Law prescribes overhaul of aging system
By Sandeep Junnarkar
Staff Writer, CNET News.com
June 16, 2003, 4:00 AM PT
George Zimmerman reeled when he first considered the costs of a new federal law that required him to overhaul the network of health care facilities he maintained.
The Internet administrator faced stringent provisions under the Health Insurance Portability and Accountability Act, landmark legislation designed to, among other nontech-related mandates, force a reluctant health care industry into the digital age. The law, commonly known as HIPAA, sets new privacy rules for medical records kept in digital files and requires insurance companies and health care providers who process claims electronically to use one standard.
"Just the cost of the staffing and technology to address security and privacy were going to be astronomical and prohibitively ridiculous," says Zimmerman, of St. Peter's Health Care Services in Albany, N.Y. "Making it worse is that they hadn't given you a hard-and-fast rule--so just meeting guidelines is like trying to hit moving targets."
Thousands of hospitals, insurance companies and medical practices have shared his frustration since failing to meet HIPAA's main deadline last October and filing for a one-year extension. All have encountered widespread confusion over the legislation's schedule, and many have faced particular difficulties trying to install systems to electronically transmit medical transaction codes for insurance reimbursement.
But if the law has been an albatross for the health care industry, it has presented opportunities for information technology companies and consultants desperate for ways to dig themselves out of their prolonged slump. Companies from database manufacturers to dot-com survivors have vied for a piece of the business, the value of which has been subject to conflicting estimates that range from $1 billion to $17 billion.
The vast discrepancies in cost can be attributed in part to the fragmented nature of the medical industry, which makes it nearly impossible to collect accurate numbers for the entire sector. Moreover, the industry's notorious lack of technological acumen may have resulted in unrealistic estimates for complex technologies. Government agencies, meanwhile, have been accused of providing overly optimistic cost projections to win support for the law without federal subsidies coming into play.
"There's a lot of confusion about HIPAA," says Tim Chiu, a product manager at Mirapoint, which focuses on the security of electronic messages. "A lot of people are spinning different tales about what requirements people need to meet, what are the deadlines and how much it is going to cost."
The numbers don't necessarily get clearer at the level of specific projects. Struggling technology companies, for example, may be making impossibly low contract bids just to get the work.
Even if estimates for such initial work are true, they may be no more than a trickle compared with the overall costs for health care organizations to keep their systems up-to-date and free of glitches. As countless companies have learned the hard way, the cost of continued maintenance regularly exceeds the price of the original product.
"Application technology costs are only about 20 percent of the total project," says Russell Ricci, IBM's general manager for health care. "For about every dollar spent on application technology, you have to spend $4 on the services and the support."
HIPAA's proponents say the bloated and bureaucratic health care industry will eventually recoup its spending as new systems improve efficiency. For now, however, health organizations are struggling to meet the minimum requirements on time and hoping to increase their technology budgets as the economy recovers.
 | | | | |
special report
A bitter pill
Online medical industry
tries to cheat death
| | | |
State-run agencies are encountering some of the most difficult problems. Among state-funded Medicaid programs, 9 of the 51 state agencies, including Washington, D.C., will not meet the law's October 2003 extension, according to a study released in March by the inspector general of the federal Health and Human Services Department. Many of the programs cited a lack of funding from state governments, which have pared resources for HIPAA work as their tax revenue has declined in the faltering economy.
Facing such budgetary restraints, health organizations in both the public and private sectors are taking a piecemeal approach to HIPAA's requirements. Some, for instance, are delaying security improvements because the 2005 deadline for that work is farther off than more immediate requirements. The National Accounting Service Company (NASCO), formed in 1987 by several BlueCross BlueShield Plans to process benefits claims, spent at least $20 million in three years for transaction codes and other technology, but is leaving some of its security plans on hold.
"We did an initial study for security gap, but we won't be as aggressive this year on that," says Tommy Gurganus, director of regulatory compliance at NASCO. "There will be money budgeted toward security next year--none or very little this year."
Slower than the checkout line
Hospitals and physicians have long been on the technological cutting edge when it comes to medical procedures and lab research. Yet by comparison, they've been glaringly remiss in regard to information technology: It's not unusual for supermarkets to have more advanced infrastructures than hospitals.
"We think the industry is tech-savvy, but believe me, if you were to see most hospitals today, they would not be impressive," says Amith Viswanathan, an analyst specializing in health care IT for consulting firm Frost & Sullivan.
Some progress is being made, albeit slowly. Most of the technologies being adopted to comply with HIPAA are aimed at securing hospital networks and e-mail to protect patient privacy. A far more daunting task is the required overhaul of the way health care providers and insurance companies settle payments for medical service.
To expedite such work, HIPAA has established minimum standards for the transmission of data among the many disparate systems used by the industry, in hopes of avoiding the kind of conflicts that have so often stalled development in the high-tech industry. Major companies, such as IBM and Microsoft, have special divisions dedicated to rebuilding these systems or adjusting newer technologies to comply with regulations.
Projects cover a broad range of technologies that go far beyond traditional filing and accounting setups. IBM has worked with digital-imaging companies such as Agfa-Gavaert Group, Siemens and Philips Medical Systems to provide hospitals with storage systems that can handle X-rays, CAT scans and other graphic medical records securely. St. Anthony's Medical Center in St. Louis and the University of Chicago Hospitals and Health System have turned to IBM's networking and storage technology to keep up with growing demands.
Logs or audit trails that track the number of times patient information is reviewed can often balloon to 10 times the size of the original file being monitored. Covenant Health of Knoxville, Tenn., is harnessing a 7-terabyte IBM storage network to meet HIPAA's privacy requirements.
Never one to shy away from new business, Microsoft is pushing its BizTalk Accelerator to the health care industry, saying it will let health organizations integrate technologies and work across multiple systems while ensuring privacy. One important BizTalk customer is MedUnite, a consortium of large insurance companies that offers technology for electronic claims, payments and other transactions.
Security and staffing
Smaller companies have also tailored their services and products to help the industry fulfill HIPAA requirements. Check Point Software Technologies is providing firewalls and Virtual Private Network connections in systems designed to let physicians remotely tap patient databases at hospitals they're affiliated with. Check Point's technology also lets health care organizations establish audit trails that keep track of who logs on to networks, a critical step in safeguarding confidential patient information.
Other security companies, such as Qualys, audit and assess the vulnerability of systems, by scanning networks intermittently to gauge threats. This is especially critical as more and more hospitals connect their databases to the public Internet, a move that has raised security questions in banking and other large industries.
Security is also a big concern when it comes to electronic mail, which often contains confidential patient information. Storage is a factor, too--the sheer volume of e-mail gobbles up system space. As a result, companies such as Mirapoint, which offers dedicated e-mail servers, are pitching their wares to the health sector.
"E-mail is one major problem," says Kalpesh Unadkat, a network engineer at the University of Michigan Health System in Ann Arbor. "We have been working to ensure that any patient data leaving our network is secure, which basically means it has to be encrypted."
St. Peter's Health Care Services went as far as deciding that all e-mail must be secured with 128-bit encryption, the strongest commercially available cipher for e-mail. "It might be overkill, but at least that ensures that all traffic will be safe," says Zimmerman, the Net administrator at St. Peter's.
These ambitious new technology initiatives have forced health care organizations to try to determine the staffing needs involved in carrying out the federal mandates. So far, organizations have spent a large portion of their HIPAA budgets on consulting services and internal staffing issues, according to a survey taken last August by research firm Gartner.
Surveyed hospitals, large medical offices and other health care providers reported that 29 percent of their estimated HIPAA costs have involved staff expansion and training to ensure that employees understand new privacy and security processes. Insurance companies and others that pay for health care allocated 38 percent of their resources to these personnel areas. 
In addition, outside consulting services take up about 21 percent of resources among health care providers and around 31 percent among payers, according to Gartner. At the same time, the study found that 11 percent of payers and 13 percent of providers surveyed had not yet contracted consulting services by last fall.
"The longer an organization delays aggressive compliance activities, the more likely it is to require expensive outside assistance as deadlines loom," Gartner said in its report.
An ounce of prevention
Taking a dose of its own medicine, the U.S. government is among the largest entities that must comply with the new federal law, and it wants to set an example for the corporate world. Although HIPAA is primarily concerned with the secure processing of electronic insurance claims, the government is also concerned with the handling of patient records and other information on a day-to-day basis by doctors, health care workers and support staff. This could ultimately lead to greater safety at medical facilities, as well as to more business for tech companies.
In March, three federal agencies--the Departments of Health and Human Services, Defense, and Veterans Affairs--set forth the first uniform standards for the electronic exchange of health information by government organizations.
Although the government has extraordinary influence over the private sector--its Medicare program is the largest customer of health care services--such standards have not been legislatively imposed on private health organizations. If the standards are widely embraced, a new era could begin in which doctors, nurses and other medical workers gain access to records via pervasive wireless devices.
"It's important for the federal government to lead by example," Health and Human Services Secretary Tommy Thompson said in announcing the standards. "But we cannot do it alone."
The government could also, of course, force the issue through regulation. The Food and Drug Administration has proposed rules it hopes will improve patient safety by way of a technology that's often taken for granted: bar coding. The agency sees bar codes being used to track medications dispensed at hospitals and clinics.
The bar-coding technology would likely be similar to the type used by Gillette, Wal-Mart Stores and the U.K.-based supermarket chain Tesco, which this year teamed up to test new "smart-shelf" technology that lets companies track inventory levels in real time. The FDA regulations would mandate codes that identify drugs and note their strength and dosage for all prescriptions. Vaccines and over-the-counter products packaged for hospitals would also carry the codes.
The FDA forecasts that hospitals will invest $7.2 billion on bar-code technology, which the agency estimates could reduce the number of adverse drug reactions by nearly half a million over 20 years. In addition to improving the overall health of the U.S. population, the technology would save hospitals an estimated $41.4 billion in malpractice insurance premiums and on treatments they would otherwise have to provide to affected patients.
Regardless of the reason--for law, business or common sense--technology proponents believe that recent advances will be invaluable in improving the nation's overall health.
"Health care is a critical industry--we kill people everyday--but we don't bar code everything," IBM's Ricci says. "These proposed rules by the government will really drive information technology to increase quality, safety and cost-efficiency in the medical industry." 
| 
