The regulatory clock is ticking for health-care providers and their technology partners.
Late last year, the Department of Health and Human Services (HHS) published new standards intended to protect the confidentiality of "individually identifiable" health-care information. The privacy rules say how patient information can be used and disclosed within a health-care organization, and dictate how the information can be shared with other parties. The regs stem from the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996 (www.hhs.gov/ocr/hipaa).
HHS says a pressing need exists "for national standards to control the flow of sensitive patient information." Although the health-care community doesnt dispute the need for privacy standards, organizations such as the American Hospital Association (www.aha.org/hipaa/hipaa_home.asp) worry about the financial impact of the new rules and object to the compliance timetable. The implementation deadline is Feb. 26, 2003.
Integrators capable of helping hospitals beat the clock should find no shortage of work. To comply with just some of the rules, hospitals could spend as much as $22.5 billion over five years, according to First Consulting Group, which studied HIPAAs cost for the American Hospital Association. That spending projection assumes that hospitals will need to reconfigure or replace information systems in order to comply.
Jody Noon, a partner who follows health-care regulatory issues at Deloitte & Touche, believes such overhauls are inevitable. "We know they are going to have to redesign systems," says Noon, who adds that HIPAA affects every aspect of a health-care organization, from the caregivers to the IT department. "You really are looking at major organizational change."
Among the health-care entities tasks is to define which classes of individuals will have access to which subsets of medical records. Then theres the issue of external parties. Health-care groups will need to establish "internal controls on how information will be accessed and shared," Noon says.
Accordingly, HIPAA compliance calls for a strong dose of business process reengineering (BPR), which plays to the strength of consulting-oriented firms. But as BPR has emerged as a hot service, the actual implementation of HIPAA-compliant systems will have to wait.
"There really isnt anything there yet in the marketplace," Noon says, who recently tried to obtain price estimates for technical solutions. First Consulting Group reports that leading hospital systems products cant deliver all the functionality HIPAA requires. That shortfall could boost HIPAAs price tag beyond the consulting firms $22.5 billion estimate, because "more significant upgrades" would be required.
Noon says she expects the systems outlook to improve. In the meantime, shes working with customers to examine their HIPAA shortcomings with an eye toward designing a solution. A traditional approach would be to conduct a gap analysis and later embark on the technical solution. But todays timetable calls for "rolling up our sleeves and designing a solution."
Even so, consultants and integrators will be hard-pressed to help their clients meet the deadline. Welcome to the year 2003 problem.