While Congress worked this winter to pass a law to ensure the security and privacy of electronic health information, Intermountain Healthcare crunched the numbers.

The Salt Lake City-based healthcare system determined that in a "worst-case scenario," complying with one version of the bill would cost $250 million over three years, including $78 million for data-storage, $68 million for programming and $106 million for personnel and other maintenance costs. Much of the projected outlay would go toward complying with new accounting requirements to track, among other things, routine disclosures of information used to treat patients, billing for services and conducting operations.

"It's a very large number," said Joe Hales, one of Intermountain's regional directors of information systems. "Even if we're off by an order of magnitude, $25 million over three years" would swamp Intermountain's department of health information management, which spends about $12 million annually.

"This blows their budget," Hales said.

Enlarging the privacy umbrella also means that "vendors will have to consider new costs for them to comply [that] may change the nature of the relationship [between covered entities and business associates]," said Hales. "There will be new costs that we bear because of compliance."

Slow down, said Deven McGraw, director of the Center for Democracy & Technology's Health Privacy Project, an advocate for robust privacy protections.

"It is early for folks to be out there saying this will cost millions of dollars to implement when so many of the provisions that will be costly don't take effect right away," said McGraw. She noted that the actual financial burden the law imposes won't be known until the Department of Health and Human Services issues guidelines that will take into account the cost of compliance. That clarification won't be ready for months.

The American Recovery and Reinvestment Act of 2009, signed into law on Jan. 17, includes the most significant changes to privacy and security rules in the Health Information Portability and Accountability Act (HIPAA) since its enactment in 1996. Its tough new standards require more fastidious accounting of health data and demand greater accountability from individuals and organizations that handle, use or transmit electronically stored personal health information.

The intent of the new law is to instill public confidence in the security and privacy of health IT. Yet among some providers, payers and players in the health information delivery system, the law has generated some angst.

"We're all struggling to deal with all the complexities of privacy," said Jim Murray, chief information officer at the University of California's Irvine Medical Center, which is already subject to California's breach notification law, a model for the federal legislation. "They keep making things more complex. We are concerned about how we will move forward and how this will impact systems."

California could be the canary in the coal mine. It already has some of the country's toughest privacy and security laws, including significant fines for breaches of medical records. When the state's regional health information networks began to emerge a few years ago, healthcare organizations struggled to abide by regulations that cover a broad range of institutions, including health records of prisoners and residents of state psychiatric hospitals.

"This is something that we all are going to live with," said Dr. Eugene Spiritus, the Irvine center's chief medical officer. "It's hard to believe it will get more complex."

Privacy advocates concede that complying with stricter privacy and security provisions might bear some higher business costs. But that's simply the price of an advanced national health information system, they contend.

"It will require some changes in the way they do business," McGraw said of the affected organizations. "But if that is what it takes to build patients' trust and to move forward with a health information network, then that should be part of the equation."

Enforcement muscle

Until now, enforcement of HIPAA's security and privacy regulations has been lax. The new law provides muscle for enforcing tightened regulations, including more careful tracking of disclosures and an expansion of HIPAA's purview to include business associates of covered entities. It also gives individuals the right to access and receive electronic copies of information in electronic medical records, restricts dissemination of health data for authorized disclosure and limits the sale and marketing of that information.

To promote compliance, Congress will require HHS to have a privacy officer in each of its regions and a chief privacy officer in the Office of the National Coordinator for Health IT (ONC). Lawmakers also increased civil fines for violations, up to $1.5 million annually. Additionally, HHS is required to conduct periodic audits of covered organizations, and states' attorneys general are now authorized to enforce HIPAA.

Breaches involving unsecured health information will require mandatory notification of affected individuals. In the event of breaches involving more than 500 people, covered entities must notify HHS and "prominent media outlets."

Critics of the media-notification provision say it has the potential to undermine both the perception and the reality of security, first by alarming people and second by "telling hackers which systems are vulnerable," said Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS). "My personal feeling is that this increases overall risk."

Another major change in the new law requires business associates of HIPAA-covered organizations to bear responsibility for complying with security and privacy standards. Until now, associated organizations"claims processors, benefits managers, outside accountants, third-party plan administrators, transcription services, software programmers, collection agencies"entered into contracts that recognized the obligations of the covered entities (providers, payors, data clearing houses) to which they provided goods and services. But business associates were removed from direct oversight.

The arrangement was a "loophole that swallowed the rule "¦ a break in the chain of trust," McGraw said. "This is a big change."

Especially for business associates who have been less than diligent about compliance. "There are those out there who have built business models on the assumption that they would be covered entities under HIPAA at some point in time and those who didn't," said Steve Gravely, chairman of ONC's data use and reciprocal services agreement (DURSA) work group. "For the rest of the world that didn't structure their HIEs or RHIOs as covered entities, they will have to go back and put in privacy and security measures. For them the statute has an immediate impact."

Gravely is a consultant to MedVirginia, a regional HIE that recently linked a number of Virginia hospitals with the Social Services Administration (SSA). The resulting system speeds health records to SSA's benefits assessors to help verify claims applications.

Gravely does not anticipate disruptions resulting from the new law, largely because the arrangement with SSA honors a DURSA, a legal agreement that governs security and privacy obligations of organizations connected to the National Health Information Network.

Protecting data anywhere

Making more types of organizations subject to privacy rules shifts the intent of HIPAA toward the ideal of protecting data wherever it resides, inclu