-specific information about things such as claims and prescription costs.
The burden of protecting personal health information in these cases falls on health care providers and insurers, Kelly said.
However, Kelly added, larger employers often want employee-specific information about claims and other costs in order to track health care expenditures and to design workplace wellness programs.
Other large companies, such as East Lampeter Township-based High Industries, offer self-funded health insurance plans to their employees. Both groups will have to make several changes to comply with HIPAA, Kelly said.
The changes include naming privacy officers, offering HIPAA training
to employees who handle health insurance information, and making sure that health information is kept as private as possible.
A company wouldn’t necessarily have to hire a new employee to be a privacy officer but could appoint an existing employee to make sure that information remains private.
Also, these businesses need to ensure that health care information is not shared with those who make employment decisions at a company. For example, information about an employee’s cancer treatments cannot be shared with those who might use the information to fire the employee.
The time and expense needed to make these changes might convince employers that get employee-specific information to stop doing so in order to escape the regulations, Kelly said.
Employers who are self-insured might also consider purchasing insurance rather than funding it themselves, she added.
Some businesses will not feel an immediate effect from the privacy regulations, but all businesses might eventually have to pay higher insurance premiums to help pay for insurance companies’ HIPAA compliance efforts, said Tom Henschke, director of SMC Business Councils’ central region office in Wormleysburg. SMC Business Councils, which also has an office in Pittsburgh, is a small-business trade association.
“Small businesses are already frustrated with the increases in health care costs,” Henschke said. “It’s tremendously difficult for small businesses to deal with these costs.”
Pittsburgh and East Pennsboro Township-based Highmark Inc., which does business as Pennsylvania
Blue Shield in this area, expects to spend more than $60 million to comply with all of HIPAA’s regulations, said Jim
Mikula, the insurer’s vice president of enterprise systems and HIPAA project officer.
Despite the amount of money insurers will have to spend to comply with HIPAA, Mikula said, insurers are also expecting to save money after they implement other HIPAA regulations designed to increase efficiencies.
Mikula would not speculate what HIPAA’s final effect on premiums might be.