Anyone working in health care informatics must keep up with the progress being made in implementing the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA directed U.S. Department of Health and Human Services (HHS) to issue rules standardizing and regulating the storage and electronic exchange of health care information. The first round of rules becomes final this year.

Recently Lee Barrett, a consultant and road warrior with Complete Business Solutions, Inc. (CBSI), gave a seminar on HIPAA. Barrett is also Chair and a longtime leader of the Workgroup for Electronic Data Interchange (WEDI) and Executive Director of the Electronic Healthcare Network Accreditation Commission (EHNAC). WEDI was one of the prime movers behind the enactment of HIPAA. Here is a summary of Barrett's thoughts as well as my comments as a participant in the field of health care information law.

Standardization has its Risks.

One of the first rule sets to become final will be a number of transaction standards. These rules will force a reduction from the estimated four hundred fifty standards currently in use nationwide, to one, and will be a great help in the management of administrative costs. One anticipated consequence is that this shift will require major retooling of the IT infrastructure for many organizations over the next two years. A number of organizations are already involved in this process, but others are at high risk of ending up handling their transition in crisis mode. Health care organizations which are already running on slim margins may face real difficulties with the need for yet another IT investment.

A longer-term risk arising from standardization is that it reduces the cost of illegitimate or even illegal information uses as well as that of legitimate ones. In a more "frictionless" IT environment, lowering the barriers to information uses will also reduce the burden hackers, malcontents and other miscreants face. Part of current security is the simple fact that working knowledge may not carry over well from one system to another. IT security has always been a major concern of WEDI and is a major component of HIPAA. Good security is necessary for efficiency in health care IT and must not be given short shrift as we implement HIPAA.

According to Barrett this simplification will be enhanced by the fallout from Y2k. He believes that not all of the current estimate of 2,900 physician practice management (PPM) vendors will survive Y2k. The combination of Y2k, HIPAA compliance, and the emerging trend of aggressive capitalization of a few leading health information companies does set the stage for a market shakeout and consolidation. If we should wind up with half a dozen PPM companies dominating nationwide, this would simplify the working environment, for both good and ill.

Information Flow Restructuring and Governance.

Barrett demonstrated the evolution of health care information exchange patterns from the current chaotic web to a sort of "hub and spoke" arrangement in which information passes among parties via a central "information services group." This is a compelling model and desirable from a legal and risk management perspective too. The real question is, how do you fund and govern such a thing?

There have been a number of attempts to create interorganizational health care networks, from the ill-defined Clinton/Gore proposal that health care reform should include use of the "Information Superhighway" through the abortive Community Health Information Network (CHIN) efforts. There are efforts under way to facilitate transfers of various kinds of information among a limited number of parties, and interorganizational data transfer is one of the core functions of many PPMs and all health care clearinghouses. But getting all the parties in an information exchange network to trust each other and give up information control is a daunting task. HIPAA may help catalyze such efforts as the various players begin using the same standards and become subject to the same regulations. I do not see any significant government funding becoming available for such projects, and HIPAA does not mandate that they happen.

Then how will these networks arise? By standardizing transactions HIPAA will make it possible for private entities to do so on a for profit basis. The standardization of transactions across the nation will allow any company which learns how to be good at health care information management in one market to replicate its success elsewhere, increasing returns on investment and making the business attractive to investors.

The corollary need for security may also catalyze this process. Barrett noted that some organizations have already appointed HIPAA compliance officers who are also the "fall guys" if something goes wrong. On an organizational level, it is probably in the best interest of information network participants to offload HIPAA compliance, and therefore risks, onto a designated, competent entity as much as possible. As a matter of efficiency something like a centrally coordinated "hub and spoke" interorganizational system will likely emerge and become the norm. These should have independent central entities, bound by contracts and policies which ensure that they are genuinely trustworthy, to manage the transactions. There may be an opportunity here for independent specialty vendors to perform this function in a number of markets.

Competitive Opportunities.

Other competitive opportunities are emerging from the implementation of HIPAA as well. Barrett thinks that over the next five years the key differentiating factor among health care organizations will be access to information, the primary benefit of which will be cost savings.

One Fortune 100 company saved several million dollars by daily interactive updating, instead of monthly, of its electronic health benefit enrollment procedures. Claims were reduced because the new system could catch enrollees who leave the company and gain other coverage during a given month. Once again security becomes a problem. More frequent interaction with data increases the opportunities for negligent or illegal handling. Barrett pointed out that the new health claim status and request notification standards will allow for interactive checking of claims status. This is generally perceived as a benefit for providers, but it could also be made available to consumers. As a health care consumer who frequently has to troubleshoot my family's claims, I would like this service very much.

Providers might benefit from the transaction standards for health care payment and remittance advice. Serving as an electronic "explanation of benefits," the same transaction could be used to trigger an electronic funds payment transfer, creating immediate revenue flow. With a creative approach to the transaction standards, a technologically competent health plan could realize some genuine competitive advantages.

Privacy: The Never Ending Tale.

The joker in the HIPAA deck is the privacy standards, which HHS is required to issue unless Congress enacts privacy legislation before the end of August 1999. Barrett's best guess is that Congress will not do anything substantive this summer, but, in order to forestall the Clinton backed HHS, will pass legislation giving itself one more year, putting the issue squarely into the election season. If privacy becomes a political football, we could end up with a far less workable set of mandates than HHS is pursuing.

Conclusion.

Barrett drew an important lesson from Y2k for HIPAA compliance: "Start sooner. Get senior management involved." How many organizations have learned this lesson or will learn it in time? I hope your organization has.

Ó 1999 Dean F. Sittig

The Informatics Review Thoughts - HIPAA Update Midyear 1999: A Review of a Seminar by Lee Barrett