A millennium scenario:
A gunshot victim arrives in bad shape, losing blood, and he needs to be surgically opened up. But the emergency department's air-cleansing ventilation system has shut down. Trauma surgeons hesitate because they are concerned about infection in the stagnant, clammy cubicle.
Within minutes, though, the patient's condition worsens, and he now needs major surgery. Doctors call for a courier to whisk him to the sixth-floor operating suite, stat. But none of the elevators budge. The patient bleeds to death.
Private investigators from a crack law firm flash subpoenas, make a beeline for the computer room and disconnect the hard drives.
With correspondence frozen, they scour e-mail for the trail of action or inaction preceding the microchip-triggered ventilation and transport problems. For the lawyers, the situation is a jackpot: The errors of omission and commission are a litigator's dream.
Hospital executives and board members comb their commercial general liability insurance and their directors-and-officers policies for evidence of protection from the fallout around them.
The bad news: They're covered only for events that happen by chance, not for predictable ones. And there's no way hospital executives can argue that they could not have foreseen year 2000-or its preventable problems.
That's just a taste of the grief that awaits healthcare systems if they don't start preparing comprehensively for the consequences of the faulty computer code as the millennium approaches, according to experts waving frantically to get the industry's attention.
The root of all year-2000 evil is a simple technical flaw multiplied countless times in computers, software programs and microchips embedded in all types of equipment.
The problem is that computers and other devices assume calendar years are in the 1900s, and they store years by their last two digits. That assumption will cause a wide range of miscalculations and programmed confusion when dates turn to 00 for 2000.
Most providers are only beginning to mobilize and budget for the vast undertaking of correcting the problem in information systems and medical devices (Aug. 10, p. 46).
However, at this late date, finding and fixing all the flaws would be impossible and insufficient to keep providers and their patients out of harm's way, experts warn.
Way beyond computers. "People are really starting to understand that they're not going to get everything done," says Joel Ackerman, executive director of Rx2000 Solutions Institute, a Minneapolis-based not-for-profit company specializing in millennium glitches in healthcare.
What people still don't understand, though, is the spillover of consequences into business issues, finances and liability, says Steven Goldberg, an attorney with Boston-based Cosgrove, Eisenberg & Kiley.
"Hospitals and their key decisionmakers may face malpractice claims; personal injury and wrongful death suits; actions against directors and officers; enforcement of licensing, accreditation and other regulations; and for publicly held corporations, shareholder suits," says Goldberg.
Most hospitals perceive and treat the Y2K threat as a technical problem, but it's a management problem of the highest order, says Michael Paskavitz, president of the Health Care Safety Institute in Beverly, Mass.
"Once you know what on your inventory is a potential problem, assuming you can trust your vendor's response or you've tested (the equipment) yourself, you've got to manage that risk-and that's 90% of the work," he says.
"Even the most proactive hospital is vulnerable to its dependencies (on outside vendors and affiliations)," Paskavitz says. "And our experience in working with hospitals thus far is that there is very little recognition of this."
With 13 months left until the big double-0, providers must choose their most important Y2K-related priorities, ensuring the completion of some tasks while handling less-critical problems as they arise, Goldberg says.
"You will not finish everything. You will have problems," he says. "You have to operate on that basis."
At the very least, systems need contingency plans to make the most important processes fail-safe and to back up potential failures with a rehearsed alternative, experts say.
An organized examination of operations and fundamental needs can spotlight issues that in retrospect could be considered obvious, such as the importance of elevators in a multistory facility and of ventilation systems in a delicate patient-care environment.
Leadership lag. However, a lack of direction and leadership has put the healthcare industry deep in the hole, according to a survey by the Health Care Safety Institute.
The institute polled 217 hospitals in nine states between May and September and found that only 25% of U.S. hospitals were taking the Y2K problem seriously. The survey also found that:
46% of hospitals had appointed a year-2000 project leader.
42% had appointed a year-2000 committee with executive representation.
31% had defined the scope of their Y2K project.
30% regularly discussed Y2K at board meetings.
21% had conducted a high-level inventory.
11% had completed an impact analysis.
1% had developed contingency plans.
To Gary Clark, a consultant on Y2K readiness, "it's not a good picture. . . . Everyone we work with is behind."
For example, Clark, president and chief executive officer of Los Angeles-based Clark Information Services, recently discussed the issue with a large HMO's Y2K project manager. He found that the health plan hadn't assessed any of its internal inventory, much less the status of its contract partners.
In another case, the chief of staff of a large healthcare organization was "completely in the dark" about how pending plans to assess biomedical equipment would affect daily operations. The physician didn't understand the Y2K bug's possible impact on biomedical equipment or the potential for removing many devices from service during the inventory assessment.
The organization had also failed to deal with the eventual replacement of hundreds of devices in the 80,000-unit inventory. Managers submitted their 1999 budgets before fully considering the Y2K costs of remediation and replacement.
"The healthcare industry will probably only be through the assessment phase by the end of 1998," Clark says. "I wish I could point to a leader, but they're few and far between," he adds.
Executives are sometimes so dismissive that it's comical. Paskavitz says he recently spoke to a woman who wanted to know what the term Y2K meant. "She had just been named her hospital's year-2000 project director by her boss, the CEO. She is his secretary."
In an industry where regulation usually runs rampant, no agency has emerged to prod healthcare groups into Y2K readiness, Paskavitz says. HCFA, for example, has well-publicized problems of its own.
"Hospitals typically have so many agencies and organizations telling them what to do through regulations and standards," Paskavitz says. "But with respect to Y2K, no federal or national organization has stepped forward to lead. There is no direction and therefore no perceived consequence for doing nothing."
Outside influences. Regulators in other industries and professions are not so reluctant. In fact, agencies in other sectors may be more likely to put provider organizations on the spot than healthcare regulators are-and soon.
Among the more aggressive is the Federal Financial Institutions Examination Council, the agency that prescribes uniform principles and standards for examining the fitness of the nation's banking system.
Working from a timetable that started in June 1996, lenders have completed an inventory of mission-critical computer applications and have planned the renovation of faulty systems.
By Dec. 31, renovation should be largely completed and testing under way, according to the council. In the past few months, the agency has shifted its attention to notifying laggard banks of Y2K-related deficiencies.
But in March, the agency also turned to borrowers' Y2K plans. It gave banks a Sept. 30 deadline for assessing individual customers' Y2K preparedness through "a due-diligence process that identifies, assesses and establishes controls for the year-2000 risk posed by customers."
At banks that are toeing the line, those assessments are already on file or being written, Clark says. Considering the embryonic stage of year-2000 plans at most healthcare organizations, the council's decree may threaten the credit ratings for those organizations, loan agreements and other financial arrangements, he says.
Clark adds that the agency is not a paper tiger: It recently closed three banks in Georgia because they didn't comply with Y2K directives. The same thing could happen to banks that don't evaluate and revise their book of business based on risks to collateral or repayment, he says.
The agency's guidance document includes a range of "mitigating controls" such as requiring more collateral and even early termination of agreements. Clark says the message to healthcare customers in extreme cases will be, "Produce your Y2K plans. If you don't, we'll call your loan."
Another agency weighing in on the Y2K issue is the Financial Accounting Standards Board, which tells accountants how to represent the value of an organization's fixed assets.
Clark says finance officers are being told that if any biomedical equipment can't be proved to be viable for 2000, it may have to be written down substantially as "impaired" after 1998. In establishing millennium fitness, he says, "the equipment is guilty until proven innocent."
Fixed assets are usually depreciated over a long period based on their useful life. But if their value suddenly drops to zero, millions of dollars in assets could disappear from an organization's statement of assets and liabilities, he says. "If assets are lower than liabilities, you're bankrupt," he adds.
Chief financial officers are suddenly facing a double whammy from directives, Clark says:
Healthcare organizations may have to accelerate their Y2K plans to satisfy their lenders, racking up millions of dollars of expenses.
The inventory assessment will likely create a long list of impaired assets, which must be written down, further eroding the organization's finances.
The price of negligence. Banking and healthcare differ, of course, because problems in a hospital can threaten human life. And the penalty for looking the other way can be stiff, observers warn.
"These are foreseeable and preventable problems," Goldberg says. That unarguable fact is the source of Y2K liability.
The scale of the problem could parallel the savings-and-loan industry's fiasco a decade ago, he says. Not only was the final S&L tally enormous-a $502 billion bailout in an industry with $900 billion in assets-but it exceeded considerably the original forecasts of $150 billion to $300 billion.
When the horror stories start, regulators and state attorneys general will look for organizations to hold accountable, Goldberg says. "The fact that they didn't tell you on the front end how to deal with it will not prevent them on the back end from trying to zing you," he says.
Goldberg maintains that much the same scenario has unfolded with the federal government's Medicare billing compliance efforts of the past few years: Enforcers are applying judgment criteria retroactively, and they're increasingly treating liability as criminal.
Because regulators may look at Y2K liability the same way, he says, the compliance guidelines issued by HHS' inspector general may help hospitals and systems head off any regulatory punishment cooked up retroactively for Y2K.
But the legal arena looms as the main battlefield for the Y2K problem in 2000 and beyond. "Some people have likened the problem to asbestos litigation," says Robert Marshall, an attorney with Chicago-based Christensen & Ehret.
With advance warning, however, executives can act now to limit their future liability and protect against damage, Marshall says. Just as important, healthcare organizations can begin to document their deliberations and prove they acted to head off as many foreseeable problems as could have been reasonably expected, he says.
In a just-published book called The Year 2000 Health Care Survival Guide, authors Audie Lewis and Victoria Weingart warn that courts won't be sympathetic toward hospitals or other providers that haven't educated themselves on the issue and acted.
"Procrastination could be viewed as negligence on the part of healthcare providers who did not acquire information that was available to the whole industry," the authors write.
But, they add, if providers take every prudent precaution to protect their patients' well-being, courts will take that effort into account. "Healthcare organizations that have demonstrated a high degree of attentive care will probably not be held as accountable for injuries or deaths resulting from unforeseen Y2K problems," the authors write. "Courts and juries will probably recognize that some year-2000 injuries and deaths cannot be completely avoided."
Showing due diligence. When the lawsuits start flying, that high degree of attention will need to have been documented comprehensively and judiciously, Clark says. An audit trail of actions taken to mitigate Y2K problems, clearly and carefully written, will serve as a defense against charges of negligence and explain to the courts the reasoning behind decisions, he says.
For example, says Goldberg, "Hospitals want to be able to demonstrate they exercised due care, which is a defense to negligence in a personal injury or malpractice action."
In cases related to Y2K problems, documentation explaining priority-setting, advice from consultants and test results "will be the first line of defense to show you exercised due care," he says.
Documentation also will be critical when directors and officers are held liable for their fiduciary responsibilities, especially in for-profit companies suffering from Y2K-related consequences.
Goldberg says if a serious problem arises from an issue tagged as a low priority, courts will want to know the company's criteria for setting priorities.
If a good reason is shown, a judge generally will not second-guess the decision even if he or she might have reached a different one in the same situation, Goldberg says. That "business judgment defense" is widely used in business to guard against harm that results from the decisions of directors and officers, he says.
And that defense could substantiate a board's decision to look past some aspects of the vast Y2K problem. "Courts will respect those decisions if they're rational and documented," he says.
Clark is skeptical of the documentation efforts in the industry so far, however. "We have not found an organization that has a due-diligence record that would hold up in court," he says.
In an audit of industry preparedness, Clark's company called 10 prominent healthcare organizations and asked for an accounting of their Y2K planning. Nine of 10 had no comprehensive Y2K communications program to describe what they had done, he says.
They had no point of contact and no systematic description of their work. Worst of all, many freely admitted a lack of organization-not a good situation to disclose to a lawyer laying groundwork for litigation.
At Medical College of Georgia in Augusta, a due-diligence documentation process has paralleled all efforts to prepare for the year 2000, says Dwain Shaw, the school's director of information services and its Y2K project director.
The project has included a study of the business impact-"the `what if' drills"-and an assessment of all inventory that has computerized functions, Shaw says.
The university's president will get a "statement of reasonable compliance" by Dec. 31, listing the problems that have been corrected and those unresolved. Payroll and budget systems have a target resolution date of February 1999, he says.
But preparations are far from over. Between January and October, the Y2K effort will concentrate on contingency plans that work around mission-critical failures. A separate contingency plan is being readied just for New Year's Eve 1999.
"The hard stuff is out of the way. The harder stuff is just beginning," Shaw says.
The documentation and reporting efforts associated with past and future due diligence are so important that an internal auditor was recently hired to "look over our shoulder and make sure we're doing this right," Shaw says. The auditor reports directly to the facility's senior vice president and president.
"Our No. 1 goal is no harm should come to patients because of what we have done or failed to do in our preparation for the year 2000," Shaw says.
In that regard, he adds, "anything that you do to prepare for the year 2000 is exercising due diligence."