Ready Or Not, Here Comes HIPAA

When Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, one of its major objectives was to reduce health care costs by simplifying administrative and financial transactions across the industry. At that time, national health spending was heading toward the $1 trillion mark annually, and studies proclaimed that "administrative simplification" could save anywhere from $40 billion to $70 billion per year.

Six years later, HIPAA is proving to be much more costly - and difficult - than the government initially expected. In December, health plans, providers and clearinghouses were granted the option of applying for a one-year extension to comply with the transaction and code set requirements of HIPAA - yet the industry is still scrambling to comply with all the provisions of the law.

Insurers must assess and redesign their policies and information systems to address not only the transaction-related HIPAA rules, but also the privacy and proposed security rules. With the April 2003 privacy deadline looming - not to mention the final security rule expected to be released this year - the industry is required to make enormous procedural and technical changes within an 18-month timeframe.

"The majority of the healthcare industry will not even come close to compliance with the HIPAA transaction and code set regulations by the October 16, 2002 deadline," says Matt Duncan, research director, healthcare industry research and advisory, Gartner Inc., Stamford, Conn. Almost all payers will apply for the extension, he predicts, not necessarily because they won't be able to meet the deadline themselves, but because most providers won't be in compliance by that date.

Indeed, according to Gartner research, health plans are making progress toward transaction compliance, but providers are lagging. By December, 65% of payers had completed a gap analysis or risk assessment on their transactions and code sets, but only 26% of providers had done so.

ENORMOUS TASK

To comply with the mandate, health plans, providers and clearinghouses (covered entities) must transmit electronic (EDI) transactions - such as claims, eligibility verification, referrals, claim status inquiries, enrollment, and claim payment and remittance advice - in standard X12N ANSI (American National Standards Institute) formats.

Before they can do that, however, they must translate their custom transactions into the much smaller set of HIPAA formats. Then, they must test all types of data exchanges with all their trading partners before putting the HIPAA-compliant transactions into full production.

Obviously, that's an enormous task. According to one estimate, if there are one million physicians, 5,000 hospitals, and 3,000 payers working toward HIPAA transaction compliance, there could be at least 57 million data exchanges that must be tested before the deadline.

"It was essential that Congress grant the extension to allow the industry adequate time to prepare for HIPAA migration," says Jim Daley, HIPAA program director at Columbia, S.C.-based BlueCross BlueShield of South Carolina. If Congress hadn't acted, "there would have been a lot of people frantically trying to scramble to determine how to convert all their trading partners in such a short time frame."

BlueCross BlueShield of South Carolina is prepared to meet the October 2002 deadline, Daley says. But the extension will enable the company to transition its data exchanges in a much more reasonable time frame. "Instead of having to migrate all our trading partners en masse to the new formats and code sets (by October 2002), we will have an additional year to accommodate each submitter," he says.

SORTING IT OUT

At press time, Aetna Inc., Hartford, Conn., was deciding whether it would apply for the transaction extension. (Editor's note: The U.S. Department of Health and Human Services (HHS) was supposed to release the guidelines for applying for the extension late in March.)

"We're trying to sort out where everyone else is going to be," says Faye Dion, a member of Aetna's HIPAA project management office. "We can be ready to go, but if we have no one to play with, there's not much point to that. So we're looking at the environment and looking at the cost/benefit of one way or the other. And we haven't made a final determination yet."

Meanwhile, payers are busy translating their transactions to HIPAA formats. BlueCross BlueShield of South Carolina, for example, has upgraded its translator software to a single front-end solution, called PaperFree, from Sybase Inc., Concord, Mass. All electronic transactions coming into the company will be routed to the PaperFree system, where they will be translated to internal formats and routed to the appropriate back-end systems. The translator will transform outbound transactions back to HIPAA formats before sending them out to the company's trading partners.

Similarly, Mutual of Omaha - which processes 18 million claims and receives 900,000 claim status requests and 1.1 million eligibility requests per year - is deploying translation software from Wilton, Conn.-based Mercator Software Inc.

In January, implementation of Mercator's HIPAA Solution was 62% complete - ahead of schedule and under budget, according to Terry Christensen, manager of administrative simplification for the Omaha, Neb.-based insurer. Using a prototype that Mercator helped build, Mutual of Omaha had processed 32,000 ANSI 837 claims in about 75 minutes. The company expects to be HIPAA-compliant by the October 2002 deadline.

Although the original motive for adding standardized EDI transactions to the HIPAA bill was the potential cost savings that standardization would bring to the industry, legislators also surmised that standard transactions would increase the use of electronic transmission instead of paper. This prompted them to add privacy and security regulations to the HIPAA bill.

"The ultimate objective that nobody talked about back then - because it was still embryonic - was: If you could protect data much better and you used standards, then there's this great big free conduit out there that is largely untapped - and it's called the Internet," Gartner's Duncan says. "And if we can get people off these really expensive private networks and migrate them to the Internet, then that's when we're really going to see some explosive cost savings."

Indeed, industry observers are touting HIPAA as a driver for Internet healthcare applications that will transform the industry.

HIPAA's transaction and privacy rules are forcing health plans to overhaul their administrative processes, information systems and data-sharing practices, notes Forrester Research Inc., Cambridge, Mass., in a study titled, "HIPAA: eHealth's Trojan Horse." Smart health plans will leverage HIPAA to implement Internet-based technologies to improve administration and member relationships, optimize care delivery and create new products, according to Forrester.

LEVERAGING THE INTERNET

"Plans should make Internet-based physician claims transactions their first foray into online administrative systems," the report states. Doing so could save up to $15 per claim by shifting the current 50% or more of paper-based claims to real-time systems. Web-based claims can reduce turnaround times from 15 days to 5 minutes, according to Forrester.

After that initial step, the report proposes that health plans should leverage the Internet to provide a higher level of customer service with:

* Applications that generate contracts and claims adjudication rules for employers selecting coverage options through online benefits marketplaces.

* Self-service capability on insurers' Web sites to provide preemptive information to members, such as new providers and practice-hour changes.

* Wireless technology for a system like GM's "OnStar," whereby members could push a panic button on a cell phone to alert the nearest network emergency room.

* Web-based personalized health plans that offer members early interventions and disease-management programs.

In addition to intending to reduce administrative costs, HIPAA offers the secondary bonus of additional privacy and security, Gartner's Duncan notes. And higher levels of privacy and security will increase customer confidence, which will enable health plans to take a more proactive role in helping members manage their health.

"Long-term, medical management is (insurers') best opportunity to get costs under control - to practice preventive medicine instead of reactive," he says.

But whether or not HIPAA is the Trojan Horse ushering in Internet-based healthcare is still debatable. In the Forrester study, 41% of payers surveyed said that HIPAA was accelerating their eHealth initiatives, while 45% said there was no relationship between HIPAA and their online health applications, and 9% said HIPAA was slowing their Internet efforts down.

A SQUARE PEG

Healthcare was already moving to the Web prior to HIPAA, says Daley of BlueCross BlueShield of South Carolina. "I don't think HIPAA is driving the Web at all. The business needs were driving the Web. HIPAA is just something we have to deal with," he says.

In fact, HIPAA is requiring the industry to use an EDI batch transmission format, which insurers are now forced to jury-rig to fit the Web, he says. "It's kind of like taking a square peg and trying to fit it into a round hole."

What's more, administrative simplification may not reap the savings the government promoted with HIPAA. The government underestimated implementation costs, made unrealistic assumptions about the growth of EDI without HIPAA, and did not consider the effect of technologies deployed after 1993, according to a study prepared last year for Chicago-based Blue Cross and Blue Shield Association by Robert E. Nolan, a Simsbury, Conn.-based management consulting firm. For example, Nolan found that large health plans would spend an estimated $10 million to implement HIPAA's transaction standards - ten times the $1 million figure that HHS estimated it would cost.

Similarly, the government also minimized the cost of HIPAA's privacy rule, according to another Nolan study conducted last year for Blue Cross and Blue Shield Association. HHS estimated privacy compliance would cost the industry $17.5 billion over 10 years, while Nolan found it would cost an estimated $42.9 billion over five years.

HIPAA's privacy standard requires covered entities to make reasonable efforts to limit the use and disclosure of personal health information to the "minimum amount necessary to accomplish the intended purpose of the disclosure."

The rule covers electronic, paper and oral disclosures, and it enables people to see copies of their medical records and request corrections. It also requires covered entities to obtain a person's consent before sharing information for treatment, payment and health care operations, as well as to obtain authorization before sharing information for nonroutine disclosures. People will be able to file complaints with a provider or health plan for violations of their privacy.

Practically speaking, the privacy provisions are 80% procedural and 20% technical, while the transaction rule is the reverse, Gartner's Duncan says. The privacy rule will require covered entities to reengineer many of their policies and practices, some of which will entail significant changes to their information systems.

AUDIT TRAILS

For example, covered entities, including payers, will be required to map out categories of personal health information that people are allowed to access to perform their jobs. After that exercise, they must change work processes and information systems for HIPAA-compliant access management and authentication.

They also must develop the capability to create audit trails for disclosures. Although some infrequent disclosure requests might be handled without an application designed for that purpose, tracking a large volume of frequent disclosures could involve system changes, says Daley of South Carolina Blues.

For example, the regulation mandates audit trails for disclosures that require an authorization. "You would need to show a request for the disclosure, that the authorization was granted, and what was disclosed to whom and when," Daley says.

Likewise, if a participant requests an accounting of the information a health plan has about them, the insurer must supply that information so the participant can inspect it, and correct it, if there are inaccuracies. "Extracting that information from a payer's system will require a technical solution," Daley says.

Currently, BlueCross BlueShield of South Carolina is conducting its HIPAA privacy risk assessment and gap analysis. By December, two-thirds of payers had not met this milestone, according to Gartner research. Although the industry will have two years to comply with HIPAA's security rule once it's published, the industry must comply with HIPAA's privacy rules by April of next year.

"We have to review the way we work within our business and the way we share information with other people," Daley says.

The industry will be pushing to meet the April 14, 2003 deadline for privacy, along with driving to test transactions two days later when covered entities are required to begin testing, says John Cerwin, president of HIPAA Accelerator, Bannockburn, Ill. "Instead of being able to stagger this stuff out, the industry is getting hit all at once," he says.

Not surprisingly, his recommendation to payers is echoed by other vendors and consultants: Move forward with all aspects of HIPAA compliance despite the transaction extension. "Ultimately transactions will take longer than people think," Cerwin notes. "And privacy is going to take much longer than people anticipate too. There's much more to it, especially from a (technology) perspective."
