A Healthcare Y2K Starts to Hit Home
By Brian Fonseca
With a stroke of the pen, outgoing President Clinton raises the bar for automating outdated health care systems and giving patients more control over personal information
A MASSIVE UPHEAVAL OF the IT and administrative procedures of the health care industry is about to get under way as a result of President Bill Clinton's approval late last month of two-thirds of the proposed HIPAA (Health Insurance Portability and Accountability Act) regulations.
In a surprising move, Clinton extended the goal of HIPAA beyond creating standards for transmitting and securing electronic transactions of Americans' personal health information to include paper records and oral information.
To meet the mandated privacy and security guidelines, health care organizations will have to leapfrog to automated systems, industry observers said. This is likely to be an expensive and burdensome process, but many organizations have taken a more corporate, bottom-line approach that is expected to help ease the automation process, observers added.
The decision signals a decree by the federal government to remove antiquated internal and external processes of overseeing patients' privacy while also steering health care organizations toward a computer-based system, said analyst Dr. David Steele at Gomez Advisors, a market research firm based in Waltham, Mass.
"[The government] is taking this very seriously. The message here is, 'Don't mess with us,' " Steele said. "This is not something that's supposed to sit on your desk that you can ignore."
Violations of HIPAA's new strict patient-information privacy regulations can result in fines of as much as $250,000 and 10 years in prison for health care providers, hospitals, health plans, health insurers, and health care clearinghouses.
Most providers must be HIPAA-compliant 24 months to 36 months after the final part of the HIPAA proposal, the security and administrative piece, is accepted.
Steele said the HIPAA privacy regulations succeed in giving patients a sense of control that was not present before, allowing greater trust to communicate or disclose their health information online or in person.
"[Medical organizations] are going to have to invest in some of these new technologies -- digital certificates, authentication, [and] biometrics standards in the future -- to really make sure that those authorized to view something are the only ones that have access," Steele said. "These are huge up-front costs. The short term is going to be tough."
The privacy portion of HIPAA, along with the EDI (electronic data interchange) and impending security/administrative simplification regulations, was purposely designed to be technology-neutral.
Mandated regulations based on longevity rather than plugging specific technology holes in today's outdated systems will be beneficial in years to come, said David Yakimischak, CTO of Hillsboro, Ore.-based Medscape.
"[HIPAA] doesn't really start and end with technology. In fact that's [just] one component of what has to happen," Yakimischak said. "It also has a policy procedure. [Everyone] from marketing to sales, distribution, business development, editorial, executives [are all] involved, lawyers [are] involved. It runs across the board."
Medscape, which provides customers with applications and services to house patient information, will attempt to ease HIPAA compliance by enabling its service to be more conducive and consistent with the regulations, Yakimischak said.
Many physicians and medical experts say getting systems in line with HIPAA requirements will not reflect the last-minute mentality of some organizations' Y2K conversion efforts.
"We think that organizations should have done several steps already [to prepare]. It's not like there's a lot of time to wait," said Dr. Barry Hieb, an analyst at Stamford, Conn.-based Gartner.
Hieb said most information systems applications are going to require some form of revision to pass HIPAA specifications. Smaller entities will probably need a minor revision from a vendor, whereas larger entities will need a whole new piece of software or, in some cases, infrastructure changes.
Unlike times past when the field of medicine has been slow to change and adapt, the increasingly informed and technically savvy patient and corporate presence within the medical industry could spur technological revamping much more quickly.
"The thing that's different now is so many physicians are employed by networks where the CEOs [and] the CFOs of those places are used to, 'Hey, if the government says something, we jump,' " said Dr. Gordon Baustian, a physician at the Cedar Rapids Medical Education Foundation in Cedar Rapids, Iowa. "Medicine is just like the law and religion -- it's very slow to change.... Health care has yet to find that killer app."
Baustian said the improvements in EMR (electronic medical records) technology has changed the system from a "glorified depository" to a secure audit trail, capable of providing grounds for dismissing an employee if patient information is improperly handled. But smoothing patients' opinions about the nonpaper system isn't always easy.
"I know we've lost a couple of patients because we're using an EMR," Baustian said. "They're seeing too much [faulty security] stuff on 20/20."
Dr. Reid W. Coleman, medical director of LifeSpan/Physicians Professional Services Organization in Providence, R.I., said fewer than 10 percent of the physicians in his five-hospital system are using true EMR.
Coleman expects that number to double in the coming year as physicians are HIPAA-trained and the hospital's IT department provides needed tools for implementation.
"The advent of electronic communication has revealed a host of flaws and problems of how we handle paper records," Coleman said. "We're finding out a lot of our paper records were not very well-protected."
Coleman said his CTO-led HIPAA team has already made audit log tracking and network changes -- including hardwiring the entire hospital system for encryption -- in anticipation of what HIPAA would entail.
But like many of his peers, Coleman expressed concerns that if the implementation of the consent rules is overly strict, it will impede the necessary flow of health information to the detriment of patients. For example, a patient wary of transmitting medical information online could hamper normal hospital process, potentially putting his or her health in jeopardy.
"Our patients do not want doctors to make important decisions about their welfare when [the doctors] are sick, distracted, or scared. If HIPAA wants patients to make those decisions in the same state, it's a problem," Coleman added.
HIPAA standards apply to all consumers whether they are privately insured, uninsured, or participants in public programs such as Medicare or Medicaid.
The new regulation is designed to enhance the protections afforded by many existing state laws. In circumstances where the federal rules and state laws conflict, the stronger privacy protection would prevail.
Introduced to Congress in 1996, HIPAA regulations are projected to save the health care delivery system $12.3 billion by standardizing electronic claims processing, according to the Department of Health and Human Services.
As the health care industry absorbs the implications of HIPAA's privacy regulations -- particularly in light of Clinton's decisions to expand patient privacy protection to offline processes -- it's clear that all medical correspondence will be far more structured and regulated in the future.
Although the immediate result of Clinton's decision to expand HIPAA's privacy regulations beyond electronic medical information may seem overwhelming, keeping a focused course on HIPAA's true purpose --with additional tinkering still to come -- would suit everyone's best interests .
"I think [HIPAA] is going to definitely need tweaking," said Dr. John Durham, chief medical officer for ambulatory software provider Greenway Medical Systems, based in Carrolton, Ga. "If we try to rush things and try to do it all at once we're not going to be successful and there's going to be an outcry against it and some of those good points will be lost."
infoworld.com |
