May 11, 2001, 10:15 AM — After confronting the Y2K problem, IT managers in the massive health care industry
now face a new challenge: They must implement federally mandated privacy regulations
under the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA calls for sweeping changes in the way doctors, hospitals, health insurers,
and other health industry players handle patient information. The regulations
require changes in data transaction formats, as well as new privacy procedures
and security methods. Experts say that the HIPAA compliance effort will take
several years and that the job may be tougher to complete than the Y2K date
conversion problem that so preoccupied the IT industry not so long ago.
What makes complying with HIPAA so difficult for the health care providers
is the fact that sections of the industry are still replete with outdated equipment,
proprietary systems, paper forms, and the like. As with their handling of the
Y2K problem, some IT managers will be tempted to scrap aging systems and bring
in new methodologies. They will look to password and authentication systems
in order to provide the necessary level of privacy and security. Some industry
viewers even foresee a role for futuristic technologies like biometrics in ensuring
patient document privacy.
Though the industry is just now beginning its scramble as the scope of the
regulations comes to light, HIPAA has been in the works for a long time. Former
US president Bill Clinton signed the act into law more than four years ago.
Since that time, government administrators have worked to turn the law into
a series of regulations. Some were surprised last month when new Health and
Human Services secretary Tommy Thompson allowed HIPAA to take effect without
The regulations are designed to encourage the conversion of medical records
into electronic format. The law also includes provisions to ensure the privacy
of patients' records. HIPAA compliance will be phased in by steps. Health plan
operators, health care clearinghouses, and health care providers will have until
April 14, 2003, to comply with privacy requirements, although additional time
will be allowed for bringing small and medium-size health plans into compliance.
These federal regulations are a challenge to numerous health facilities that
mainly use legacy systems that are 15 to 20 years old and not inherently interoperable.
And though the changes may save money in the long run, the short-term cost is
staggering. In a statement, president Dick Davidson of the American Hospital
Association said the cost of meeting the HIPAA requirements could reach $22
billion over five years.