After confronting the Y2K problem, IT managers in the massive health care industry now face a new challenge: They must implement federally mandated privacy regulations under the Health Insurance Portability Act (HIPPA).
HIPAA calls for sweeping changes in the way doctors, hospitals, health insurers, and other health industry players handle patient information. The regulations require changes in data transaction formats, as well as new privacy procedures and security methods. Experts say that the HIPAA compliance effort will take several years and that the job may be tougher to complete than the Y2K date conversion problem that so preoccupied the IT industry not so long ago.
What makes complying with HIPAA so difficult for the health care providers is the fact that sections of the industry are still replete with outdated equipment, proprietary systems, paper forms, and the like. As with their handling of the Y2K problem, some IT managers will be tempted to scrap aging systems and bring in new methodologies. They will look to password and authentication systems in order to provide the necessary level of privacy and security. Some industry viewers even foresee a role for futuristic technologies like biometrics in ensuring patient document privacy.
Though the industry is just now beginning its scramble as the scope of the regulations comes to light, HIPAA has been in the works for a long time. Former US president Bill Clinton signed the act into law more than four years ago. Since that time, government administrators have worked to turn the law into a series of regulations. Some were surprised last month when new Health and Human Services secretary Tommy Thompson allowed HIPAA to take effect without major modifications.
The regulations are designed to encourage the conversion of medical records into electronic format. The law also includes provisions to ensure the privacy of patients' records. HIPAA compliance will be phased-in by steps. Health plan operators, health care clearinghouses, and health care providers will have until April 14, 2003, to comply with privacy requirements, although additional time will be allowed for bringing small and medium-size health plans into compliance.
These federal regulations are a challenge to numerous health facilities that mainly use legacy systems that are 15 to 20 years old and not inherently interoperable. And though the changes may save money in the long run, the short-term cost is staggering. In a statement, president Dick Davidson of the American Hospital Association said the cost of meeting the HIPAA requirements could reach $22 billion over five years.
Many organizations have yet to begin HIPAA compliance efforts. A recent survey by the Gartner Group indicated that only 27 percent of health care organizations have begun setting aside money for meeting the regulations.
Richard Peterson, HIPAA solutions director at Computer Sciences Corp. (CSC), warned that complying with the HIPAA regulations would be a long-term, business-process change.
"A lot of people think their vendors can solve this problem for them. We believe a vendor can provide a HIPAA-ready system, but only an organization can make it compliant. And it's not a one-time process like with Y2K. It's ongoing," Peterson said.
One of the challenges of HIPAA that IT managers face involves the authentication of patients' medical records. Only authorized personnel should be able to access the records, without sacrificing precious time.
Dr. Michael Kuperstein, founder, chairman, and CTO of Etrue, a start-up biometrics company, said the current design of health care systems is inefficient in light of the HIPAA requirements, because many hospitals have separate data systems.
"You've got the hospitals, the doctors with their separate offices, and the departments within the hospitals, and these three [computer systems] have developed independently," Kuperstein said.
CSC's Peterson agrees that linking information and keeping it consistent is a challenge for the health care system.
"The idea is that for continuity of care, you want to know everything you can about the patient. Unfortunately, none of us remain in one place or have just one doctor. There's trouble linking patient information," he said.
This is where some say biometrics may be a viable answer. Biometric devices allow users to sign on to networks via recognition mechanisms that utilize the distinguishing traits of an individual, such as fingerprints, facial features, voice, and eyes.
Kuperstein believes that biometrics could save money for health care providers by saving them time. "Biometrics optimizes the workflow and enables health care providers to have access across the system," he said.
Kuperstein further explained how biometrics could provide better access to the legacy applications that many health care providers use. Each application has its own password, which may change monthly. Often, he said, people forget their passwords, and time is spent trying to find them. When time is lost, patients aren't helped, and then money is lost.
Walter Hamilton, vice president of business development at Saflink, a provider of biometrics software, said that his company replaces passwords with biometrics technology. "We replace PIN numbers and passwords with biometrics, so that you don't have to remember all the passwords. It's more secure and convenient," he said.
However, Peterson of CSC pointed out that biometrics can be expensive, and that other options exist.
IDC analyst Chris Christiansen agrees. "Unless you're big enough, biometrics can become prohibitively expensive," Christiansen said.
Another upcoming technology that may help the health industry comply with HIPAA is smart cards. Smart cards have embedded chips that can act as keys to provide access to a network. While many IT managers are embracing smart cards as a solution for meeting HIPAA regulations, the cards do have disadvantages.
Mark Hays, CTO at Ingenix, a company that provides software and services to the health care industry, said that although his company will support the use of smart cards in its applications for customers if they prefer that, he would recommend biometrics. "Smart cards are not much better than passwords, because somebody could steal your card," he said.
Hays added that when you lose your card, you have to revert to using a password, which isn't very reliable. With biometrics, that sort of issue does not arise.
Biometrics can also be more economical than smart cards because it spares you the expense of supporting customers who lose their cards, he said.
Includes reporting by Jack Vaughan, editor at ITworld.com.