HIPAA Compliance


By Jeffrey Schwartz


4:43 PM EST Fri. Mar. 21, 2003
From the March 21, 2003 issue of CRN
April 14 should be circled on the calendar of every health-care organization's CIO, privacy administrator, security officer and medical claims-processing manager. If it's not, the organization either is in really good shape or is scrambling. April 14, just a few weeks away, is the first deadline to comply with a key component of the Health Insurance Portability and Accountability Act, better known as HIPAA.

Unlike previous HIPAA deadlines, this one carries added significance. Barring an unlikely last-minute reprieve, health-care providers and benefits administrators cannot file for another extension. The April deadline requires that providers and payers have documented policies regarding how they will protect patient information. These policies must be made available to all patients. And make no mistake: Privacy advocates will ensure these mandates are enforced.

In addition to privacy, the health-care industry next month will be required to start testing transactions that validate interoperability of data exchanged between providers and payers. The deadline to actually implement those standard electronic data interchange (EDI) formats comes just six months later. Those organizations that did not file for extensions are already in violation, and many small organizations are in that boat simply because they didn't know how to file or weren't aware they had to.

"I think a lot of people are in scramble mode. All of our clients are actively working toward this," said Suzanne Duda, a health-care consultant at EDS, Plano, Texas.

The bottom line is this: Starting next month, health-care providers and insurance companies must assure patients that any information shared electronically will not get into the wrong hands. If it does, those organizations are subject to civil lawsuits and fines of up to $25,000 per breach.

That law could have proven pretty costly for the state of Kentucky, which discarded some old hard drives that had a database of thousands of patients diagnosed with AIDS and sexually transmitted diseases, a state auditor disclosed last month. And elsewhere earlier this year, a laptop was stolen that contained the Medicare information of 500,000 patients.

Indeed, the HIPAA privacy rules are aimed at making sure the health-care industry puts in safeguards so that such egregious breaches don't occur. They are also a first step in promoting the electronic transmission of data to make health care more efficient and ultimately less error-prone and costly. But the privacy rules address even more mundane concerns, which ultimately require better policy management processes and solutions.

For example, simply disclosing medical information to a family member without the patient's consent will become a violation. "I can say, 'I don't want my husband to see my health record.' The customer support rep needs to know that," said Elizabeth Wood, health-care national practice executive at IBM, which helps insurers and providers build processes to ensure patient privacy as well as deploys solutions such as policy management apps that use logon information to make sure individuals only have access to information they need. "It's a tremendous opportunity," she said. IBM offers the gamut of services, from conducting privacy and security audits to implementing solutions that address any holes it may find.

EDS, BearingPoint and Accenture, as well as those that specialize in health-care IT such as Cerner, Daou, Siemens, McKesson and Keane, are creating a big business in everything from conducting internal privacy and security audits to helping organizations convert their proprietary EDI links to those based on X12-standard data. Some companies are going as far as taking over all operation of medical billing and payment processing systems, in which case HIPAA requires a significant partnership between the customer and provider, said EDS' Duda.

That's the way Kay Holmes, chief administrator at the Delaware Health and Human Services agency, which administers the Delaware Medicaid system, describes her relationship with EDS. EDS took much of the burden off the agency's hands by managing a new Medicaid Management Information System (MMIS), which handles everything from processing claims to patient information, she said.

Holmes said the Delaware Health and Human Services agency was one of the few to get out in front of the HIPAA issue. HIPAA was signed by the Clinton administration in 1996 and enacted about two years later. Although the original deadlines were to take effect in 2000, many of the regulations were still forthcoming and the Bush administration had a different view of the privacy regulations. This pushed the deadline to 2002, allowing organizations to file the one-year extension that expires next month.

Few health-care CIOs were losing sleep in the late 1990s about HIPAA compliance. It came to Holmes' attention when Delaware was deploying a new system in the late 1990s and she was told that if it wasn't HIPAA-compliant, it could become obsolete well ahead of its time.

Holmes recalled her early concerns. "I knew HIPAA was coming. We made an issue that we had to incorporate HIPAA into any MIS bids we went out with," she said.

As a result, the request for proposal for the system EDS ultimately deployed required it could handle coding that would support HIPAA regulations as they were released. Last July, Delaware became one of the first benefits administrators to mandate that health-care providers submit claims electronically based on the HIPAA 837 data formatting standard.

At the time, this was new ground for EDS. The integrator developed software called Provider Electronic Solutions, which translates the different e-forms into HIPAA-compliant data formats. Delaware gave health-care partners the choice of becoming HIPAA-compliant and conducting compatibility tests or using the EDS software to bill Medicaid.

The Delaware Medicaid project set the bar for EDS, which now handles a number of state Medicaid and other commercial benefits plans. "Delaware placed a high priority on it," said EDS' Duda. "They took a little bit of risk in moving forward when there was still a lot of concern that the deadlines might change or the requirements might change."

When it comes to benefits administration, EDS has focused on outsourcing of payment processing and the standardization of transaction formats. In contrast, most of the business opportunities with security and privacy focus on audit and assessment engagements.

For example, before looking at the IT infrastructure, EDS walks its customers through a work plan by examining how information flows internally through a client's organization as well as outside it.

"We look at potential points of vulnerability, where information could be accessed or could be disclosed, and we make sure there are business practices in place to prevent inappropriate disclosure," she said. "In a lot of cases, many of these kinds of business practices are already in place. It's just a matter of documenting."

Richard Duncan, CIO of Children's Medical Center of Dallas, said his organization began serious evaluations only last year with health-care integrator CTG Healthcare Solutions. "We were not one of the early adopters; we were waiting for the standards to unfold," Duncan said. One sticking point was the fact that although the privacy policies come due next month, the new security regulations were just released last month and don't have to be implemented until 2005 (see sidebar).

Most agree the current deadlines that deal with privacy and transactions will come and go with little incident. That's because the Centers for Medicare and Medicaid Services (CMS), the federal agency that oversees HIPAA, has already said it will only act on organizations about which complaints are filed, at least for the time being. But most observers also agree that no one wants to be the first accused violator to make the evening news.

For solution providers, bringing customers into compliance is every bit as much a legal and business process issue as it is an IT requirement, according to Patrick Arida, a senior security consultant at Symantec, Cupertino, Calif. By setting policies such as establishing trading partnership agreements and practices regarding how information is accessed and shared, solution providers can play a significant role in aligning the two.

"In a way, HIPAA is helping organizations put together a more structured security program," Arida said.

But the key is not to dangle HIPAA in front of customers to push boxes or software, said Bill Jensen, health-care marketing manager for firewall vendor Check Point Software Technologies, Redwood City, Calif. By his estimation, perhaps as many as 30 percent of Check Point's VARs see HIPAA as an opportunity to boost sales of security and VPN products. That's a bad way to look at HIPAA, he said. "It's not a silver bullet; it's an opportunity to help the health-care industry address some serious issues," Jensen said.

There's plenty of business not only for the big systems integrators, but also for a wide cross-section of VARs, from those deploying security and policy management solutions to middleware, e-mail encryption services and even document management systems.

On the transaction-processing side, customers generally have a choice of either using a clearinghouse or deploying a HIPAA accelerator, middleware that takes proprietary data formats and standardizes them on the X12 EDI standards, primarily version 4010. Sybase, Seebeyond, Microsoft, IBM and Mercador are among the vendors that offer HIPAA accelerators.

Picking the right middleware is perhaps the most significant decision a health-care integrator can make, said IBM's Wood. "The more intelligence they can have in that hub, the more flexible they will be in terms of later providing new products and services and response to market opportunities," she said.

Jeffrey Schwartz is Senior Editor for VARBusiness.

While the pending privacy deadlines falling under HIPAA come due in a few weeks, security has been one of the major quagmires in fulfilling those requirements. That's because to ensure privacy of electronic information, the data must be secured. But the Centers for Medicare and Medicaid Services (CMS), which administers HIPAA regulations, didn't release the final security regulations until just a few weeks ago.

The health-care industry has waited for more than four years for the final regulations. As anticipated, a section in the original proposals requiring electronic signatures was removed from the final regulations. But to the surprise of many, the final regulations offer much more flexibility than anticipated.

Gartner analyst Jim Klein said the major change is that every section of the regulations is now specified as either "required" or "addressable." Twenty-two of the 42 implementation specifications that are addressable involve IT security technology, Klein said.

One of the things now addressable rather than required is e-mail encryption. But while the more flexible security regulations will reduce the costs of compliance by half, particularly for small organizations, they carry more risks, Klein said.

"The changes are more comprehensive than we expected, but I believe they will help health-care organizations focus on what needs to be done," said Elizabeth Wood, IBM's health-care national practice executive.

While that means there is less specificity regarding which solutions will be needed for certain applications, Bill Jensen, health-care marketing manager at Check Point Software Technologies, said it will actually give customers and solution providers more flexibility. For example, the draft regulation said if patient information is transmitted over an open network, it must be encrypted. "But it failed to define what an open network is," Jensen said. "It created a lot of confusion."

But eliminating the requirement to encrypt e-mail doesn't mean that those exchanging patient information shouldn't consider doing so. In a recent conference call, Tom Walsh, consultant at CTG Healthcare Solutions, told customers they have to determine the best way to secure shared information.

The new security regulations mean that customers have to decide what level of risk they want to take. The problem is, most organizations haven't conducted full risk and vulnerability assessments, according to Walsh. "They are giving us some flexibility in how you implement security, but it's all based on your risk analysis," he said. "What I have found is most organizations haven't even assessed their risk, let alone analyzed risk."


