Dr. Dobb's Journal November 2001
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a monstrous set of regulations that might very well match Y2K compliance in terms of resources and cost. For instance, while the U.S. Department of Health and Human Services originally pegged HIPAA compliance at $6.7 billion, Blue Cross/Blue Shield projects costs at $43 billion over five years (not that you can believe health-insurance companies any more than the government). Market research firm The Gartner Group seems to concur, stating that "for at least 50 percent of healthcare organizations, the time and money spent by 2003 on making their applications and processes HIPAA compliant will equal or exceed that spent on Year 2000."
So what's HIPAA all about? In a nutshell, HIPAA (http://www.hcfa.gov/hipaa/hipaahm.htm), also known as the Kennedy-Kassebaum Act (Public Law 104-191), is intended to implement health-insurance portability, reduce healthcare fraud and abuse, guarantee the security and privacy of health-related information, and enforce standards for health information. As anyone who's had the sniffles knows, information processing in the healthcare industry is incredibly difficult, complicated, and costly. In fact, there are nearly 500 different health-insurance claim formats in use today, most of them paper-based. Furthermore, paper-based healthcare claims cost $6 to $8 each to process. This is part of the problem HIPAA is intended to solve. It should be pointed out that HIPAA does not mandate that healthcare providers use electronic transactions, but if they do, they must adhere to HIPAA standards. However, providers who stay with paper-based transactions are responsible for converting paper forms into HIPAA digital formats and data elements via third-party clearinghouses.
In general, HIPAA aims for standardization in six areas: transactions (claims, enrollment, eligibility, payment, referrals); code sets (relating to diseases, procedures, equipment, drugs, transportation, ethnicity); identifiers (for providers, payers, patients); benefit coordination (when multiple health plans are involved); security/privacy (to protect information); and electronic medical records.
As you might expect, standardized data interchange and security/privacy are of particular interest here. Central to the standardized data interchange is ANSI Standard X12.837, which identifies hundreds of data elements and code sets that must be used when submitting electronic claims. (For a complete list of codes, see the HIPAA Data Element Dictionary, http://www.ihs.gov/AdminMngrResources/HIPAA/docs/ded4010.pdf. For details about the format itself, see http://www.com1software.com/c1088.htm).
Of greater concern to healthcare providers working towards HIPAA compliance, however, are the privacy and security requirements. For the most part, privacy under HIPAA is addressed in terms of regulations and administrative provisions, which presume that individuals must consent to disclosure of health-related information (see http://www.os.dhhs.gov/ocr/hipaa/).
Likewise, security is handled in flexible guidelines that do not mandate specific technologies for digital signatures, cryptography, and the like. Rather, the security guidelines require implementation of controls for access, auditing, and authorization, as well as data and entity authentication (biometric identification, passwords, PINs, telephone callback, and tokens). In short, HIPAA simply specifies that any organization that "maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards."
HIPAA will be implemented in stages. Healthcare organizations must be in compliance with the transaction and data set standards by October 2002. Compliance with privacy standards, on the other hand, doesn't have to be in place until April 2003. Deadlines for other categories (security, identifiers, and the like) have yet to be determined.
As you might expect, a cottage industry has grown up around HIPAA. As with Y2K, there are HIPAA conferences (National HIPAA Summit, http://www.hipaasummit.com/), newsletters (HIPAA Watch, http://www.hipaa-hsc.com/HIPAA-Watch-Form.htm), consultants, and toolkits based on everything from Java (HealthSuite; http://www.ramtechnologiesinc.com/Html/prodcont.htm) to XML (Redix XML HIPAA HealthCare Package; http://www.redix.com/xml_hipaa.htm).
In principle, HIPAA sounds like a good thing. Establishing and adhering to standards should lower costs and increase efficiency. Instead of $8 per claim, for instance, standardized electronically submitted claims cost only $0.17 to process. Overall, the Federal Register estimates that standards combined with electronic processing will yield a net savings of $1.5 billion per year for the first five years. Of course, the proof is in the penicillin. HIPAA is an enormously complex project that faces technological, social, and (gulp!) political challenges, and it will take years to iron out all the wrinkles. On the upside, if you're looking for a new job, try refamiliarizing yourself with that copy of Gray's Anatomy that's been propping up your desk. Why? Because, as with Y2K, IT jobs will go begging at hospitals, nursing homes, and the like. And when you apply, don't forget to tell them that the Doctor sent you.
Jonathan Erickson
editor-in-chief
jerickson@ddj.com