To understand the complexities that the Health Insurance Portability and Accountability Act (HIPAA) has created for our nation's health-care system, one need look no further than what is required to change the format for one transaction in the typical state Medicaid computer system. For a start, data fields will have to be modified from a fixed length to a variable length. Then there's the requirement that all proprietary codes (an estimated 33,000 are currently in use) will have to be converted into standard codes. Flat files will have to become hierarchical. The changes and their implications go on and on.

HIPAA's regulations are aimed at dramatically improving the privacy and confidentiality of medical patient information and standardizing the reporting and billing processes for all health and medical information. These new standards should dramatically increase the electronic exchange of information and decrease the cost of processing the typical medical transaction. Compliance deadlines are spread out over the next several years, with implementation of some formats expected by October 2002 and privacy rules by April 2003.

Some experts believe we could see as much as $30 billion in savings once HIPAA is fully implemented by all health-care providers and payers. But doing that won't be easy or cheap. The U.S. Department of Health and Human Services (HHS) puts the HIPAA price tag at a modest $6 billion. However, private health-care organizations peg the final bill as high as $42 billion. Hospitals alone are expected to fork out $22 billion just to comply, according to the American Hospital Association.

What the bill will be for state and local governments is not clear. Correctional facilities and educational institutions, along with public-health agencies, will have to overhaul, reengineer and revamp their systems and business practices in order to comply with HIPAA. But it's Medicaid that will bear the brunt of this multi-billion dollar standardization effort.

Medicaiding HIPAA

With millions of clients and thousands of providers to manage, state Medicaid programs have to process massive numbers of transactions using legacy mainframe computers that run proprietary software. HIPAA is forcing state Medicaid agencies to stand that creaking system on end. In the bland, bureaucratic words of HHS, most states face a "quandary." Their legacy computer systems must be able to accept and store new formats and pieces of information and, at the same time, find new ways to generate the data that is missing from HIPAA's formats but is still required by the state for processing.

Not surprisingly, a host of vendors have stepped up to offer services that range from consultation to translation of codes to entire system overhauls. At the head of the pack are EDS, ACS and Unisys, each offering a range of expertise, services and tools. Then there are numerous firms with specific expertise in the health-care arena that are eager to help government agencies tackle the HIPAA problem. These include MedStat, BCE Emergis, Mercator and Physmark, to name a few.

Some states, including Georgia, have decided not to tinker with the old system and have contracted to have an entirely new system built that will meet HIPAA's compliance requirements for transactions and privacy. Security rules have yet to be set by the feds. For three years, Georgia's Department of Community Health, which handles Medicaid, has been working to meet HIPAA's requirements. It wasn't long before the agency realized that its legacy system just wasn't up to the task.

"We found our old MMIS [Medicaid Management Information System] was going to be too costly to remediate and we needed Web capabilities," said Barbara Prosser, deputy director of Systems Management for the department, explaining why the state opted for a new, multi-million dollar system built by ACS, rather than revamping the old one. The fact that the federal government has been providing funds on the Medicaid side for system conversion made the choice