Health care's paper tiger

By Karen Southwick
Staff Writer, CNET News.com
February 26, 2004, 4:00AM PT

Dr. Thomas Sullivan, president of the Massachusetts Medical Society and immediate past chair of the American Medical Association's e-Medicine Advisory Committee, is just the sort of physician technology companies drool over.

An avid proponent of information technology, Sullivan met recently with Microsoft at its headquarters outside Seattle to tell the software giant how it could better serve the $1.7 trillion health care industry. But back at his own cardiology business in Danvers, Mass., Sullivan doesn't exactly practice what he preaches: He still files claims on paper.

"I've never found a system that I really like for a small practice," said Sullivan, whose private practice continues to rely on middlemen such as a billing agency and clearinghouse to handle reimbursement claims and file them electronically with payers. "I will change once I see something that's affordable."

The gap between Sullivan's vision and reality reflects the halfhearted efforts by much of the health care industry to comply with requirements for technological improvement under the federal Health Insurance Portability and Accountability Act. A major goal of HIPAA, a massive boat of legislation that floated a number of mandates for health care, was to modernize the way claims are processed while improving privacy protections for patients.

But those administering the 1996 law were forced to delay the compliance deadline for the legislation's claims-processing section twice in the last two years because of widespread difficulties in installing the needed infrastructure and coordinating the transition. So many problems remain that the federal agency charged with enforcing the law, the Centers for Medicare & Medicaid Services (CMS), has extended last October's deadline indefinitely and allowed a dual-standards world to exist.

"There's not a lot in the budget for HIPAA policing activity by CMS," said Amith Viswanathan, industry manager for health care information technology at international consultancy Frost & Sullivan. "It becomes a paper tiger at some point."

Information technology is often held up as the answer to improve efficiency in an industry increasingly squeezed between cost-cutting measures and demands for higher-quality care. But in many cases, that technology hasn't provided the right answers for health care providers, especially physicians, or those answers have come at too high a price.

A recent survey of 631 providers, payers, companies and clearinghouses by the Healthcare Information and Management Systems Society (HIMSS), a Chicago-based trade group, revealed that only half had completed external testing for what is known as Transaction and Code Sets (TCS), which standardized what information must be contained in electronic claims and how it should be transmitted.

"For most of the physicians I come in contact with, HIPAA is a nonevent," said John Thomas, chief executive of MedSynergies, an Irving, Texas, firm that provides financial consulting services to doctors. "They see no reason to change."

Yet even without official enforcement, he and others believe that doctors will soon have a compelling incentive to comply with the law as claims bounce back when they do not follow regulations. That will hit physicians in a sensitive spot: their pocketbooks.

"We're very early in the TCS crunch," Thomas said, estimating that only 15 percent to 20 percent of physician claims today comply with the standard. As their accounts-receivable numbers balloon with unpaid claims, he added, "physicians are going to wake up to a four-alarm blaze."

Although CMS could fine the offenders, it has chosen to work informally to resolve the complaints. Last July, the agency began allowing "contingency plans," under which payers could accept noncompliant claims, as well as compliant ones.

"TCS represents an activity, the magnitude of which the health care industry had never attempted before," said Karen Trudel, director of the Office of HIPAA Standards at CMS. "You've got so many different moving parts that a lot of people underestimated the complexity of the process."

The agency has not set a time frame to end the contingency plans. Trudel said about two-thirds of the Medicare claims her agency receives are compliant today, an indication the industry is moving in the right direction.

So far, "we have received about 50 legitimate TCS complaints," mostly from providers against payers or clearinghouses, said Lori Davis, acting deputy of the HIPAA standards office.

Facing the human factor
The stumbling block is not so much technology as culture. Many delays can be attributed to simple inertia on the part of doctors and others routinely bombarded with demands that are deemed to be higher priority than technology.

"With any systems upgrade, the technology is probably the easiest part and culture change the most difficult part," said Joyce Sensmeier, director of professional services at HIMSS.

For one thing, the HIPAA mandate requires coordination among several parts of the complex health care industry. First is the providers--hospitals and physicians--who treat patients and file claims. These claims are typically scrutinized by clearinghouses and other middlemen en route to payers, which include insurance companies, managed care organizations, employers and federal and state governments.

Then there are sellers of health care software and services used to transmit claims and associated information. These include specialty companies such as Siemens, McKesson and WebMD--the largest clearinghouse in the market--along with large hardware and software makers such as IBM, Microsoft and Oracle, which offer customized systems for health care.

All these groups must be aligned for an industry standard to take hold. Instead, "there's been a lot of finger-pointing going on--everybody's saying the other guy isn't ready," Sensmeier said.

She did a little of that herself. "Providers are making progress, and vendors are lagging behind," Sensmeier said. Her organization represents both groups, so it isn't taking sides.

Physicians on the edge
The HIMSS survey showed that while 45 percent of providers and 56 percent of payers were ready to accept or transmit the standardized transactions, only 40 percent of the companies that make software for the industry were prepared. And that was down from an earlier survey, when 47 percent of these companies reported they were ready to handle the transactions.

Within the notoriously insular health care world, the technology mandate is viewed as a costly burden, one that's especially challenging for physicians with small practices like Sullivan. Hospitals and other large organizations are more likely to have a technology infrastructure already in place and resources to upgrade it.

		special report Intensive care for medical data Law prescribes overhaul of aging system

Frost & Sullivan estimates that providers--hospitals, managed care organizations and physicians--spent $1.2 billion between 2001 and 2003 on HIPAA products and services. Most of that spending was by what it characterized as "early adopters," often large organizations with resources to experiment with new initiatives.

But most doctors practice in small groups, representing the majority of the nation's 750,000 physicians. About two-thirds of physicians practice in groups of eight or fewer, according to Eric Brown, principal analyst for health care at Forrester Research.

		News.Commentary Health care tech to take off This year will bring accelerating tech adoption among health plans, care providers and life sciences companies.

Security deadline approaches
As if this weren't enough, the health care industry is facing another HIPAA deadline next year, the April 21, 2005 date by which providers and payers are supposed to meet the legislation's security requirements.

"You've got a huge financial issue coming" with the security standard, said MedSynergies' Thomas. "For a lot of physicians, disaster recovery has meant having someone take a tape home at night."

The security standard requires health care groups to assess their systems' susceptibility to unauthorized access and then put a policy in place to deal with that. Technology such as firewalls and authentication plays a role, along with administrative procedures like training staff and doing background checks.

CMS' Trudel doesn't believe the security standard will be as difficult a hurdle as the claims-processing provisions. "We deliberately built in flexibility" with security, she said. "We're saying you have to think about your risk and how you can best mitigate that risk."

Still, for an industry that likes everything spelled out, that very flexibility could prove difficult. "A lot of people," she noted, "are going to be asking us, 'Just what do I have to do?'"