It's like the Chiquita banana sticker for healthcare software: "I'm HIPAA-compliant," the product claim calls out to anxious buyers.
But declarations by healthcare information technology vendors that their products are in sync with new federal regulations may be premature. That's the cautious view of many providers, and even some vendors, who believe the best phrase to keep in mind when shopping for new software is not "HIPAA-compliant" but "buyer beware."
As regulators continue to complete and debate provisions of the Health Insurance Portability and Accountability Act of 1996, the companies that provide information systems to hospitals are not waiting around. They are poised to pounce on a market that may need new computer systems to comply with the electronic data standards and privacy regulations set forth by HIPAA.
According to a raft of vendors at the annual meeting of the Healthcare Information and Management Systems Society held earlier this month in New Orleans, compliance with HIPAA's regulations can be helped along, if not entirely achieved, by using new software.
Many at the meeting urged a guarded approach to such promises, especially because some of HIPAA's regulations have yet to be completed.
"For (vendors) to say they are globally HIPAA-compliant would have to be an overstatement," said Pamela McNutt, chief information officer of Methodist Hospitals of Dallas and a HIMSS board member.
On behalf of its members, the American Hospital Association is beginning to evaluate the software vendors as well as the law firms and consulting companies offering compliance services.
Until it has completed that assessment, the AHA is "advising members to be cautious and to thoroughly evaluate a (vendor) proposal to make sure it meets their needs," said Melinda Hatton, Washington counsel for the AHA.
The degree to which software products can throw a lifeline to hospitals' compliance efforts may depend on the regulation, observers agreed. HIPAA's standards for electronic transactions, published in the Federal Register last August, are perhaps most conducive to a software-based solution.
"As far as the transactions and code sets, I believe many vendors can create a standard claim form," said Lisa Dahm, a healthcare lawyer and senior manager of HIPAA services and regulatory compliance at the consulting firm Deloitte & Touche.
However, she added, "whether or not the vendor is collecting all the data required for that claim form is still questionable."
Dahm and others advised hospitals not to automatically accept a vendor's word that its electronic claim form can capture all the data providers need to document encounters and send clean claims.
HIPAA's more complex privacy regulations, which were made final late last year, are less likely than the electronic standards to be satisfied by installing new systems.
"There is technology available that can help people implement their policies pursuant to privacy, but there is no such thing as a privacy-compliant application," said Shannah Koss, solutions and strategy executive for IBM's HIPAA practice.
The privacy regulations require healthcare organizations to develop policies and procedures that protect patient confidentiality, restrict the information physicians can share with one another, and allow patients to review and request amendments to their medical records.
Providers' understanding of HIPAA regulations is growing, but there is still room for improvement. According to HIMSS' annual leadership survey, for which preliminary results were released at the group's conference this month, 30% of respondents said they are "highly knowledgeable" about HIPAA's requirements, compared with 13% last year.
Yet to be completed are HIPAA's security regulations, which will require healthcare organizations to strictly control access to patient files and install systems to authenticate the identity of caregivers before they view patient information.
"There are a lot of things in the security regulation that we want to do anyway," said Methodist Hospitals' McNutt. Common-sense measures, she added, do not require waiting until all the regulations are complete. At Methodist, McNutt is "proceeding full steam ahead" with security projects such as hardening the perimeter of its computer network.
For those working on HIPAA compliance with vendors, McNutt advises a methodical approach.
"Smaller organizations without someone focused on HIPAA might be lured into the HIPAA stamp-of-approval approach and not spend much time or effort understanding the depth of the regulations," McNutt said.
Providers need to investigate vendors' claims, McNutt said, and get assurance that the product under consideration is available and installed at a customer site.