Stress Test

HIPAA review puts IT projects on hold

The fate of a multibillion-dollar government-inspired jackpot for information technology companies sits in limbo as Tommy Thompson, the new secretary of Health and Human Services, revisits medical privacy rules formulated under the Clinton administration.

Thompson recently put on hold some regulations that are part of the Health Insurance Portability and Accountability Act (HIPAA), a sweeping 1996 law dealing with a range of health-care issues, that would have effectively forced many businesses that handle medical information to install electronic systems to ensure the confidentiality of patient records.

For example, HIPAA encourages insurance companies to let people change health plans online. It also seeks to standardize what is now a raft of insurance claim forms in digital formats and could enable doctors to sign off on prescriptions through the Web.

Estimates for implementing the whole of HIPAA range from $10 billion to $20 billion. The privacy piece of the HIPAA puzzle is expected to be the costliest and most complicated.

"There are 6,000 hospitals in the U.S. You could add to that at least 500 insurers. Then you have the whole next tier —the physician practices and home health-care organizations," said Mike McDermand, vice president of health-care solutions at Computer Associates International. "All of them need assistance."

The HIPAA-inspired mandate to go online has clearly benefited large consulting firms like Gartner Group, which has been particularly active in this area. Of the company's roughly 1,000 health-care clients, about 200 are actively pursuing advice about the law, and about 7 of the organization's health specialists are focused on HIPAA, said Matt Duncan, a Gartner research director.

For at least 75 percent of health-care organizations, Duncan said, by 2004 "the time and money spent on HIPAA is going to equal between one and two times the money and time they spent on Y2K." The average hospital spent between $10 million and $15 million on Y2K, he said.

Kristin Welsh, senior associate director of policy development at the American Hospital Association, said the rules are "enormously complex and prescriptive" and deserve a thorough vetting by the new administration. "Every dollar you are spending on HIPAA you are taking away from patient care," she said. "I think [Thompson] will be sympathetic to that."

Health-care companies may cheer Thompson's decision to open up the issue to a 30-day public comment period, but the public should mourn, said Janlori Goldman, director at Georgetown University's Health Privacy Project. The move, she said, "may be used to justify further delay or weakening of the implementation of the regulations."