|
From the October 2001 Issue HIPAA and MCOs: Administrative Simplification or IT Modernization?
|
HIPAA and MCOs: A minefield of technology options is available to HMOs and health plans.
Title II of the Health Insurance Portability and Accountability Act (HIPAA), also known as the “Administrative Simplification Act,” sends three different messages to the healthcare industry: become efficient by standardizing codes and using electronic transmission; eliminate fraud and abuse; and preserve patient privacy. In the first set of regulations to take effect in October 2002, HIPAA specifies the format of certain electronic transactions (such as enrollment, claims, authorization) and forbids the use of anything but standard code sets. The second set pertains to privacy and will be in force by April 2003. Security issues are still being finalized with an estimated time for enforcement of 2004. The last part where payors, employers, providers and patients are assigned unique national identification numbers should take effect by 2006 or earlier. Short-Term Solutions, Long-Term Risks While HIPAA affects virtually every participant in healthcare, it is fair to say it will be payors, HMOs and health plans in particular who will first feel its impact. Providers, for example, can delay HIPAA’s impact by merely resorting to paper transactions or using clearinghouses as intermediaries. Payors have no such option. If a provider sends a claim electronically to a payor in a HIPAA-compliant format after October 2002, HIPAA requires the payor to accept and process it. This sounds simple, but many HMOs and managed care organizations use legacy systems to manage their business affairs and their COBOL and MUMPS-based systems lack the flexibility to meet HIPAA’s requirements. Costs of changing legacy codes can be considerable and implementing changes can result in serious downtime, affecting production and raising costs. Moreover, HIPAA is not a singular event. HIPAA regulations will continue to appear over the next five years and the cumulative financial toll on legacy owners can be large if change is not planned and executed properly. The focus of many “HIPAA scare conferences” seems to be on changing business processes to avoid fines and jail terms. Even when IT costs are discussed, they are limited to the first set of regulations—compliance with electronic standards of communication—and waved away as a simple matter of acquiring a “translator” or engaging a clearinghouse. Payors are in for a surprise if they analyze IT costs to comply with all the anticipated regulations from HIPAA. What are the options available to legacy owners? How expensive are they? Is it necessary to abandon current systems? HIPAA is a five-year process of continual changes. How can business disruption be minimized? How can healthcare organizations maximize return on HIPAA-related IT investments? Some legacy vendors have realized the difficulty of complying with HIPAA and have sold their companies. Their abandoned users are virtually orphans and must switch systems. How can they win time for making such a complex decision?
Legacy Options The HIPAA regulations contain a suggestion that health plans can meet the October 2002 deadline by using translators and clearinghouses. This is an over-simplification, and legacy owners who adopt this route will encounter serious and subtle problems. Typically, a HIPAA transaction file has many more data fields than are found in legacy systems. Translators and clearinghouses will “drop” these extra fields because of the inability of legacy systems to accept them. Without these extra fields, legacy systems may not be able to reconstruct and transmit a HIPAA-compliant transaction. To store and have the extra fields ready for reuse is necessary but a serious technical challenge for legacy systems. HIPAA requires that the codes used must conform to its standards, which may pose a challenge to legacy systems that use proprietary codes as a substitute for business or processing logic. Clearinghouses have adapted by offering custom interfaces to accommodate proprietary health plan codes and translators will be forced to customize as well. An important factor often overlooked is that clearinghouses that provide such service will process more than claims and, therefore, cost more to health plans. Based on current market rates, health plans that use clearinghouses will spend an additional $1 to $2 per member per month. While this is not outrageously high, it will have a perceptible effect on bottom lines and there will be an urgency to finding a more permanent solution. Given enough time and funds, it is possible to make a legacy system conform to HIPAA transactions. There are, in fact, many consulting organizations offering such services. But is this a good investment? Not really, especially if you consider what HIPAA has in store in the form of uniform identifiers. When HIPAA’s uniform identifier rules come into force (estimated around 2004), legacy system users will find it prohibitively expensive to comply because there are four fields that will change, both length and format, and each one will require a Y2K-like effort. Time is also an enemy. If, in a few years, the entire legacy system must be abandoned, how much sense does it make to invest in them today to meet HIPAA’s transaction standards? HIPAA demands efficiency, and automation is a necessary goal. While HIPAA does not prescribe any particular software or technology, a little known fact is that HIPAA’s privacy and security regulations will require specific technology features, including sophisticated control of access to data. Usually job titles and professional responsibilities will determine who can access data while the context of an inquiry (e.g., public health, law enforcement) will be used to define what kind of data (summary, anonymous or detailed) can be made available. HIPAA allows patients to discover the names of all parties who access their medical records. This means healthcare organizations must maintain an audit trail of all those who access patient records. Legacy systems will find it expensive to implement such access control and audits. Modern software technologies of fine-grained data access and virtual private databases can help meet the complex privacy requirements imposed by HIPAA. HIPAA requires many changes to IT, all of them in a space of five years or less. From a programmer’s point of view, this is a short time span. There is not enough time to re-do tasks. While it makes sense to tackle HIPAA requirements sequentially—transactions first, then address privacy, followed by security and uniform identifiers—it is best to find a solution that will allow one to build the next step of improvements over the previous one, without re-engineering. The Business Challenge If eventual replacement is the logical conclusion, HIPAA compliance by itself cannot provide economic justification. Clearly, an investment of this magnitude must result in other benefits. Traditionally, life in the legacy world includes a significant number of hybrid and sub-optimized manual processes. A replacement strategy must support a successful transformation to fully automated processes. While overall financial improvement may be the ultimate goal, satisfied customers (and employees) are the cornerstone to reach that objective. Operational effectiveness is the outcome of employees performing their jobs effectively and ultimately leads to satisfied and loyal customers. Financial success is the result of loyal and satisfied customers and leads companies to further invest in its employees, which in turn recharges the cycle of success. While the focus may center on technology, overall business transformation, reduced costs and improved satisfaction must be the result of a fully enabled HIPAA solution. This can be accomplished only through tangible, quantitative results. Without it, the zeal and intestinal fortitude to change will wane quickly. Therefore, the first step is to stipulate and define quantitative metrics to ensure that the organization is evaluating its current legacy environment in a comprehensive manner. Secondly, clearly stated performance levels for targeted business areas must be set that will identify lapses in current performance. The final step is to implement the system, to increase automation and efficiency and provide greater management control and insight—all the while allowing the organization to become HIPAA-compliant, truly a return on investment worth striving for. © 2001 Nelson Publishing, Inc |
|
|
HIPAA
Watch
for October 2001
By Jacob Kuriyan,
president & CEO of Physmark Inc., Dallas, TX. Contact him at 