Privacy and Security of Health Information; Standard Transactions
Pursuant to the Health
Insurance Portability and Accountability Act of 1996, or HIPAA, the Secretary
of HHS has issued final regulations designed to improve the efficiency and
effectiveness of the health care system by facilitating the electronic exchange
of information in certain financial and administrative transactions while
protecting the privacy and security of the information exchanged. Three
principal regulations have been issued in final form: privacy regulations,
security regulations, and standards for electronic transactions.
The HIPAA privacy regulations, which fully came
into effect in April 2003, establish comprehensive federal standards with
respect to the uses and disclosures of protected health information by health
plans, healthcare providers and healthcare clearinghouses. The regulations establish a
complex regulatory framework on a variety of subjects, including:
• the circumstances under which uses and disclosures of protected health information
are permitted or required without a specific authorization by the patient, including
but not limited to treatment purposes, activities to obtain payment for our
services, and our health care operations activities;
• a patient’s rights to access, amend and receive an accounting of certain
disclosures of protected health information;
• the content of notices of privacy practices for protected health information; and
• administrative, technical and physical safeguards required of entities that use or receive
protected health information.
We have implemented the HIPAA
privacy regulations, as required by law. The HIPAA privacy regulations
establish a “floor” and do not supersede state laws that are more
stringent. Therefore, we are required
to comply with both federal privacy standards and varying state privacy
laws. In addition, for healthcare data
transfers relating to citizens of other countries, we need to comply with the
laws of other countries. The federal
privacy regulations restrict our ability to use or disclose patient-identifiable
laboratory data, without patient authorization, for purposes other than
payment, treatment or healthcare operations (as defined by HIPAA) except for
disclosures for various public policy purposes and other permitted purposes
outlined in the final privacy regulations. The privacy regulations provide for significant fines and other
penalties for wrongful use or disclosure of protected health information,
including potential loss of licensure and civil and criminal fines and
penalties. Although the HIPAA statute
and regulations do not expressly provide for a private right of damages, we
also could incur damages under state laws to private parties for the wrongful
use or disclosure of confidential health information or other private personal
information.
The final HIPAA security regulations, which establish
requirements for safeguarding electronic patient information, were published on
February 20, 2003 and became effective on April 21, 2003, although healthcare
providers have until April 20, 2005 to comply. We are conducting an analysis to determine the proper security measures
to reasonably and appropriately comply with the standards and implementation
specifications by the compliance deadline of April 20, 2005.
The final HIPAA
regulations for electronic transactions, which we refer to as the transaction
standards, establish uniform standards for electronic transactions and code
sets, including the electronic transactions and code sets used for claims,
remittance advices, enrollment and eligibility. The transaction standards became effective in October 2002,
although covered entities were eligible to obtain a one-year extension if
approved through an application to the Secretary of HHS. We received this one-year extension through
October 16, 2003 from HHS.
HHS issued guidance on
July 24, 2003 stating that it would not penalize a covered entity for
post-implementation date transactions that are not fully compliant with the
transactions standards, if the covered entity could demonstrate its good faith
efforts to comply with the standards. HHS’ stated purpose for this flexible enforcement position was to
“permit health plans to mitigate unintended adverse effects on covered
entities’ cash flow and business operations during the transition to the standards,
as well as on the availability and quality of patient care.” We continue to work in good faith to
complete the implementation of these standards with those payers who either
were not ready to exchange files in the standard formats as of the compliance
date, or who have varying interpretations of the requirements. Working with
these payers requires that we continue to trade electronic claims files and
payments in legacy formats, even after the compliance deadline of October 16,
2003.
On September 23, 2003, CMS announced that it would implement a
contingency plan for the Medicare program to accept electronic transactions
that are not fully compliant with the transaction standards after the October
16, 2003 compliance deadline. The CMS
contingency plan, as announced, allows Medicare carriers to continue to accept
and process Medicare claims in the pre-October 16 electronic formats to give
healthcare providers additional time to complete the testing process, provided
that they continue to make a good faith effort to comply with the new standards.
Almost all other payers have followed the lead of CMS, accepting legacy formats
until both parties to the transactions are ready to implement the new electronic
transaction standards.
As part of its plan, CMS is expected to regularly reassess the readiness
of its healthcare providers to determine how long the contingency plan will
remain in effect. Many of our payers were not ready to implement the transaction standards by the October 2003
compliance deadline or were not ready to test or troubleshoot claims submissions.
We are working in good faith with payers that have not converted
to the new standards to reach agreement on each payer’s data requirements and
to test claims submissions.
The HIPAA transaction
standards are complex, and subject to differences in interpretation by
payers. For instance, some payers may
interpret the standards to require us to provide certain types of information,
including demographic information not usually provided to us by
physicians. As a result of inconsistent
interpretations of transaction standards by payers or our inability to obtain
certain billing information not usually provided to us by physicians, we could
face increased costs and complexity, a temporary disruption in receipts and
ongoing reductions in reimbursements and net revenues. We are working closely with our payers to
establish acceptable protocols for claims submissions and with our trade
association and an industry coalition to present issues and problems as they
arise to the appropriate regulators and standards setting organizations.
Compliance with all of
the HIPAA requirements requires significant capital and personnel resources
from all healthcare organizations, not just Quest Diagnostics. While we believe that our total costs to
comply with HIPAA will not be material to our results of operations or cash
flows, the potential need for additional customer contact to obtain data for
billing as a result of different interpretations of the current regulations
could impose significant additional costs on us.