by / December 12, 2000
By Tod Newcombe | Features Editor

IF STATES THOUGHT Y2K WAS BEHIND THEM AND THE ROAD TO ELECTRONIC GOVERNMENT WAS WIDE OPEN, THEYD BETTER LOOK AGAIN. That fast-approaching object in the rearview mirror is an ungainly set of regulations known as the Health Insurance Portability and Accountability Act (HIPAA). Signed into law by President Clinton in 1996, HIPAAs full impact will be felt in two years when all health-care organizations, including state Medicaid programs, must comply with stringent regulations governing the electronic management of medical information or face severe penalties.

These regulations are aimed at dramatically improving the privacy and confidentiality of medical patient information and standardizing the reporting and billing processes for all health and medical related information. Like Y2K, there is a hard and fast deadline for meeting HIPAA requirements. But unlike the millennium bug, which was just a technology glitch, HIPAA has legal, regulatory, process and security issues, in addition to technology concerns, which must be evaluated and addressed over the next 24 months.

How big an issue is it? Most experts agree that HIPAA is the largest government action in health care since Medicare was introduced. Every health-care system, from the smallest practice to the largest hospital and insurance provider, will be affected by the new rules. A number of state and local government agencies and departments will feel the impact of HIPAA as well. No organization will be more affected than state Medicaid programs. "Medicaid is the big gorilla here," said Doug Schneider, vice president of The MedStat Group, a health information company based in Ann Arbor, Mich.

Not surprisingly, state officials are growing concerned. "Everybody is nervous," exclaimed Jack Frost, CIO of the Maryland Department of Health and Mental Hygiene (DHMH). "If all we had to do was change an automated system, that wouldnt be all that difficult. But were dealing with numerous other organizations that send or receive data, and we have to coordinate the interfaces between state agencies, HMOs and departments internal to Medicaid."

In addition to the headaches of trying to simplify a complex system for handling claims and transactions, states face a huge bill for the expensive overhaul they must undertake. The U.S. Department of Health and Human Services (HHS) pegs the conversion and related privacy costs for the entire health-care industry at a conservative $3.8 billion over five years. But the BlueCross BlueShield Association released a report last year that forecasts costs going as high as $43 billion for the same period. Other experts place the final bill at around $12 billion. But nobody really knows for sure.

The Gartner Group has told health-care payers, which include state Medicaid programs, that HIPAA-mandated changes could cost as much as four times their Y2K budget. For state agencies -- such as DHMH, which spent $9 million on fixing Y2K problems -- the final bill for HIPAA could be astronomical. And as Frost points out, theres no federal money earmarked to cover HIPAA. "This will come out of our hide," he said.

Giving Something Back

Congress may have rejected Hillary and President Clintons universal health-care plan in 1993, but they also knew Americans were in favor of improved coverage, greater privacy and lower costs for the nations health-care system. In an effort to give the public something in the wake of the health-care fiasco, Congress and the president agreed to a series of regulations that would:

* close gaps in health insurance portability;

* protect the privacy of personal health information;

* reduce fraud and abuse; and

* simplify the reporting and billing of transactions.

HIPAA was signed into law in 1996 and gave Congress a deadline of August 21, 1999 by which to set standards for information security, privacy and transactions. When Congress failed to meet its self-imposed, two-year deadline, HHS took over and issued its own regulations. The first nine standards were adopted in June 2000 and gave the health-care industry until August 2002 to comply.

Privacy standards, perhaps the thorniest issue from a political standpoint, have yet to be finalized. Proposed rules call for health-care providers and insurance companies to advise patients of their rights and tell them how personal medical information might be disclosed. HIPAA also limits unauthorized access to patient records and sets penalties that can reach as high as $250,000 and up to 10 years in jail when privacy is breached for financial gain. For state IT directors, complying with HIPAAs privacy requirements is primarily a matter of computer security, a task already under way as agencies conduct more and more business over the Internet. "Security of medical information is what we have to do for electronic government anyway," said Frost.

What excites most experts and concerns many Medicaid directors about HIPAA are the requirements for "administration simplification." By setting uniform national transaction standards -- based on electronic data interchange (EDI) -- for all health plans, employers, providers, payers and clearinghouses, HIPAA potentially could drive down the administrative costs of health care.

By stripping away many manual processes and using computer-to-computer transactions driven by EDI, health-care providers could save as much as $9 billion annually, while payers, such as federal and state governments, could save as much as $26 billion per year, according to the Workgroup for Electronic Data Interchange (WEDI). Other studies put the savings around $1.30 for every claim filed. Either way, HIPAA could squeeze huge savings out of the countrys enormous health-care system.

Besides cost savings, state Medicaid programs could also benefit from having standardized information, which they can analyze and compare with other states. "The data will allow states to compare different Medicaid plans, as well as compare themselves with the rest of the industry in a standardized way," explained Karen White, vice president of The Medstat Group. "The data will allow states to identify cost areas that are particularly high relative to neighboring states with similar demographic statistics."

Such comparisons will allow state Medicaid programs to more accurately evaluate which services and programs work and which ones dont, she added.

The reason states cant do that today has to do with the pervasive use of local codes. Because state Medicaid programs serve some of the most disadvantaged people in the country, they have to provide services that generally are not recognized by other payers. As a result, Medicaid agencies have created their own set of "local" codes to process claims for these unique needs.

Local codes used by state Medicaid programs cover a variety of claims transactions. More than 22 categories have been identified, including services for private nursing, mental health and emotional disorders, eyewear, free immunization for children, targeted case management programs, school-based programs and so on. The codes also enable the system to conduct more comprehensive fraud and abuse audits. Although these local codes provide Medicaid programs with a great deal of detail about these unique transactions, they have made it difficult, if not impossible, to compare data from one system with another, or to standardize the transmission of claims data from one system to the next.

All of these local codes have been eliminated by HIPAA and have been replaced by standardized code sets determined by HHS. "Medicaid has relied upon those codes tremendously in the past," explained White. "But under the new rules, they can no longer use them."

Under HIPAA, a code set is any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes or medical procedure codes. Specifically, HHS-approved code sets cover a range of medical conditions, such as diseases and injuries, or drugs and medical procedures.

But states are not about to give up their codes without a fight. Speaking before the HHS Committee on Vital and Health Statistics in July, Stan Rosenstein, assistant deputy director of Californias Medical Care Services, declared that the new set of standard codes set down by HIPAA "do not adequately support the current business needs of the Medicaid program.

Prohibiting Medicaid agencies from using local codes will preclude our ability to respond to providers and consumers, as well as hamper our ability to process claims and data efficiently," he said.

Rosenstein pointed out that, in California, local codes allow the states Medical system to:

* react faster in providing new treatments as they become available;

* promote stricter pricing controls;

* closely monitor the use of services on a detailed level;

* respond to legislative actions affecting Medical; and

* respond to court orders within a short period of time.

By dropping its local codes and switching to the new national standards, Rosenstein said the state would be unable to support the current business needs of the Medicaid program.

Emphasizing the same point, Lisa Doyle, a Medicaid information specialist of the Wisconsin Department of Health and Family Services, told the committee that local codes are integral to the business of Medicaid. "While the goal of standardization is logical in todays electronic world, it may not make sense in all situations."

For instance, no national standards have been set for so-called "closed-loop transactions," where Medicaid is the only source of payment for specialized services.

Coordination Challenges

In addition to the code problem, Medicaid programs face the onerous task of coordinating interfaces between various state agencies, providers and departments within state Medicaid programs. "There are well over 50 interfaces in Maryland," said Frost. "Its not likely they will be ready [by 2002]."

The technology that will underpin HIPAAs new standards for simplification is an EDI translator, which will convert old transaction formats into the new standards. But, as Frost points out, theres nothing off-the-shelf that will do this for the states. "Because theres a lot of home-grown codes out there, were going to have to write our own conversion programs," he explained.

Right now, Maryland is assessing its needs, trying to get its arms around what will soon become one of the most significant projects in the history of the Medicaid program. According to Medstats Schneider, states like Maryland are a bit behind others that have already established budgets to cover HIPAA. All indications are that states will be making a significant effort to be compliant.

Thats not entirely the case in the commercial sector. Less than 25 percent of hospitals and less than five percent of physician practices have initiated HIPAA-compliance activities, according to KPMG. Many providers and practices complain that Y2K has drained them of the resources necessary to cover HIPAA. Rumors are rife that some providers and physicians will revert completely back to paper, rather than comply with the new regulations. "If that happens, well have to gear up transcription services to handle the paperwork," said an exasperated Frost.

Despite the long and arduous task ahead, and the risks that go with such a system overhaul, most experts say the effort will be worth it. "There are significant benefits to receiving data in a standardized format," emphasized Schneider. Even Frost, who is unsure whether all benefits will pan out, said protecting medical information and improving the quality of the data is a benefit to everyone involved.

Still, theres a certain gnawing fear that HIPAA could overwhelm state resources as Medicaid agencies race against the clock to become compliant. "I dont know if well make it," cautioned Frost. "We might get bogged down in the complexities. Thats what scares me the most. Its like Y2K, but there are unending choices that have to be made."

Tod Newcombe Features Editor