Miracle Cure?

A federal health care mandate could generate billions in technology revenue, but don't get too giddy just yet.

The search for an antidote to the IT spending malaise has consultants and integrators targeting a controversial federal health care mandate.

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, calls for sweeping changes in the way health care organizations do business. Those changes, some observers believe, could generate billions of dollars in IT-related expenditures over the next couple of years. The obvious comparison is with Y2K, although HIPAA may end up costing health plans and providers even more than the date-change fix. Gartner Research, for one, estimates that HIPAA could wind up costing health care companies up to 2.5 times more money than did Y2K.

HIPAA, like Y2K, also involves deadlines, the first of which health care companies will face in 13 months.

With a federal directive and time constraints working in their favor, IT services firms peddling HIPAA solutions would seem to have a major opportunity at hand. But pursuing HIPAA business is no simple matter. For openers, the regulations are multifaceted. HIPAA calls for streamlined claims processing and the adoption of standards for electronic data interchange (EDI). The regulations also detail privacy requirements and information security standards to protect patient data.

In addition, the entire HIPAA environment is somewhat unstable. Final regulations regarding standard transaction formats and privacy have been issued, but final security regs are still to come. Whats more, HIPAAs deadlines—unlike Jan. 1, 2000—may be flexible. Bills in Congress seek to extend HIPAA deadlines to give health care organizations more time to comply.

But of greater concern to would-be HIPAA solution providers is that the expected business has yet to materialize—at least not on a large scale. Consulting studies and compliance assessments are the rule today. The big-ticket implementation projects remain the stuff of conjecture.

"I dont have people call in and say I want to be HIPAA-compliant," reports Greg Verbosky, VP of the Western region at Breakaway Solutions, which pursues health care customers. "Its not the silver lining thats going to help everyone through this process."

"I think we are still on the front end of the bell curve," adds Larry Albert, senior VP and health care practice leader at Integic.

HIPAA may yet prove to be a boon to solution providers, but those seeking a quick revenue boost are likely to be disappointed.

Payers Go First

Among the various constituencies affected by HIPAA, health plans have done the most thus far to address the regulations. Those organizations—referred to generically as "payers"—represent the best near-term business prospects for integrators.

Payers have gotten off the mark faster because the regulations having the greatest impact on them—HIPAAs electronic transaction standards—have the earliest deadline. Unless Congress grants an extension, payers must be able to accept electronic transactions in HIPAA-compliant formats by October of next year.

"The payers are further along," says Jesse Bowen, who specializes in health information security at Accenture, noting that health plans have a "clear incentive" to comply with HIPAAs transaction standard. The carrot for payers: increased efficiency and lower transaction costs.

Suzanne Calzoncit, principal consultant at Electronic Data Systems, says HIPAA-related projects with payers started to kick in last fall. "A lot of clients were suddenly ready to begin the first phase of HIPAA compliance: gap analysis and assessment," she notes.

The gap analysis is not unlike the discovery phase of a Y2K project. Consultants help customers pinpoint where they fall short of the regulations and what remediation steps are required.

Assessment and gap analysis projects typically last four to eight weeks, which can provide a foot in the door for the integrators. The larger projects will occur in the remediation phase. Here, providers have two primary options: completely revamp their claims systems or purchase "translators" that bring existing systems up to HIPAA speed.

John Quinn, a principal with Cap Gemini Ernst & Youngs (CGE&Y) health care practice, says a complete systems makeover could run a payer from $50 million to $100 million. Yet some payers that are nursing aging systems may well take that plunge.

Accentures Bowen says he is aware of several large payers that see HIPAA "as an opportunity … to upgrade legacy systems." He adds, however, that many payers are weighing their options, considering lower-cost alternatives such as translators. He says software "wrappers" can translate a payers existing transaction codes into HIPAA-compliant formats.

But remediation work—in any form—has yet to materialize, industry execs say. Gartner Research backs this view, reporting that only 30 percent of the payers it surveyed in June had begun developing detailed implementation plans for remediation. More than half the payers surveyed had yet to even complete the assessment phase.

Providers Lag

Most health care watchers acknowledge that hospital systems, independent hospitals and physician practices—a group collectively referred to as "providers"—are lagging the payers. Integrators approaching this group will need a good deal of patience.

"When we look at all the providers in the survey, very few have finished even the very preliminary tasks," says Matt Duncan, a research director with Gartner Researchs health care unit.

"The providers are somewhat disengaged," adds CGE&Ys Quinn. "They know the dates are out there, but they are waiting for vendors to tell them what they are going to do."

Indeed, Gartner reports that more than 80 percent of providers (and a similar portion of payers) expect their software vendors to cover them for HIPAA compliance. Providers also are waiting for payers to set dates for transaction compliance. It makes little sense for providers to start filing claims in HIPAA formats before their payers are ready to process them, in theory.

Accordingly, providers are expected to place greater emphasis on HIPAAs privacy and security provisions, and less so on transactions. The Healthcare Information and Management Systems Society (HIMSS) says that 57 percent of the providers it surveyed identified upgrading security to meet HIPAA standards as a top priority, while about 30 percent cited EDI as a top priority. Superior Consultant Co. and Dell Computer sponsored HIMSS 12th annual leadership survey.

While providers have some EDI exposure, they will find the greater challenge in meeting HIPAAs privacy provision, Quinn explains. The providers to-do list includes developing privacy policies, providing notice and consent forms, and creating a mechanism for tracking privacy complaints, among other items.

"That [privacy] is the part thats going to be tougher," Quinn contends.

Much of the privacy work will involve policy and process, but some technology projects are bound to arise. Jody Noon, a partner who follows health care regulatory issues at Deloitte & Touche, suggests that organizations may pursue technical solutions to support HIPAAs opt-out provision. Under HIPAA, patients may opt out from having certain types of information disclosed that health care providers could otherwise legally use. Noon says custom software could help providers track opt-out requests.

Noon says business for privacy assessments is picking up and predicts a busy fall and winter. The deadline for meeting HIPAAs privacy guidelines is April 2003.

As for security, the health care segment generally has trailed such industries as financial services, says Bowen. "Health care traditionally … has not invested [as much] in technology in general and security in particular."

Final regulations have yet to be issued for security, but a number of integrators say the proposed regulations are on track with industry best practices. They expect few surprises once the final regs are published. "People are looking at security based on what they know is in the proposal right now," says Rosemary Abell, health care practice manager at Keane Inc.

Meanwhile, thousands of physician practices also figure in the HIPAA scenario. Those typically small practices, however, may be the least active when it comes to HIPAA. "I dont think a lot of our folks have even started," says Robert Tennant, government affairs manager for the Medical Group Management Association, which represents more than 9,000 practices.

Tennant says many members believe HIPAA is an issue that practice management software vendors will handle. And when it comes to transactions, smaller practices often send their claims to a clearinghouse.

Some practices, confronted with HIPAA compliance, may opt to stay stuck in the paper world, says Brian Fitzgerald, director of the health care practice at Edgewater Technology, who notes that HIPAA does not apply to analog transmissions.

Others will take a wait-and-see approach. But practices that wait too long may find their software vendors unable to deliver HIPAA compliance on schedule. Those practices may be ripe customers for application service providers (ASP), some industry executives speculate. To meet the HIPAA deadline, a practice could hire an ASP to rapidly deploy a compliant solution on a subscription basis.

Meanwhile, ASPs are checking to see if their applications are ready for HIPAA. EYT, for example, is "making sure we are comfortable" with its vendors position on HIPAA, says Leif Henecke, director of Lawson services at EYT.

Timing and Money

So when will payers and providers open their wallets for HIPAA implementation? Most executives agree that the money wont start flowing this year.

The HIMSS survey, for example, reports only modest budget increases for providers in 2001, suggesting that the larger projects will not hit until 2002 or later. Gregory S. Walton, chair of HIMSS and CEO of Carilion Health System, says providers are waiting to see if their current vendors will deliver on HIPAA.

"Therefore, it would seem logical for providers to conserve resources by purchasing solutions after theyre convinced legacy vendor HIPAA offerings fall short," he says. "This logic would enforce the notion of greater technology spending in 2002/2003."

Some integration executives expect an uptick in spending during Q1 or Q2 of 2002, but precisely when the wave will hit is anybodys guess. The ultimate compliance deadlines are still uncertain, with Congress still considering an extension.

And even when set, the deadlines wont be "dead-solid hard," says Wes Rishel, a research director at Gartner. Some health organizations may ignore the deadlines, despite the threat of penalties, executives argue.

CGE&Ys Quinn says HIPAA fines, in the worst-case scenario, would top out at around $200,000. Payers facing costly remediation projects may decide to take the fine, he suggests.

"So in fact, [health care CIOs] arent able to go to the board and say we face total disaster if were not remediated by October 2002," Rishel explains.

Nevertheless, health care organizations are expected to start budgeting for HIPAA projects. Integics Albert describes a difficult juggling act in which health care firms attempt to budget for HIPAA without freezing other major programs. "A lot of folks are just going through some painful prioritization," he says.

"If you recall Y2K, it seemed like there was buzzing for a long time before it suddenly became a three-alarm fire," adds Bob Fisher, CEO of Foresight, which offers a HIPAA certification service. In the meantime, says Fisher, "Were all dressed up with no place to go."