Legislative Analyst's Office Analysis of the 2002-03 Budget Bill

Health Insurance Portability And Accountability Act Compliance (9909)

It is uncertain whether the state will meet the deadlines for implementing the federal Health Insurance Portability and Accountability Act (HIPAA) because it is a significant undertaking affecting many programs and departments. The proposed funding reductions that are necessary in the current year could slow the state's efforts. Given the potential impact of these reductions on affected departments' efforts, we recommend that the Office of HIPAA Implementation report at budget hearings on the steps that are being taken in the current fiscal year to ensure departments' continued progress toward HIPAA compliance.

Background. The federal HIPAA was enacted in 1996 and set many goals for the health care industry. As we discussed in the Analysis of the 2001-02 Budget Bill, HIPAA's primary purpose was to improve the portability and continuity of health insurance for workers and their families. The bill also required the health care industry to take a series of actions to combat waste, fraud, and abuse; to improve access to health insurance; and to increase the efficiency and effectiveness of the health care system. Both private and public sector organizations that provide health care services and use patient or other health care data must comply with HIPAA.

To comply with these new protections, affected organizations will have to make some significant changes in how they conduct business that will result in substantial costs. For example, HIPAA requires national standardization of billing codes for medical procedures. The law also establishes requirements for the handling of certain health care information to ensure privacy of patient health care data. Figure 1 shows the compliance deadlines for the standards.

Failure to comply with these deadlines could result in significant federal monetary penalties against the state and potentially even the loss of billions of dollars in federal reimbursements in its health programs (primarily the Medi-Cal Program). Moreover, HIPAA authorizes both civil and criminal penalties for failure to comply with its provisions. At the time this analysis was prepared, federal authorities had not yet adopted rules that would determine the specific penalties for noncompliance with HIPAA.

Office of HIPAA Implementation Is Responsible for State Oversight. To ensure the state's compliance with HIPAA's requirements, Chapter 635, Statutes of 2001 (SB 456, Speier), created the Office of HIPAA Implementation (OHI) within the California Health and Human Services Agency. By law, OHI must provide oversight and monitor departmental progress on HIPAA and report to the Legislature on implementation efforts. In addition, OHI is responsible for statewide leadership and coordination of the effort, national representation, policy formulation, and training.

The Budget Proposal. The 2001-02 Budget Act and Chapter 635 included $92 million ($24 million General Fund) for various departments to fund HIPAA compliance activities. As shown in Figure 2, the Governor proposed in November 2001 to significantly cut current-year fundingby as much as 95 percent for one department. 

For 2002-03, the Governor's budget proposes to restore state HIPAA funding to the levels originally established in the budget act and Chapter 635. This should enable departments to fully resume work on HIPAA compliance activities in July 2002.

The OHI's Statewide Assessment. Each state entity, including state departments, boards, commissions, and other organizational units of government, was directed to provide to OHI a completed HIPAA assessment form by December 31, 2001. The assessment is intended to enable OHI to determine which state entities are subject to HIPAA and to obtain information about the status of HIPAA efforts for those entities affected by HIPAA. Once OHI compiles this data, it will have a better sense of the full amount of funding required to implement HIPAA and will be better able to determine if the state will satisfy compliance deadlines. Chapter 635 requires that OHI report the statewide results of this assessment to the Legislature by May 15, 2002.

Continuing HIPAA Implementation With Limited Resources. The OHI anticipates that departments' progress towards compliance with HIPAA will be somewhat delayed by the funding cuts in the current fiscal year. Some departments' progress will be delayed more than others by the reductions and at this time it is uncertain which departments will meet the federal deadlines.

Despite the funding reductions, we found that some departments are adjusting the scope of their efforts and proceeding with HIPAA-related tasks with their remaining funds. For example, DHS plans to continue to work on conforming its codes for tracking claims associated with various types of Medi-Cal health care services to the comparable national set of codes. The DHS also plans to conduct a baseline assessment of what needs to be done to comply with the privacy regulations. Another department facing such reductions plans to use its remaining resources to establish program and task priorities based upon its OHI assessment and intends to work within its resources on the most critical tasks based on management direction.

Last fall, prior to any HIPAA-funding allocations, some departments began HIPAA-related work by redirecting existing resources to HIPAA tasks. Some departments are considering a similar approach for the current fiscal year. For example, the Public Employees' Retirement System (PERS), which did not receive a HIPAA appropriation, plans to utilize existing resources to continue with HIPAA implementation.

The state's HIPAA workgroup, which is comprised of representatives from various state and county departments subject to HIPAA requirements, is currently considering solutions for proceeding with compliance efforts with fewer resources. It has suggested that departments proceed with planning efforts, draw on experience gained during the state's Y2K efforts when resources available for compliance often came from redirections of staff and funding, keep HIPAA rules in mind when making purchases, and consider opportunities to partner with private sector businesses to achieve progress. According to the workgroup, with these actions departments may be able to minimize project restart times and prepare to do some tasks.

Others have recommended that organizations take advantage of processes established during Y2K remediation efforts to lessen HIPAA compliance burdens. For example, departments had conducted Y2K information technology inventories that could serve as a starting point for developing the resource management and inventory process required under proposed HIPAA security regulations for medical information and transactions. Other efforts completed during Y2K remediation that could be useful now for HIPAA compliance are security risk analyses as well as data backup and disaster recovery plans to be used in case of information system failures.

Despite these potential solutions, a few departments have stopped all HIPAA work in response to the budget cuts. The Department of Alcohol and Drug Programs has no staff assigned to HIPAA and the Office of Statewide Health Planning and Development's one HIPAA-related position is vacant and will not be filled as a result of a state hiring freeze that is currently in place.

Federal Delay in Deadline Is Misleading. Federal legislation signed by President Bush on December 27, 2001 delays by one year, until October 16, 2003, the date by when organizations must adopt certain national standards established by the federal government. These standards relate to the electronic transmission of health-related data and codes identifying certain types of health care information, such as diseases and medical procedures. This was the first set of HIPAA regulations issued by the federal government. However, the delay is not automatic and, in order to obtain a time extension, entities must submit a compliance plan to HHS by October 16, 2002. The plan must include a budget, a schedule, a work plan, and an implementation strategy for achieving compliance. Given these requirements to obtain a time extension, departments would have to continue some level of effort during the current fiscal year to prepare to comply with HIPAA.

Analyst's Recommendations. Given the state's fiscal problems, we concur with the Governor's proposal to reduce funding in the current year by $74 million ($19 million General Fund) and restore this funding in the budget year. However, we believe that there are still steps that could be taken in the current year to make progress implementing HIPAA. Our findings are based on the actions being taken by some departments that are facing the resource reductions, as well as suggestions made by the state's HIPAA workgroup.

To ensure that the state meets the federal compliance deadlines (and avoids the loss of federal funds), OHI should take an active role in encouraging departments to continue to view HIPAA compliance as a priority. The OHI could encourage this response by conducting regular meetings with departments to discuss working with limited resources, preparing and distributing information that helps departments proceed with compliance efforts, and developing solutions to assist departments hindered by a lack of resources for HIPAA compliance work in the current fiscal year. For example, because OHI is monitoring the efforts of all affected departments in California and efforts in other states, it should be able to identify the most effective compliance strategies available and to promote those approaches to other departments. This could involve such activities as preparing guidelines to assist departments in designing work plans to comply with each of the rules and developing boilerplate agreements such as the employee confidentiality agreement required by HIPAA.

In addition, OHI should encourage departments to analyze their existing resources to determine how they could continue HIPAA implementation. Departments could also use the remainder of the current fiscal year to develop compliance plans and to otherwise prepare for the resumption of full activities in the budget year when funding would be restored.

Lastly, OHI should report at budget hearings on the steps it is taking in the current year to ensure departments' continued progress toward HIPAA compliance.