Calming the HIPAA Hiccups

While state and local agencies struggle to comply with HIPAA's deadlines, computer firms rush to offer helpful tools and advice.

by / April 16, 2002
To understand the complexities that the Health Insurance Portability and Accountability Act (HIPAA) has created for our nation's health-care system, one need look no further than what is required to change the format for one transaction in the typical state Medicaid computer system. For a start, data fields will have to be modified from a fixed length to a variable length. Then there's the requirement that all proprietary codes (an estimated 33,000 are currently in use) will have to be converted into standard codes. Flat files will have to become hierarchical. The changes and their implications go on and on.

HIPAA's regulations are aimed at dramatically improving the privacy and confidentiality of medical patient information and standardizing the reporting and billing processes for all health and medical information. These new standards should dramatically increase the electronic exchange of information and decrease the cost of processing the typical medical transaction. Compliance deadlines are spread out over the next several years, with implementation of some formats expected by October 2002 and privacy rules by April 2003.

Some experts believe we could see as much as $30 billion in savings once HIPAA is fully implemented by all health-care providers and payers. But doing that won't be easy or cheap. The U.S. Department of Health and Human Services (HHS) puts the HIPAA price tag at a modest $6 billion. However, private health-care organizations peg the final bill as high as $42 billion. Hospitals alone are expected to fork out $22 billion just to comply, according to the American Hospital Association.

What the bill will be for state and local governments is not clear. Correctional facilities and educational institutions, along with public-health agencies, will have to overhaul, reengineer and revamp their systems and business practices in order to comply with HIPAA. But it's Medicaid that will bear the brunt of this multi-billion dollar standardization effort.

Medicaiding HIPAA
With millions of clients and thousands of providers to manage, state Medicaid programs have to process massive numbers of transactions using legacy mainframe computers that run proprietary software. HIPAA is forcing state Medicaid agencies to stand that creaking system on end. In the bland, bureaucratic words of HHS, most states face a "quandary." Their legacy computer systems must be able to accept and store new formats and pieces of information and, at the same time, find new ways to generate the data that is missing from HIPAA's formats but is still required by the state for processing.

Not surprisingly, a host of vendors have stepped up to offer services that range from consultation to translation of codes to entire system overhauls. At the head of the pack are EDS, ACS and Unisys, each offering a range of expertise, services and tools. Then there are numerous firms with specific expertise in the health-care arena that are eager to help government agencies tackle the HIPAA problem. These include MedStat, BCE Emergis, Mercator and Physmark, to name a few.

Some states, including Georgia, have decided not to tinker with the old system and have contracted to have an entirely new system built that will meet HIPAA's compliance requirements for transactions and privacy. Security rules have yet to be set by the feds. For three years, Georgia's Department of Community Health, which handles Medicaid, has been working to meet HIPAA's requirements. It wasn't long before the agency realized that its legacy system just wasn't up to the task.

"We found our old MMIS [Medicaid Management Information System] was going to be too costly to remediate and we needed Web capabilities," said Barbara Prosser, deputy director of Systems Management for the department, explaining why the state opted for a new, multi-million dollar system built by ACS, rather than revamping the old one. The fact that the federal government has been providing funds on the Medicaid side for system conversion made the choice easier.

But few states are expected to go the route of Georgia. Instead, they are looking for ways to comply with HIPAA by grafting EDI (electronic data interchange) technology and the standards it adheres to onto existing systems without extensive modifications.

Parlez-Vouz HIPAA?
To date, the answer has been to use translator software that can convert electronic formats and data content so that it can run on existing systems. Translators are front-end software applications -- sometimes called middleware -- that can be used to re-format an incoming claim based on the X12N standard for HIPAA transactions so it can be understood by the state's legacy Medicaid system. The translator can also reformat an outgoing, proprietary transaction so that it complies with HIPAA.

The problem with translators is they cannot create data that doesn't exist. For example, translators cannot create new codes where none existed before, and yet Medicaid systems have nearly 33,000 codes, far more than the new HIPAA codes that replace them.

Conversely, HIPAA will add new fields to health-care transactions that haven't existed before. These extra fields will be necessary for completing HIPAA-compliant transactions and yet they can't be stored in the legacy system, but will have to be placed in a separate database. As one expert pointed out, handling these sorts of modifications are not trivial programming tasks.

Of course states don't have to mess with translators and all the sticky issues that go with customizing software to develop the necessary results. They can contract out the translation problem to a clearinghouse, which will process the nonstandard information into standardized information. Clearinghouses have been doing this for a while, accepting claims transactions from health-care providers and converting them into formats acceptable to payer systems.

Because of their experience, clearinghouses are adept at handling problems that arise when codes and fields are converted from one format to another. They know how to handle error problems and offer other services, including connectivity and communications with other health-care entities, trading partner interfaces, routing capabilities and so forth.

But clearinghouses also have drawbacks. Like the translator software tools they use, clearinghouses cannot create data that does not exist, nor can they eliminate proprietary local codes, the bane of all existing Medicaid systems that must become HIPAA-compliant. They also have limitations in communicating certain kinds of transactions, nor are they all able to support queries in real time. Most do their work in batch mode. They also will have to tackle the problem of HIPAA's privacy regulations. This is a particularly troublesome issue for some clearinghouses that sell or share patient data for marketing purposes.

Less COTS-ly Solution
Some firms are offering states a third solution to the HIPAA problem. Instead of tools or services, they are developing a complete software system that does what translators and clearinghouses do and more, but as a commercial, off-the-shelf (COTS) application. "The popular approaches of using clearinghouses or translators can be very expensive because special programs and data repositories will be required to handle the many new fields and field formats found in a HIPAA transaction," said Jacob Kuriyan, president of Physmark Inc.

Claiming that clearinghouse solutions could cost states tens of millions of dollars, Kuriyan believes a commercial software solution would be far less expensive to implement. "What we are offering is a finished package with just one interface to the legacy system." Physmark's product, called HIPAA Appliance, runs on Oracle's relational database and can accept HIPAA conforming transactions and code sets, as well as convert legacy data into HIPAA compliant transactions. More importantly, it has built-in audit controls that will help states comply with the forthcoming privacy regulations.

As Kuriyan and others like to point out, everything that HIPAA is mandating already exists in other sectors of the economy: computer-to-computer transmission of electronic data, privacy standards for divulging and protecting personal information stored in computers, even security controls. But despite it being the largest sector of America's economy at more than $1.4 trillion per year, the health-care industry is the least automated. And where automation does exist, it's woefully out of date. "What's being required of HIPAA is fairly minimal, but there are so many old systems out there," lamented Kuriyan. As a result, what should be routine in some industries has become a minefield of problems and challenges for health-care organizations, including those in state and local government.