You might expect IT managers to roll their eyes at the mention of new government regulations that force them to retrofit or even overhaul their systems. But some health-care industry IT practitioners say changes mandated by HIPAA are just what the doctor ordered.
The regulations that are part of the Health Insurance Portability and Accountability Act have raised awareness about IT security and privacy best practices, and they're driving transaction-format standards that are sorely needed. They've also forced insurers and health-care providers to set aside their age-old animosity and together devise plans for compliance.
IT pros on both the payer and provider sides of the fence agree that HIPAA has forced a re-evaluation of virtually every system under their control, not just patient databases. For example, Children's Hospital Boston, the largest pediatric medical center in the United States, wants to take advantage of the new HIPAA-inspired standards to swap more X-rays and diagnostic reports electronically with other medical providers, but few provider systems can work with the Netscape back end of its iPlanet e-mail system. So the hospital is moving 1,000 users to Microsoft Exchange by October 7. HIPAA "wasn't the only driver," says Children's CTO Scott Ogawa. "But it factors heavily."
Bruce Peck, information security manager at St. Vincent Hospital in Indianapolis, says HIPAA has strengthened his case for security improvements throughout the 1,200-bed facility. Peck's wish list has long included an authentication system that would let physicians sign on once via remote connections to all the applications that handle patient and lab data. Since these doctors are unaffiliated with the hospital and can choose any facility for their patients, it makes good business sense to attract them with such a system.
If the business case wasn't a good enough argument to add SecurID tokens from Security Dynamics Technologies and single sign-on management software from Computer Associates, the clincher was the HIPAA privacy rules that took effect in April. They require that employees have only enough access to patient data to do their jobs, and no more. For St. Vincent Hospital, role-based authentication was the solution.
Peck has also added an intrusion-detection system from Internet Security Systems to ensure compliance with HIPAA's data security requirements, which take full effect in two years.
"The HIPAA security regs are the stuff that we should be doing anyway," Peck says. "HIPAA just gives you the hammer to do it now."
The price tag for HIPAA upgrades is steep. Consultants we spoke with estimate that insurers and providers will spend between two and five times what they spent on Y2K remediation. For a large organization, that adds up to at least $4 million; some insurers will spend $10 million.
HIPAA accounts for the fact that not every health-care provider has the resources of a Children's or St. Vincent. Providers are directed to do what they can and then document what they did and why they did it. The key is making sure you have been diligent in the event of a lawsuit.
Even so, many providers, especially small medical practices that relied on their software vendors to provide HIPAA updates, won't be ready when the transaction and security deadlines hit, in October 2003 and April 2005, respectively. Many are expected to revert to paper forms--a nightmare for the insurers, whose work forces and IT systems are calibrated to process claims electronically.
Rather than update their software, many practice-management vendors have said they will sunset their packages and provide no further upgrades. "There is a prevailing wisdom that the amount of paper will move sharply upward," says John Dyer, marketing segment manager for health care at IBM, who expects small providers to outsource claims processing to clearinghouses, such as WebMD.
Perhaps the biggest challenge is standardizing the EDI transaction formats that insurers and medical providers use to exchange information about claims. The current systems are designed to send and receive small blasts of information, such as an inquiry into whether a patient is eligible for a certain procedure or a check on the status of a claim. Even though there are standards that define the format of those blasts--for instance, UB92 for Universal Billing--insurance companies such as Aetna, BlueCross and Cigna represent those transactions differently in their own systems.
Under HIPAA, hospital claims can also include up to 999 items called service lines, which are the specific supplies and medical services that make up a single claim for payment. This means accommodating more information packed into fewer transactions. Rather than perform Y2K-like remediation on mainframe applications written in COBOL and assembler--which can't handle files with so many service lines--many payers and providers are placing XML gateways in front of their back ends to turn proprietary formats into standard ones.
Children's Hospital built such a gateway to aggregate the blasts, package them into HIPAA-compliant transactions and route them to the appropriate payers. In reverse, the gateway continuously watches for returning transactions and converts HIPAA-compliant formats back into Children's native formats.
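The gateway pattern described in the two paragraphs above, sketched as an added example (constructed here, not code from Children's, NEHEN or any vendor): flat native service-line records are grouped by claim, packaged into a standard-format transaction that respects the 999-service-line ceiling, routed by payer, and converted back on return. The transaction layout, the field names and the policy of splitting an oversized claim into numbered parts are all assumptions for illustration.

```python
"""Illustrative claim gateway: native service lines -> standard transactions -> payer queues."""
from collections import defaultdict

MAX_SERVICE_LINES = 999  # per-claim service-line ceiling cited in the article

# Constructed sample of a hospital's native format: one flat record per service line.
NATIVE_LINES = [
    {"claim_id": "C100", "payer": "PAYER_A", "proc": "99213", "amount": 120.00},
    {"claim_id": "C100", "payer": "PAYER_A", "proc": "85025", "amount": 35.50},
    {"claim_id": "C200", "payer": "PAYER_B", "proc": "71020", "amount": 88.00},
]


def aggregate(native_lines, max_lines=MAX_SERVICE_LINES):
    """Group native records by claim and package each claim as a standard transaction.

    A claim with more than max_lines service lines is split into numbered parts
    (an assumed gateway policy for back ends that cannot handle long files).
    """
    by_claim = defaultdict(list)
    for rec in native_lines:
        by_claim[rec["claim_id"]].append(rec)
    transactions = []
    for claim_id, recs in by_claim.items():
        for part, start in enumerate(range(0, len(recs), max_lines), start=1):
            chunk = recs[start:start + max_lines]
            transactions.append({
                "claim_id": claim_id,
                "part": part,
                "payer": recs[0]["payer"],
                "service_lines": [{"procedure": r["proc"], "charge": r["amount"]} for r in chunk],
                "total_charge": round(sum(r["amount"] for r in chunk), 2),
            })
    return transactions


def route(transactions):
    """Bucket standard transactions by destination payer (one outbound queue per payer)."""
    queues = defaultdict(list)
    for txn in transactions:
        queues[txn["payer"]].append(txn)
    return dict(queues)


def to_native(transaction):
    """Reverse direction: flatten a returning standard transaction into native records."""
    return [{"claim_id": transaction["claim_id"], "payer": transaction["payer"],
             "proc": sl["procedure"], "amount": sl["charge"]}
            for sl in transaction["service_lines"]]
```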
The gateway was implemented in accordance with standards developed by the New England Health Care EDI Network (NEHEN), a group of hospital and insurance company CIOs and CTOs formed in 1998 to address HIPAA, which was passed two years earlier. The goal was to define standard formats and best practices in advance of specific direction from federal regulators, says Ogawa, who is a voting director of the consortium. The standards were developed with help from integrator Computer Sciences Corp.
To Ogawa, it was far preferable for Children's to go it alone rather than rely on its software vendors to provide HIPAA updates. It was also important to start early. "We couldn't just rely on what the vendors might do at some point," he says. "Like Y2K compliance, we knew we would be at their mercy if we waited."
Because HIPAA rules sometimes add new information and require new form fields, a gateway isn't enough. Remediation may be necessary so that old back-end systems can address the new fields. New applications are also necessary on the front end. Children's built a separate application to track privacy disclosures throughout the hospital, so that a patient who signs HIPAA forms in the reception area won't have to sign the same forms later. It wasn't optimal to build functions into existing apps for disclosure tracking; not all employees use the same apps, and some vendors prohibit alterations to their code.
North Carolina's Medicaid program chose to migrate to an IBM DB2 relational database from an old VSAM (virtual storage access method), which provided direct access to files. It added a gateway to translate inbound transactions into formats that the existing back end would understand and outbound transactions into standard formats. It also altered the back end because it couldn't accommodate the multitude of transaction types associated with Medicaid. Medicaid covers more treatments than commercial insurers usually do, including social work services, disabled day-care services and long-term care, says Cathy Waters, an EDS systems director who oversees North Carolina's Medicaid systems. EDS processes all of the state's Medicaid transactions, totaling $7 billion last year. Some 38 states contract with fiscal agents for Medicaid processing.
There's a movement afoot to eliminate local codes and standardize on a national system, which would impose a new burden on IT. Meantime, health-care IT managers should pay careful attention to HIPAA lawsuits. Experts say many of the regs leave implementation details open to interpretation. "The litigation piece will drive the next wave of what IT has to do," Peck says. "Until litigation is brought, courts make their decisions and then [Congress] goes back to clarify; it will be a constant change-and-update environment for the next few years. ... People who say they're 100 percent HIPAA-compliant are fooling themselves." --David Joachim