By Tod Newcombe | Features Editor

IF STATES THOUGHT Y2K WAS BEHIND THEM AND THE ROAD TO ELECTRONIC GOVERNMENT WAS WIDE OPEN, THEYD BETTER LOOK AGAIN. That fast-approaching object in the rearview mirror is an ungainly set of regulations known as the Health Insurance Portability and Accountability Act (HIPAA). Signed into law by President Clinton in 1996, HIPAAs full impact will be felt in two years when all health-care organizations, including state Medicaid programs, must comply with stringent regulations governing the electronic management of medical information or face severe penalties.

These regulations are aimed at dramatically improving the privacy and confidentiality of medical patient information and standardizing the reporting and billing processes for all health and medical related information. Like Y2K, there is a hard and fast deadline for meeting HIPAA requirements. But unlike the millennium bug, which was just a technology glitch, HIPAA has legal, regulatory, process and security issues, in addition to technology concerns, which must be evaluated and addressed over the next 24 months.

How big an issue is it? Most experts agree that HIPAA is the largest government action in health care since Medicare was introduced. Every health-care system, from the smallest practice to the largest hospital and insurance provider, will be affected by the new rules. A number of state and local government agencies and departments will feel the impact of HIPAA as well. No organization will be more affected than state Medicaid programs. "Medicaid is the big gorilla here," said Doug Schneider, vice president of The MedStat Group, a health information company based in Ann Arbor, Mich.

Not surprisingly, state officials are growing concerned. "Everybody is nervous," exclaimed Jack Frost, CIO of the Maryland Department of Health and Mental Hygiene (DHMH). "If all we had to do was change an automated system, that wouldnt be all that difficult. But were dealing with numerous other organizations that send or receive data, and we have to coordinate the interfaces between state agencies, HMOs and departments internal to Medicaid."

In addition to the headaches of trying to simplify a complex system for handling claims and transactions, states face a huge bill for the expensive overhaul they must undertake. The U.S. Department of Health and Human Services (HHS) pegs the conversion and related privacy costs for the entire health-care industry at a conservative $3.8 billion over five years. But the BlueCross BlueShield Association released a report last year that forecasts costs going as high as $43 billion for the same period. Other experts place the final bill at around $12 billion. But nobody really knows for sure.

The Gartner Group has told health-care payers, which include state Medicaid programs, that HIPAA-mandated changes could cost as much as four times their Y2K budget. For state agencies -- such as DHMH, which spent $9 million on fixing Y2K problems -- the final bill for HIPAA could be astronomical. And as Frost points out, theres no federal money earmarked to cover HIPAA. "This will come out of our hide," he said.

Giving Something Back

Congress may have rejected Hillary and President Clintons universal health-care plan in 1993, but they also knew Americans were in favor of improved coverage, greater privacy and lower costs for the nations health-care system. In an effort to give the public something in the wake of the health-care fiasco, Congress and the president agreed to a series of regulations that would:

* close gaps in health insurance portability;

* protect the privacy of personal health information;

* reduce fraud and abuse; and

* simplify the reporting and billing of transactions.

HIPAA was signed into law in 1996 and gave Congress a deadline of August 21, 1999 by which to set standards for information security, privacy and transactions. When Congress failed to meet its self-imposed, two-year

Tod Newcombe  |  Features Editor