When Congress passes laws concerning health care, intentions and results do not always match up. Two cases in point are the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Understanding what happened to these two statutes as they passed from Congress to the reg writers and administrators might give us better insight into how we should expect the Affordable Care Act to play out.
HIPAA, passed during the Clinton Administration, had three goals: to allow insured individuals to change location and employment without losing health insurance coverage; to combat waste and fraud; and, ironically, to simplify the administration of health insurance. Initially, much of the work of the law involved standardizing the electronic filing of insurance claims. In 1997, the law established portability of coverage of pre-existing conditions and medical savings accounts. In 2003, compliance with the privacy and security rules in HIPAA became mandatory, establishing firmly the importance of protected health information. In 2006, civil penalties for violations of the privacy and security rules kicked in, but initially there were no prosecutions. In other words, it took a decade for the act to finish chewing reality, and when it did it little resembled its congressional sponsors’ initial vision.
HITECH was enacted as part of the American Recovery and Reinvestment Act, which President Barack Obama signed into law on February 17, 2009. The main intent was to establish a nationwide intercommunicating electronic health record. It provided a financial subsidy to physicians who demonstrated meaningful use of one by 2015 and imposed penalties on those who did not do so by 2016. The program was supposed to reform medical care through public health-style research and surveillance of physicians’ practice patterns, but HIPAA privacy rules made it difficult to get the necessary data. In 2010, regulators allowed specific categories of researchers freer access to patient medical records. They also imposed stiffer reporting and notification requirements, especially for data breaches involving greater than 500 patients. In 2013, the Final Omnibus Rule updated HIPAA and HITECH by requiring stiffer penalties for data breaches, and coverage of contractors associated with doctors, hospitals, and other medical entities. It also required protection of private health information for fifty years after a patient’s death.
These laws involve a series of discrete functions. One is electronic data interchange, which has helped to standardize medical billing. Historically, a physician would submit a company-specific paper claim, which required information that varied among insurance companies. With the evolution of electronic data interchange, practice management software in the physicians’ offices, internet transmission, and computerized claims management by the insurance companies have standardized and facilitated the claims process. The object of the physician’s office is to submit a “clean claim”, one that has all the required information filled out and is consistent with diagnostic and treatment codes. Several generations of elaborate diagnostic and procedural codes have evolved. The procedural codes determine the amount of payment the caregiver is supposed to receive. At least one diagnostic code must support the billed procedure code in order to establish a “determination of medical necessity.” This process is fairly well standardized for Medicare, although it can vary slightly by geographic region. Medicare administrators, however, constantly update these codes and requirements for “medical necessity”, making compliance with the rules very difficult.
Most private insurers have also adopted electronic data interchange and with it the diagnostic and procedural codes. They often impose additional conditions, such as prior approval for treatment and exclusion of certain Medicare-covered treatments altogether. Medicare Advantage plans, for their part, essentially convert regular Medicare coverage to private coverage. These plans tout low copayments and deductibles with no additional premiums, but often impose payment restrictions very similar to private non-Medicare insurers.
After filing the claim electronically, the physician receives an explanation of benefits from the insurance company. If the claims examiner at the insurance company (often a computer) determines that the physician is a participant in its plan, the patient has active insurance with it, and there is appropriate medical necessity, the insurance company may send payment in addition to the explanation of benefits. For Medicare and many private insurers this process works smoothly, demonstrating the successful implementation of electronic data interchange. Obtaining payment from some insurance companies can be difficult, but at least the disputes are framed by a standardized process.
A second function concerns the portability of insurance. The earlier Consolidated Omnibus Budget Reconciliation Act of 1986 (COBRA) required employers to allow departing employees to purchase a continuation of their group medical insurance for up to 18 months. New employers could still exclude coverage of pre-existing conditions indefinitely. HIPAA changed this, preventing new employers from excluding an employee with pre-existing conditions for more than 12–18 months. In some ways this was more successful than COBRA, because until Federal subsidies were introduced only about 10 percent of departing employees purchased the insurance due to its high price. But HIPAA did not solve all the portability problems, to say the least.
HIPAA also established the amounts that an employee could set aside in a pretax medical savings account for employers with high-deductible plans. The Medicare Modernization Act, signed by George Bush in 2003, replaced these with health savings accounts, which have the advantage that money spent on qualified medical expenses is not taxed. This has probably contributed a fair bit to the slowdown in medical consumption over the past few years. When a patient has to pay high deductibles and copays out of pocket, he spends less and consumes less, even though the expense would be covered by the amount in his health savings account.
These three functional areas work, or are starting to work, reasonably well. The same cannot be said for the privacy protection provisions of HIPAA. I tried to read Public Law 104-191, but it is more than 72,000 words long. The law’s section 1177 privacy rule is only 121 words long, however, and is fairly clear in its intent to deter the “wrongful disclosure of individually identifiable health information” by fines of up to $250,000 and imprisonment for ten years. The Secretary of the Department of Health and Human Services has wide authority to promulgate rules and regulations to carry out this and other aspects of the law. By 2003, protected health information had been defined to include both medical records and insurance information. This definition was eventually extended to cover any business entity that could potentially compromise the information. Complaints about violations accumulated, and the process began to yield significant fines and settlements. The evolution of electronic data sets, the internet, prevalent internet hacking, and the careless handling of private information have made this a surprisingly important part of the HIPAA law. Everyone agrees that protecting stolen medical information from nefarious uses is necessary, but there are more reasonable and cost-effective ways to do so.
Relatedly, Section 1347 of the law specifies the penalties for health care fraud, including financial penalties and imprisonment, and a life sentence if the violation results in the death of a patient. This part of the statute is elaborate, and assigns investigative responsibilities and specific budgets for the first few years. The fraud program has grown gradually since 1996. The 2013 combined HHS/DOJ annual report on Medicare and Medicaid fraud showed total recoveries, fines, damages, forfeitures, and so forth of more than $4.3 billion. Special task forces now work in specific sectors, such as durable medical equipment and home health care. Also, geographically defined task forces are at work in Miami, Los Angeles, Detroit, and Chicago. This was a major intent of the original statute and appears to have been reasonably well realized.
Section 192 of the statute requested a report from the Health Care Financing Administration about ongoing telemedicine services, with particular attention to their cost and a proposal for Medicare reimbursement for these services. Forbes estimated that the U.S. telehealth market will grow from $240 million in 2013 to $1.9 billion in 2018. Traditionally, individual states regulate licensure and medical liability law; this creates some serious issues for Federal regulation of telehealth since these services often operate across state and even national boundaries. So far regulators have done little work on these issues.
While HIPAA dealt with physicians’ payment and patients’ access to insurance coverage, HITECH deals more with the actual clinical medical records. When HIPAA was passed, there was no expectation that follow-on legislation would overtake its central founding purpose, but that is what happened.
HITECH is found in Title IV of the American Recovery and Reinvestment Act. The bill contains very specific plans for private physicians, hospital-based physicians, hospitals, critical access hospitals, and Medicare and Medicaid patients. The financial incentives for physicians are distributed over three years. The schedule of payments for private physicians is fairly specific, but those for hospitals and hospital-based physicians are subject to the discretion of the HHS Secretary.
The software must be certified electronic health records technology as defined in the statute and ultimately by the Secretary. The physicians using the records must demonstrate “meaningful use” as defined by the Secretary, a requirement that will become gradually more stringent. The Secretary may also require electronic exchange of health information and various clinical quality measures pertaining to electronic health records.
Almost all hospitals and large medical groups have adopted electronic health records because of the rebate incentives, which will be phased out after 2016. Furthermore, practices that don’t implement them will incur a 1–4 percent reduction in all Medicare reimbursement from 2015–17. There will be additional penalties for failing to meet clinical quality standards, which will be almost impossible to meet without having electronic health records. In 2019 and thereafter, a physician’s combined penalty for not meeting the various requirements will be a reduction of up to 8 percent of all Medicare reimbursement for that year. For larger groups there will be a third program, called the Value-Based Payment Modifier, which could bring the total penalty up to 9 percent for all Medicare billing for the year. The new modifier was mandated by section 3007 of the Affordable Care Act. The Secretary may increase the penalties if less than 75 percent of practitioners are meeting meaningful use criteria.
In 2013, the Centers for Disease Control and Prevention reported that 48.1 percent of office-based physicians had a basic system that could potentially meet meaningful use criteria, while 78.4 percent used at least some electronic records. Some 69 percent of them expressed an intent to meet the criteria. In 2014, the American Medical Association estimated that up to 50 percent of physicians will be socked with some Medicare penalty in 2015. Then there is certification. Medicare maintains a comprehensive listing of certified complete electronic health records and modules. As of 2014 there were about 1,400 office-based products available and 950 inpatient or hospital products available. Many of the products are just different editions by the same vendor that accumulated as the software developed. Earlier editions, however, are still being used by practices that implemented electronic records earlier.
Medicare does not rate or indicate the suitability of software in any other way. Physicians are left entirely on their own to pick an expensive, complex product for a task with which they are fairly unfamiliar. An American College of Physicians poll found that in 2012, 34 percent of respondents were very dissatisfied with their software, and 37 percent noted that it was not easy to use. Some physicians have completely abandoned systems they purchased. Now that the cash incentives have been phased out and the majority of physicians and hospitals have purchased their electronic records software, we can expect to see considerable consolidation. Medical Economics predicted that by 2018, 20 companies will serve the majority of the market. In 2014, about 400 companies sold this software, and the top ten providers had 90 percent of the hospital market in hand. In the ambulatory or office sector, the top ten served only 60 percent of the market.
Meanwhile, HHS has parsed “meaningful use” into three stages: stage 1, in 2011–12, focused on data capture and sharing; stage 2, in 2014, deals with advanced clinical processes; and stage 3, in 2016, will focus on improved outcomes. Achieving meaningful use during stage 1 required meeting both “core” and “menu” objectives, which were different for hospitals versus physician practices. In 2013, 59 percent of physicians “attested” to complying with stage 1, and 67 percent did so by May 2014. Stage 2 is structured the same way, with core and menu objectives. One core objective that is particularly troublesome to physicians requires getting patients to sign on to the practices’ medical records website and view or download the information; at least 5 percent must submit a question or comment to the physician. While this would be a no-brainer for a practice dealing with teenagers and young adults, many seniors in the Medicare program don’t have computers or otherwise use the internet. So far the HHS response is that the physician should sit down with patients and show them how to use the internet—specifically this feature of it. Since this is a core criterion, a practice that fails to meet it could lose up to 5 percent of all Medicare reimbursement. According to early estimates, only 35 percent of hospitals were able to comply with stage 2 in 2014. Not all physicians had to comply in 2014, but they will in 2015. There is no final rule yet for stage 3 criteria, but it will likely feature the same core and menu structure, with increased percentage thresholds for many older criteria. It may incorporate a few new criteria and drop the requirement that patients use the patient portal.
When it comes to the electronic exchange of health information, implementation has been underwhelming. With 400 different software providers, 1,400 versions of office software, and 950 versions of hospital software, meaningful and legal exchange of health care information is practically impossible. Nevertheless, stage 2 requires that all providers provide patients a portal to medical records, and penalizes them if patients fail to use them sufficiently. Stage 3 drafts indicate that providers must give patients “relevant and actionable” office visit summaries in the form they prefer, which includes online. One can imagine a day when with an appropriate token indicating patient permission, electronic records from any source would be immediately available at any other facility. Both the Veterans Health Administration and the U.S. Military have prototypes of such a system, but difficulties have arisen in merging or sharing information between them. The military system is out of date, and replacing it with one that shares information well with its counterpart is estimated to cost $11 billion. Hapless practitioners may be required to fund this extravaganza in stages 4, 5, or 6.
There is more, much more. The Physician Quality Reporting System (PQRS) in 2010 allowed eligible professionals to qualify for an incentive payment for reporting via electronic records. In 2014, officials applied quality measures to multiple programs, including the electronic reporting option for the PQRS and Medicare’s electronic records incentive system.
For 2015 there are 256 specific measures and 233 groups of measures. This sounds comprehensive, but problems remain with specific, often highly specialized areas of medicine and surgery. Medicare is working with 12 specialty societies to develop measurement sets. In my specialty, ophthalmology, there are also very highly developed subspecialties. To keep it simple, our association has requested only 15 additional measures. Some of these measures can only be reported on an electronic “registry” managed by the American Academy of Ophthalmology.
By the end of 2015, Medicare will provide feedback to HHS on its progress. Most anticipate increasing percentages of reimbursement for Medicare and Medicaid to be tied to these quality measures. This, anyway, is one way to bring down costs: burden doctors with nearly impossible compliance demands, and then punish them financially when they can’t keep up. If too many seem to be keeping up, HHS can always heighten the demands or change the regulations in other ways.
Given all this bureaucratic minutiae, one could be forgiven for forgetting that privacy and security are the seminal purposes of these laws. HITECH contributed to these goals by establishing the Office of National Coordinator for Health Information Technology (ONC), which has developed elaborate security and privacy requirements for electronic health records and health care information technology. These requirements have in turn shaped quality measures and programs encouraging compliance with meaningful use standards.
HIPAA’s formidable penalties for hospitals and physicians are still in effect, despite the increased risk of data theft posed by hackers. Ironically, the proliferation of compliance rules has in some ways actually worked against protecting the privacy of medical data, because there are vastly more files and software systems to target. A recent hacker attack on Anthem Health Insurance’s database compromised the identities of roughly eighty million patients. Will the ONC hold Anthem responsible? We will soon find out.
Meanwhile, regulators allow the use of “de-identified” patient medical records in public health and medical research projects, which was a laudable goal specified in the original HIPAA statute. Market research also makes use of de-identified data, however. IMS Health, for example, collects de-identified data directly from the medical records of software vendors and health care providers. The company has compiled information on more than 33 million unique de-identified patients from 85,000 physicians around the world, which, it claims, allows it to analyze interconnections among patient care, disease progression, medical claims, and prescriptions dispensed.
The ONC places responsibility for securely de-identifying a patient squarely on the provider or vendor, but offers guidance. A list (really an algorithm) of 18 identifiers must be removed—or, in the case of zip codes and age-groups, lumped together so that a patient with an unusual disease could not be identified in a small group based on zip code or age. Clearly, large companies interested in this data for market purposes are in a much better position to use it than are medical researchers doing epidemiological work.
So what is the upshot of all this? Overall, HIPAA successfully has implemented electronic billing between insurance companies and providers of medical care. The electronic data interchange and associated code sets continue to evolve with reasonable effectiveness. A new diagnostic code set, called ICD-10, is scheduled for implementation this year. While its predecessor had around 14,000 diagnostic codes, ICD-10 will have 68,000. Providers will be able to make more precise code designations, but will have to search through almost five times the codes to find them. In order to do this in real time during a patient visit, a computer search algorithm is required. In subspecialties, even these detailed codes never seem to capture accurately the subtleties of disease variability and new disease categories.
The “official lists” approach, moreover, has encouraged the impression that medical services are a commodity rather than a personal service. Compensation is determined by the linkage of certain diagnostic codes to specific procedure codes. This approach to medical service billing invites gaming, and a whole industry of up-coding by hospitals and physicians and down-coding by insurers and other third-party payers has developed around this system.
Physicians have complained that there is no consideration here of medical expertise or surgical skill. A family practitioner, for instance, is paid the same amount as an endocrinologist for tending to a diabetic or hyperthyroid patient. The two to three years of additional fellowship training required to be eligible for board certification as an endocrinologist may help explain the present shortage of 1,500 professionals in the field.
The Affordable Care Act, meanwhile, has largely superseded COBRA’s and HIPAA’s provisions for insurance portability. Insurers cannot charge higher rates or deny coverage for pre-existing conditions. Complete coverage for new or longstanding conditions can be purchased at any time despite a lapse in insurance or no prior insurance. Hospitals allegedly purchase insurance for non-covered indigent patients at the time of admission, and then allow the insurance to lapse after discharging the patient. Physicians see patients who present an insurance card issued a month or two earlier, during a hospital stay. The insurer does not confirm or deny coverage while the patient is in the office, but later declines to reimburse for services rendered because the patient has not made any further payments. The Affordable Care Act specifically forbids the provider to bill the patient directly in this situation. Apparently, the law has replaced a portability problem with an “un-report-ability” problem.
Health Savings Accounts, on the other hand, have been successful and popular. They encourage personal responsibility through tax deductions. In July 2014, 17.4 million people had one. This helped soften the impact of the new trend toward higher deductibles and copays for younger people who are basically healthy but would require a lot of medical care in the event of sudden illness or injury. Progressives and liberals argue, however, that these accounts are merely a tax shelter for the wealthy and middle-class and complicate efforts to promote what amounts to socialized medicine. Obviously, few individuals who live from paycheck to paycheck will be able to implement a health savings account.
HITECH’s privacy rule and security promulgation constitute an elaborate and still-evolving area bound up with the threat of cyberattacks, which large corporations and government agencies are barely able to manage. Individual practitioners and small groups have minimal resources to counter this threat, but the very diversity and isolation of small health care databases make them less interesting to ego-driven hackers. Hopefully, cyber defenses will be stronger by the time health care databases become even more interconnected.
Consider, too, the alarming news that credit card data now can be de-anonymized with just three or four pieces of information. Although there have been no reports of this in the HIPAA area, one wonders about the fact that pharmaceutical companies always seem to know which physicians are prescribing how much of their products. Crossing these personalized data sets with the de-identified data sets could conceivably de-anonymize them. It seems like a general benefit to allow health care researchers access to de-identified data and, perhaps, a necessary evil for professional societies to use registries to permit compliance with quality measures. Although most of us could accept restriction of commercial access to this database, it is difficult to imagine the commercial lobbies agreeing to that distinction.[1]
The campaign against fraud and abuse in Medicare and Medicaid has been relentless. However, the balance between overzealous prosecution and inadequate enforcement of the statutes is obviously a central issue now. The actual statutes regulators have enforced include the False Claims Act, Anti-Kickback Statute, Physician Self-Referral Law, Social Security Act, and the United States Criminal Code. The Office of the Inspector General has the authority to exclude providers from HHS programs and to impose civil monetary penalties. DOJ and HHS have jointly formed the Health Care Fraud Prevention and Enforcement Action Team. Medicare has contracted audit and investigation with outside contractors in several different programs, including comprehensive error rate testing contractors; Medicare administrative contractors, which pay claims and enroll providers and suppliers; Medicare drug integrity contractors; recovery audit program recovery auditors; and zone program integrity contractors. Between 2008 and 2012 Medicare recovered $16 for every $1 invested in the effort. Recovery auditors’ payment is based on the bounty system, which has led to the perception that they are often overzealous. In 2013, Senators complained that the drug integrity program had been ineffective in detecting fraud and abuse in Part D and Part C of Medicare, since most of the investigations were referrals from a patient tips hotline.
The implementation of electronic health records is incomplete, fragmented, forced, expensive, and, in the end, more focused on rules than patients. Treating a patient requires a physician to synthesize a large amount of information gleaned from talking to the patient, physical examination, classical education, recent literature, interaction with peers, and personal experience. The better and more experienced a physician is, the more efficiently he or she can narrow the relevant priorities for diagnostic testing, differential diagnosis, treatment, and patient explanation. By contrast, most health records software is encyclopedic in nature. It involves entering huge amounts of documentation into computer templates that must meet the criteria of the “certified” software. Since most of this must be entered manually, this has had the effect of turning physicians into data entry clerks. Some physicians began to use “scribes” to enter data. At first Medicare forbade this, but eventually relented. No funds, however, are provided for this additional personnel expense by the physician.
Much of the “certified” electronic records must be “structured”; that is, they must consist of branching punch lists of medical history, physical examination findings, diagnostic codes, and procedure codes. Additionally, now that the government has seen that a reasonable fraction of physicians can handle this, they are adding more lists certifying specific quality measures and meaningful use. Physician judgment doesn’t fit into any of the boxes in the punch lists, and yet physician judgment is the most crucial element for successful treatment.
If doctors spend more time recording marginally relevant and irrelevant data while jumping over Medicare’s imposed hurdles, they have less time to interact with patients and consider higher-level judgments. Since decreasing payments have forced physicians to be more efficient, there is only so much time that can be spent on each patient. The whole process has been hugely expensive. Most practitioners have delayed implementation as long as possible. Incentives were offered for early implementers, but they will be phased out next year, and initial incentives are not enough. Providers think electronic records are an immediate money-loser with increasing losses the longer they are used. Significant penalties for not using them are to be implemented progressively over the next five years, and hospitals and physicians will bear the bulk of this cost. Electronic records have a significantly negative net present value, meaning that the individual is immediately poorer as soon as he decides to proceed with the project.[2] Many older physicians understand this and have decided to continue with paper records until the penalties drive them out of business.
The future is very uncertain. HHS is committed to ever more stringent meaningful use criteria, which will call for continued rewriting of the software. An enormous consolidation of software vendors is coming; what happens if your software vendor goes bankrupt or just loses interest? The provider is in the position of paying the software vendor to update the software and may need to buy a whole new system from a surviving vendor.
HIPAA is about insurance payment and coverage, accounting and electronic transactions, privacy, and the prevention of fraud. It was successfully implemented because these are all familiar functions of business, finance, and government. These familiar functions were easily adapted to the health care industry, Medicare, and Medicaid. It is essentially finished business.
HITECH is about the computerization of medical records, public health research, and improvement of medical care by enforcing standards set by the HHS Secretary. It is doing now what HIPAA thought it was going to do years earlier. HITECH is optimistic, grandiose, forced, and, to date, only marginally successful. By its very construction, it is vulnerable to administrative overreach and political whim. One can see how the relative success of HIPAA would lead bureaucrats and technocrats to believe that HITECH was the logical next step. If physicians can match up a list of diagnoses to their billable diagnostic tests, treatments, and procedures, surely they can match lists of symptoms, physical exams, test results, and differential diagnoses to the diagnostic codes. This line of reasoning is a common fallacy among public health physicians and others interested in “the big picture.” All the while, physicians were grumbling about fitting odd-sized diagnostic feet into standard-sized diagnostic shoes. Similar problems apply to the procedural code sets. Physicians and hospitals were paid well to go along with this charade, so they grumblingly complied.
Extending this line of reasoning to the actual management of patients is a step too far. “Meaningful use” of electronic records is debilitating to meaningful patient management. The “quality measures” often bear the stamp of public-health-style thinking. They are often trivial, mechanical, and superficial. Sometimes they hold physicians accountable for the behavior of patients that is really the patients’ own responsibility.
The overwhelming cost of this program is forcing physicians to retire early, abandon private or independent practice, and reduce capital investment in ordinary equipment needed for their practice. The costs are not monetary alone. They also make misguided demands on physicians’ time and require too much attention to list checking. This leads to shallower clinical effort and less personal treatment of patients.
HITECH is fascinating in many ways and has advanced the computerization of medicine greatly. However, a truly meaningful goal would be to slow the implementation rate and cut back its financial penalties while allowing computer technology to be adopted in a less regimented way. The program does not need to be completed in three years or by any specific deadline. Let us recognize the limitations of “cookbook medicine” and stop the trivializing “quality measures.” Physicians who actually see patients and suffer the consequences of this system should at least be equal in management authority with the non-clinical public health doctors and overreaching technocrats who, it seems, could not care less about actual health care.
[1] My “compliance officer” (required by the OCR for each practice) seems to have the idea that patients can only be called by their first name from the waiting room. This policy can cause some awkward moments when a twenty-something is summoning an octogenarian by his or her first name. Patients perceive it as disrespectful and demeaning, adding to the feeling of depersonalization creeping into medicine. This seems especially ironic in one smaller town where most people seem to have known each other since grade school and appear to be actively catching up on gossip in the waiting room. Also, there can be several Roberts and Janets in a good-sized waiting room at any one time. Fortunately, our portable EHR incorporates patient photos with the potential to sort this out.
[2] I estimate NPV for EHR implementation for my three-physician practice to be a net loss of $449,000 over the first ten years at a 7 percent discount rate. This calculation includes software, hardware, incremental internet costs, a 15 percent risk of having to replace our software, and incremental IT support, as well as supposedly off-setting incentive payments for qualifying EHR. This will allow us the option of avoiding $618,000 in penalties over the next ten years. You can look at this as a net gain of $170,000 or a net loss of $449,000 for the EHR and a further loss of $618,000 due to provision of unproductive and uncompensated compliance services provided to CMS, for a grand total loss of $1,077,000.