State CIOs seek federal help to implement health care rules
The federal government must share with the states the cost of implementing health care rules and must work with the states to ensure that technology systems are up to the task, according to state chief information officers.
Members of the National Association of State Chief Information Officers (NASCIO) convened in Washington last week for the group's annual "fly-in." State CIOs met with various officials to discuss topics like implementation of the 1996 Health Insurance Portability and Accountability Act (HIPAA), which promulgated medical privacy rules.
Those privacy rules took effect April 14, 2001, and the states, health care clearinghouses and other organizations that conduct financial and administrative transactions electronically must comply by April 14, 2003. Small health plans have until April 14, 2004, to comply.
But states see HIPAA as another unfunded federal mandate that requires them to bear the costs of upgrading old technology or replacing systems altogether to satisfy not only the privacy rules but also the security rules included in the law.
The security regulations, which will be issued by the Centers for Medicare and Medicaid Services (CMS), would impose safeguards for implementing the privacy regulations. A spokesman for the Health and Human Services Department said the security regulations are "in circulation." "We're telling people that this final rule is not going to put any big burden on people," he said.
NASCIO issued a white paper questioning the separate rule-making processes for privacy and security, saying that the approach will prevent states from formulating comprehensive remediation plans.
"It is impossible to do privacy without security first," Kentucky CIO Aldona Valicenti told reporters last week during a briefing following the fly-in.
NASCIO and the National Governors' Association (NGA) want HHS to provide more guidance on HIPAA's requirements, as well as improved federal-state cooperation and increased federal cost-sharing. NASCIO and NGA are requesting a national meeting of about 30 federal and state stakeholders to discuss implementation challenges.
Iowa CIO Richard Varn said states are being asked to estimate HIPAA costs, but that is virtually impossible given that that law covers health care companies, schools, correctional facilities and other institutions. Varn is asking his congressional delegation to urge legislators and HHS to clarify "covered entities" under HIPAA, along with other details of the law, so states have a better idea of what to encompass in the implementation process.
Many state officials have likened HIPAA compliance to preparations taken for the Y2K computer bug--huge and costly.
New Mexico CIO Bob Stafford stressed that states cannot comply without federal dollars. Stafford's state established a multi-agency group to examine the medical privacy rules and request funding from the state legislature to implement the necessary technology.
"We are very concerned at the state level that there are penalties for non-compliance," Valicenti said. "It's not a pretty picture."
On Tuesday, CMS announced the adoption of a unique identifier for employers in the filing and processing of health care claims and other transactions. The standard identifier, mandated by HIPAA, seeks to eliminate paperwork, save money and simplify various administrative duties.