Wherever you turn, there's another consultant, trade association or technology vendor to remind you how much it will cost to comply with the Health Insurance Portability and Accountability Act of 1996.
Lately the focus has been on the likely expenses associated with several provisions of the regulations made final in April on privacy of personal health information. An oft-quoted analysis prepared for the American Hospital Association sets the five-year tab for the healthcare industry at $22.5 billion.
And that doesn't include the costs of preparing to send and receive eight standard insurance-related transactions electronically as mandated last October, or the expenses of imminent rules on securing personal data in computers.
Healthcare organizations with computer savvy, however, are looking for ways to fold those expenses into their ongoing operations, meeting compliance requirements on the way to other information-strategy objectives.
"We're not really looking at HIPAA," says Dan Weegar, director of technology services at Advocate Health Care, a nine-hospital system based in Oak Brook, Ill. "We're looking at information anytime, anyplace."
A Web-based network for clinical information is up and running throughout the Advocate system. That network has cost about $1.9 million to develop, but it comes with bonus benefits besides clinical-care improvement. Intertwined with the innovative access technology are security mechanisms that control entry to sensitive data, protect against intrusion and authenticate who's receiving information.
The network also avoids the cost of setting up separate units of service at each Advocate hospital. Instead, information is accessed and transmitted throughout the system over a secure "clear channel," which amounts to a protected tunnel in the Internet that prevents any unauthorized access, Weegar says. Additionally, the switch to the Internet tunnel, called a virtual private network, replaces a less reliable and higher-maintenance bank of modems that clinicians had to dial into for each use. The network is being operated at half the annual $230,000 cost of running the modem bank, he says.
The next step under way is to make the network available to physicians and other healthcare professionals from home or other remote locations through their personal Internet service provider or a direct dial-up connection, he says.
Advocate still has some gaps in security to plug (like many healthcare systems, it's undergoing a HIPAA "gap analysis"), but it doesn't foresee a substantial expense apart from plans already in the works, says Judith Miller, director of decision support and regulatory compliance.
"It's difficult to say what HIPAA costs, because we're doing this as part of our normal business," she says.
The way Richard Bagby sees it, the capital and implementation expenses involved in compliance with HIPAA are not nearly as extensive as industry estimates, which he calls "pure fantasy."
Bagby, chief information officer of PinnacleHealth System in Harrisburg, Pa., is more concerned about the costs related to waiting for information-trading partners to catch up. PinnacleHealth has been "aggressive" in preparing its information systems to send HIPAA-standard transactions and receive answers in standard formats, he says. But insurance-related transaction costs are likely to be higher during an industry transition period because some payers won't be able to receive the standard formats when PinnacleHealth is ready to submit them.
As a result, the healthcare system will have to pay healthcare claims clearinghouses to manipulate the information on bills according to the changing level of readiness among payers, he says. But those expenses will be short-lived, because as soon as payers are ready for standard claims data, billing transmissions can go straight through instead of detouring through a clearinghouse.
Varying degrees of readiness
HIPAA's impact, however, hinges on how much a healthcare organization has done already to consolidate, standardize and update business operations and information technology to support security and privacy improvement objectives.
The analysis commissioned by the AHA surveyed a cross section of hospitals and healthcare systems and found a wide disparity in the expected compliance burden, partly because of the range of anticipated changes to their information systems. The analysis was conducted by First Consulting Group, a Long Beach, Calif.-based healthcare information technology consulting firm, and covered five-year implementation and annual operating expenses of compliance with HIPAA's requirements for:
* Determining the minimum number of people and the minimum amount of information necessary to accomplish a medical treatment or business task using data that identifies patients.
* Ensuring that contractual agreements with business associates clearly require confidential handling of patient-identifiable information.
* Complying with state laws on security and privacy when those statutes are more stringent than HIPAA provisions.
In one case study, a six-hospital system planning fewer modifications than average to its information systems is expected to spend $411,000 per hospital, or nearly $2.5 million in all, to meet the privacy requirements. Because of its size and geographic spread over three states, a much larger coordination of effort is needed than in a typical single-hospital organization, but the healthcare system will be able to spread its costs across the six sites, the report noted.
By contrast, a large single-site hospital anticipating significant changes to a large number of information systems will have to spend $4.3 million.
The five-year cost to a midsize suburban community hospital anticipating significant changes to a moderate number of information systems was estimated at $1.5 million. For a small single-site hospital in the same situation, the projected cost is about $1.6 million.
PinnacleHealth and Advocate began their efforts several years ago to consolidate and modernize their healthcare applications and the communication networks that connect their many sites of care.
Under an outsourcing contract with Siemens Medical Solutions Health Services Corp., formerly Shared Medical Systems, PinnacleHealth merged three disparate information-technology infrastructures into one by creating a new system at one location with standardized files and processes.
Advocate executives recognized back in 1995 that the patchwork of information technology at its multiple locations throughout the Chicago area was very complex and hard to manage, says Bruce Smith, vice president and CIO. The healthcare system began to standardize its communications network in 1997, and subsequently it began standardizing core business applications.
Time is the enemy in compliance workload
Healthcare organizations that haven't done a lot of the basic foundation work won't have the luxury of implementing improvements over an extended period. In fact, some observers see the two-year window for HIPAA compliance as a principal obstacle to making the necessary improvements in a cost-effective way.
Information-technology projects have a natural life cycle of implementation, including measures to test their progress, make midcourse corrections and handle unforeseen complications, says John Houston, assistant counsel and data security officer at UPMC Health System, an 11-hospital organization based in Pittsburgh.
If a provider system has multiple implementations to complete or a long list of locations to include, chances are good that two years won't be enough to do the job in the normal deliberative fashion, Houston says. Shortening the deadlines would require substantially more staff and resources, increasing the cost disproportionately to the resulting benefit, he says. "If the deadline were a little longer, it would align the (projects and time frames) better."
Much of the compliance work would bring operational efficiency and business benefits to a healthcare organization, but the regulations would force spending just to meet compliance mandates, says Charles Steen, chief security officer for Catholic Healthcare West, a 48-hospital system based in San Francisco.
Steen says the dynamic is similar to the Y2K crisis, which brought significant gains to computer operations but at a high cost to CHW. "By the time we woke up to Y2K, which was about two years before midnight 2000, there was not enough time to do a coordinated plan on system development," he says. The same problem looms with HIPAA, especially in the area of standardized electronic data interchange.
CHW is consolidating business offices in several regions, and the best scenario would be to complete those consolidations in advance of the deadline for sending standard transactions, he says. That way the healthcare system could put in place whatever new information systems it had to purchase to match the new work processes while handling the HIPAA standards.
One consolidation effort, in Southern California, will be ready by this fall, but the others won't be completed in the time window of HIPAA.
That means CHW probably will have to spend extra money and energy on interfaces with a claims clearinghouse during a transition period before it can address the information system needs of the consolidated operations, Steen says.