Nothing would make Glenn Pearson happier than to be dead wrong. But he's worried he might be right.
Pearson, executive vice president of the Georgia Hospital Association in Atlanta, fears that new federal regulations designed to protect confidential health care information, in part by regulating the way data is transferred electronically, might delay the reimbursement hospitals get from insurance companies. The law, known as the Health Insurance Portability and Accountability Act (HIPAA), seeks to limit access to patient information.
HIPAA has multiple components, but the rules that regulate information transactions are set to take effect Oct. 16. These rules will establish standard mechanisms for electronic data interchange (EDI) of patient data. Among other things, HIPAA stipulates wholesale changes in the way insurance claims are filed, putting in place nine standardized file formats and accompanying code sets. Consequently, providers and insurers are retrofitting their information systems to comply with the new requirements.
HIPAA also aims to streamline health care operations and winnow costs from the health care system, but administrators are wary. Compared with HIPAA, preparing for Y2K was a breeze, says Pearson. "Getting the transactions standardized is terrific, but the transition process could be a very huge mess. The reality is that, on Oct. 16, the way you used to do things is no longer [going to be] acceptable. We're working hard to put reasonable contingency plans in place, in case some transactions don't go through -- so our member hospitals and doctors can have cash on hand to continue operations and pay employees."
HIPAA does not apply only to health care providers and insurers. IT companies that manage patient information on behalf of providers and insurers also are affected by the law, which was passed in 1996. "If you transmit, store, or directly touch patient information, then you have to be concerned about [complying with] HIPAA," says Kevin Beaver, president of Principle Logic, an information security consulting firm in Atlanta. Failure to comply with HIPAA could result in fines or even jail time.
Between now and October, companies affected by HIPAA should be testing their systems and equipping their IT staff with the appropriate training, says Joseph Nichols, chief medical information officer of Paladin Data Systems Corp. of Seattle. Such preparations could include brushing up on EDI, or it might mean delving into EDI for the first time. "Anyone who is involved in paying bills, billing, reconciling -- moving funds around [in] health care -- has got to be very deeply involved in these EDI transactions," says Nichols.
Specifically, IT companies may have to budget considerable amounts of money for new technology tools. Complying with HIPAA may require you to spend $200,000 to $300,000 for a translator -- an engine that takes a common data set and converts it from a legacy file format into a HIPAA-required format.
Additionally, HIPAA could require you to spend a considerable sum on new applications development and coding that may be needed to make your systems HIPAA-compliant. "It may require significant new changes in code and infrastructure to support security and access controls," says Nichols.
Some companies are further along in their HIPAA planning than others, Beaver says. The complexity of your environment, and the amount and type of information you are protecting, will influence how much it will cost to comply with HIPAA. Companies with large computing infrastructures will spend more time and money revamping their systems.
"If you're storing tons of client data, like a hospital or insurance company, then HIPAA compliance is going to be a real beast," Beaver says. "If you're a small physician's office with one or two computers and maybe five staff members, HIPAA is, for the most part, going to be a lot easier for you."
HIPAA was created to help people who lose or change jobs keep their health care coverage. In addition to the transactional component, the bill spells out a range of other steps companies must take to guarantee the privacy and security of confidential patient information. The privacy requirements, which regulate access to data, took effect April 14. A separate set of security requirements must be met by April 2005.
FOR MORE INFORMATION:
>> Tip: HIPAA -- a bang or a whimper?