January 14, 2002

MOVING BEYOND HIPAA to e-health
By Jerry Keister


The maxim “business as usual” generally has applied to healthcare. However, the Health Insurance Portability and Accountability Act (HIPAA) is beginning to seriously erode that philosophy, and it will continue to do so for the next five years or more.

Title II of HIPAA, also known as the Administrative Simplification Act, was written essentially to address security of health information being sent electronically over the Internet, according to Richard Howe, PhD, president of eHealth Ventures and vice president of Professional Services at MedPlus, Inc. in Cincinnati, Ohio. Title II sends three different messages to the healthcare industry: Become efficient by standardizing codes and using electronic transmission; eliminate fraud and abuse; and preserve patient privacy.

The new HIPAA regulations will be introduced and implemented in stages. In the initial step, HIPAA will strengthen security and privacy, protecting the critical confidentiality of patient data. This set of regulations pertains to privacy of patient data, and will take effect by April 2003.

Next, HIPAA will introduce uniform transaction standards and code sets, eliminating the many diverse and proprietary data schemes in current use. In this set of regulations, expected to take effect in October 2003, HIPAA specifies the format of certain electronic transactions (such as enrollment, claims, and authorization) and forbids the use of anything but standard code sets. Security issues, which are still being finalized, are expected to be enforced by 2004. The last set of regulations, in which payors, employers, providers, and patients are assigned unique national uniform identification numbers, should take effect by 2006 or earlier.

HIPAA is a sweeping piece of legislation that affects virtually every participant in the trillion-dollar healthcare industry. Jacob Kuriyan, president and CEO of Physmark, Inc., a Dallas, Tex.-based software company specializing in providing strategic information technology (IT) solutions for HMOs and health plans, explains that a central concern for industry participants, investors, and financial analysts is how HIPAA will affect the business of healthcare. “Who will be the beneficiaries? Who will need to make adjustments? Which companies can leverage HIPAA to improve their business?” he asks.

The primary intent of HIPAA, as it was formulated in the mid-’90s, is threefold: to provide better access to health insurance, to limit fraud and abuse, and to reduce administrative costs. But there is a broader vision of what HIPAA is and what it can become, according to Jim Kelly, senior vice president and CMO at Optio Software, Inc., in Alpharetta, Ga. Basically, says Kelly, this broader vision is to bring the healthcare industry into the world of e-commerce. “Overriding everything that’s involved with security, auditing, and privacy is the desire of the government to bring efficiency to the whole healthcare system by bringing healthcare organizations into e-commerce. This is very important, because some healthcare organizations plan to become HIPAA-compliant by using paper. This can be done, but that’s really not the intent. As the HIPAA rules come rolling out, I think the hospital and healthcare public needs to understand that there is the intent to move into e-health.”

The law covers four primary sections: transaction codes (passed in August 2000), privacy (passed in October 2000), unique identifiers (pending), and security (pending).

Interestingly, according to Kelly, most organizations do not currently have a technology infrastructure or the policies or procedures in place to comply with HIPAA. HIPAA involves a combination of processes, procedures, and IT. It is an enterprisewide IT issue, affecting everyone in an organization.

The payors have been the first to act on these mandates. Most provider organizations are just now starting to consider HIPAA issues, with the majority still having too much to do and not enough time.

Most of the current concerns are focused on the changes to business processes and operations arising from HIPAA’s privacy and security regulations, according to Kuriyan. He says hordes of consultants and lawyers are working zealously to analyze gaps and offer remediation.

Another important concern, however, is how HIPAA will reshape healthcare IT, beginning in April 2003 with the privacy rules and ending with the introduction of uniform identifiers by 2006. During the next five years there will be an incessant need to modify and tweak software, with uniform identifiers alone requiring an effort akin to the Y2K preparation.

In all likelihood, according to Kuriyan, the segment that will be the first to feel the impact of the HIPAA regulations will be payors, healthcare organizations such as HMOs, health plans, and third-party administrators who accept, process, and pay claims. Each of these entities will be required to accept electronic transactions in HIPAA format. He explains that providers can delay HIPAA’s impact by merely resorting to paper transactions or by using clearinghouses as intermediaries. Payors have no such option. If a provider sends a claim electronically to a payor in a HIPAA-compliant format after October, HIPAA requires the payor to accept and process it.

In order for the providers and payors to figure out what needs to be done, there are four major tasks they must plan, according to Kelly. The first is to perform a gap analysis to understand where the gaps are—technology gaps, procedural gaps, policy gaps. Where are the security leaks? By identifying these shortcomings, a remediation strategy can be devised.

The second stage is to implement the minimal HIPAA technology to be able to say that organizations have complied with the audit trails and developed security measures and passwords.

The third stage is to embrace e-health and get into the e-health field with portals and related technology. After the remediation strategy is completed, there has to be the implementation of some kind of technology and/or some kind of process installation.

The fourth part of the process is the actual transformation.

Back in the year 2000, organizations had many options in their quests to become HIPAA compliant, Kuriyan points out. One option was to change their entire system to make it more modern so that they could eliminate these problems. The modern systems can handle translation problems quite easily. The other choice, he added, was to go back and try to fix their legacy systems. “That’s really a bad move, but you’d be surprised at how many big organizations are still doing it. This is a short-sighted solution, and it’s going to get worse.”

As Kuriyan sees it, there are essentially three options. One is to use a translator to create whatever is necessary to comply with HIPAA. Another is to find a clearinghouse that is willing to do it for you. And the third option, offered by Physmark and others, is to build a full-fledged product rather than asking someone to create something from scratch. A translator will take data that are arranged in one specific format and rearrange them in a format acceptable to HIPAA. It takes the multitude of priority codes and specialty formats used by different institutions and translates them into one single, HIPAA-compliant format. A clearinghouse is an organization that has a translator within its own facility, so when data are sent to it, it will translate them. The clearinghouses, some of which charge per transaction, take claim data, convert them to a HIPAA-compliant format, and forward them.

Most healthcare organizations use antiquated legacy systems, which are the more traditional, difficult-to-modify information systems that have been around a long time. Many vendors who supplied these legacy systems are no longer in business, and as each installation will require a unique custom programming effort to conform to HIPAA, modification procedures will be both time consuming and costly. As the HIPAA deadlines rapidly approach, healthcare organizations are discovering that it will cost millions of dollars to make their legacy systems compliant. Despite these expenses, a few adventurous organizations have decided to “repair” their legacy systems, ignoring the fact that HIPAA’s forthcoming uniform identifiers will be prohibitively expensive to implement. Switching to modern systems is an option, but one that typically requires 24 months of extensive budgeting and planning. This kind of fiscal decision cannot be made swiftly, and may prevent the organization from meeting HIPAA’s imminent deadlines.

Kuriyan notes that most payors are banking on the suggestion in HIPAA regulations that translators and clearinghouses can help accommodate the new electronic communication standards.

While HIPAA regulations recommend translators as a means to help convert and format data according to specifications, this solution is insufficient for legacy system owners. They will be forced to create external databases that are linked to the legacy system, a monumental effort that requires experienced software engineers developing complex programs. Even more significantly, a permanent staff of programmers would be needed to support and maintain the software because of continuing changes in the healthcare industry. Unfortunately, this option essentially turns the healthcare organization into a software house.

HIPAA regulations also suggest the use of clearinghouses as an “outsourcing” option. In this case, HIPAA responsibilities are transferred to an external group with costs ranging from $1 to $2 per member per month. Additionally, legacy owners will still need to store parts of their HIPAA records in a database and develop custom programs to link them. This is, at best, partial outsourcing with an untenable price tag.

Kuriyan points to two other reasons why the use of translators and clearinghouses may prove to be wishful thinking.

The first hurdle confronting translators and clearinghouses is the “extra fields” present in a HIPAA transaction that legacy systems have no room to retain, but which are needed to create a HIPAA-compliant transaction. Translators do not have the option of storing any data and, therefore, will fail to handle extra fields. Clearinghouses can, in principle, retain extra fields, but this requires customization. “Since clearinghouses use legacy technology, why would this fix be any easier than modifying payor legacy systems?” Kuriyan asks.

The other challenge for translators and clearinghouses is the presence of proprietary codes in legacy systems that handle business logic. It is estimated that Medicaid agencies throughout the country have 33,000 proprietary codes in use. Matching them uniquely with standard code sets defined by HIPAA is a complex challenge and involves constructing “crosswalks” to interpret the business intent. Translators do not offer that option and will fail to map standard codes to proprietary codes, and vice versa.

Kuriyan points out that HIPAA privacy legislation has an unexpected and serious business ramification for clearinghouse users. Currently, clearinghouses sell patient healthcare data to other third parties, claiming that revenue from such sales allows them to offer lower transaction rates to health plans. Since HIPAA forbids such sales, it is reasonable to expect that clearinghouse transaction costs will rise. How does all of this impact a payor’s business? “Payor costs for meeting HIPAA’s IT requirements will mount, and payors will not see any immediate returns on investment in HIPAA activities,” explains Kuriyan. “In the absence of new funding, payor organizations will have many difficult budgetary choices.”

Providers, on the other hand, can easily sidestep HIPAA’s electronic standards by using clearinghouses or reverting to using paper forms. The impact will be no different from accepting current Medicaid contracts, Kuriyan predicts. “Of course, uniform identifiers will affect physician and hospital systems, but they will have a few years to make the necessary changes to their software,” he says. “In short, providers will not have a tough time complying with HIPAA rules.”

HIPAA has the potential to drive legacy payor systems to extinction. Even without including uniform identifiers, legacy owners will be faced with employing 50 to 150 people to fix their systems. “Why not buy a new system with modern features with less of an investment?” asks Kuriyan. HIPAA requires many changes to IT, all in a span of five years or less. From a programmer’s point of view, this is a very short time. There is not enough time to redo tasks. While it makes sense to tackle HIPAA requirements sequentially—privacy first, then transactions, followed by security and uniform identifiers—it is best to find a solution that will allow one to build the next step of improvement over the previous one, without any reengineering.

If eventual replacement is the logical conclusion, HIPAA compliance by itself cannot provide economic justification. Clearly, other benefits must be realized with an investment of this magnitude. Traditionally, life in the legacy world includes a significant number of hybrid and suboptimized manual processes. A replacement strategy must support a successful transformation to fully automated processes.

“While the focus may be centered on technology, overall business transformation, reduced costs, and improved satisfaction must be the result of a fully enabled HIPAA solution,” says Kuriyan. “This can be accomplished only through tangible, quantitative results. Without it, the zeal and perseverance to change will wane quickly.”

Kuriyan points out that there is no way an organization, even a payor organization, can justify investing the large sums of money required to make itself HIPAA compliant, and then wait five years for rewards when all these efficiencies will slowly start bearing fruit. Therefore, organizations should really be looking at HIPAA from other angles, not just from the point of view of conforming to the law. They should try to see if they can take advantage of some of the newer features that modern technology offers. For example, Oracle Corporation is undertaking an intensive initiative to encourage all organizations to use the Internet to do e-business. But, according to Kuriyan, healthcare has traditionally been very slow to adopt these new technologies. “This is an angle that people should be looking at because it surely does cut down on staffing,” he notes.

A viable option for healthcare organizations seeking to become HIPAA compliant is the HIPAA Appliance from Physmark, Inc. For organizations that prefer to maintain control over their data while not becoming software houses, the HIPAA Appliance is a cost-effective alternative. It works as a front-end system to a legacy computer, essentially functioning as an internal and dedicated clearinghouse with custom features to satisfy HIPAA’s needs. Unlike the translator and clearinghouse options, the HIPAA Appliance, with its sophisticated Oracle database, has the added benefit of effectively addressing privacy and security issues.

The HIPAA Appliance is a complete product that can work with a legacy system. It is not merely a programming tool, such as a translator or a service offered by a clearinghouse. While interfaces are still required to transfer data into and out of legacy systems, HIPAA requirements are met fully within the product and users need not engage in complex software development. It includes all of the custom programs to store and handle extra fields and complex crosswalks.

If legacy owners are seeking a way to switch systems, especially as uniform identifiers become accepted, then the HIPAA Appliance is an excellent vehicle for migrating to new technology. It shares table structure and schema of Physmark’s PayerSoft application, designed to service the needs of health plans and other healthcare delivery organizations.

Optio Software Inc. is also working on solutions to enable HIPAA compliance. The company is preparing to launch its new product, called HIPAA-Smart. “We facilitate the secure and private exchange of information to both internal and external patient care teams, internal and external to the payor or providers,” explains Kelly. “We have a translation tool for all HIPAA-required transaction codes. We can take information from legacy systems and translate it to make the codes HIPAA compliant. We also provide secure transmission of patient information in the required format. Our products offer efficient processes for storing and auditing HIPAA-compliant procedures and provide automation of all the privacy documents. And we have a flexible solution that we think can meet specific healthcare organization requirements. It also controls access to patient information.”

How is all this going to take organizations beyond mere compliance to leveraging the regulations to further their own business by getting into e-health?

A product, when launched, will have several phases or levels. One level is the basic security and privacy audit, while another level is going to have an audit viewer. “Either organizations are going to take our technology, which is capturing, transforming, and delivering the legacy transactions in a HIPAA-compliant secure and private way, into their e-health strategy, or they can take our advanced product and use that as their e-health strategy,” says Kelly. “We have a portal product by which users click onto a Web site, click on the patient information portal, put in their password, and get the information they want—baseline labs, current medications, admissions profile, primary care physicians, and specialists. They also can take any of that information and forward it to other people who are authorized to get it.”

Kelly says almost all payors agree they need to take an e-health strategy. They’re seeing that, since the law requires that all their transaction codes be identical, they might as well get totally immersed in e-health so they can move information around completely electronically.

For a provider wanting to move beyond HIPAA and take its strategic business goals into the e-health world, the key approach is to look at HIPAA and say: “I’m going to establish that strategic business goal because I need to do it from a business perspective, but at the same time, I’ll meet the HIPAA regulations.” This is looking beyond HIPAA to e-health.

“There are two ways to look at HIPAA,” says Howe. “I can say HIPAA is a law with which I have to comply, and I’ll do the minimum necessary for compliance. Or, as a primary driver, I can accomplish some strategic business goals, and meet the HIPAA requirements at the same time.” Will the HIPAA requirements make it easier to initiate these strategic business goals?

“It should make it easier because when you go to set up a system, you have to have security, the audit trails, and encryption,” says Howe. “You work these into your strategic business goal plan. If your business objective is to let your patients connect to your hospital, you automatically work the HIPAA requirements into that business goal.”

Howe explains that a first strategic business goal could be to allow community physicians electronic access to your internal patient records systems. A second goal could be to allow the patients to have electronic access to your internal patient records systems. This could be expanded to a third strategic business goal that considers the possibility of eventually allowing patients to input or update any part of their personal medical record.

“Once you set up your infrastructure to meet the HIPAA requirements, then you can start accomplishing those strategic business goals beyond just looking at HIPAA,” says Howe. “Don’t just look at HIPAA as a law with which you have to comply. Determine if you can accomplish some business goals at the same time. The ideal approach is to do both at once.”

— Jerry Keister is a staff writer at For the Record.

Copyright © 2008 Great Valley Publishing Co., Inc.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of For the Record
All rights reserved.