HIPAA Deadline Comes And Stays

The following report, which appears in the current edition of GovernmentVAR, looks at how Medicaid agencies worked with their integrators to come into compliance with the most challenging aspect to date of the Health Insurance Portability and Accountability Act of 1996. A study just released by Input reveals states will increase spending on health-care IT outsourcing by 17 percent. HIPAA will contribute significantly to that, according to Input analyst James Krouse.

Savvy IT health-care pros know the Oct. 16 date in no way signaled an end to the challenges surrounding HIPAA. For starters, not all providers, payers and state Medicaid agencies reached compliance, and now they are working overtime to get there. Also, many of those that did comply banded together to reduce costs and now face pressure to keep expenses in line going forward. Additionally, the Centers for Medicare and Medicaid Services (CMS), which has jurisdiction over HIPAA, plans to revise the standards on an ongoing basis.

This second deadline was significantly more complex than the first one last April, which mandated the enforcement of privacy policies and required more process changes than IT overhauls. The most recent compliance obligation requires that patient data be exchanged electronically via standard X12 electronic data interchange formats rather than using proprietary data interchange fields. Meeting this goal required years of work on various back-end systems by state Medicaid agencies and their government contractors, as well as their commercial counterparts.

Not surprisingly, many providers were unable to fully complete testing of their standards-based transactions by Oct. 16. That prompted the CMS last month to implement a contingency plan to accept noncompliant claims, citing the "unacceptably low number of compliant claims being submitted" as its justification.

"Certain provider groups and some billing [entities were] not going to be ready to submit compliant claims," acknowledges Ray Hanley, vice president of EDS' state health and human services (HHS) business. That will affect even those states that have been ready to handle HIPAA transactions for some time, including Delaware, Oklahoma and Vermont, Hanley says. "States need to help address the providers that are not billing HIPAA-compliant claims, whether that means providing workshops or technical assistance," he says.

In all, EDS has handled the HIPAA work of 17 states. "There's a lot of common architecture there," Hanley says.

A Team Effort

Some of the state agencies that managed to meet the deadline to implement the new HIPAA standards, also known as Transaction Code Sets (TCS), were able to do so because they joined together in a unique partnership with other states and their government contractors. This helped them navigate another challenge: The states have faced deficit conditions for two years and counting. And though the federal government funded much of the heavy lifting, keeping costs down over the long term is critical because states will have to foot the bill to maintain and update the systems for years to come.

Integrators and customers frequently compare the current HIPAA TCS readiness effort to the Year 2000 remediation efforts of the late 1990s. "It's the health-care version of Y2K," says Greg Baroni, president of Unisys' Global Public Sector practice. Those running IT organizations in state Medicaid agencies agree.

"I would say it exceeded Y2K by a factor of at least three," says John Calabro, CIO of the Oklahoma Health Care Authority (HCA). "It's a very significant project."

Oklahoma's HCA is one of several state Medicaid organizations that saved money by leveraging the work of other states. EDS reused much of the work it had done for other clients, including Delaware, Indiana and Vermont.

In another example, Unisys developed a system called Healthcare Payer Administrative Solution (Health PAS) for Kentucky. Based on reusable software components, Health PAS helped Unisys recently win a contract with West Virginia. "A number of states like West Virginia are facing budgetary issues, so they decided to compete, and they elected to go with us," Unisys' Baroni says. "We've basically given them access to our new custom-designed claims-processing system."

In Kentucky, Unisys was able to preserve an existing mainframe-based claims-processing system by building a midtier Web application based on Microsoft Windows 2000 Data Center Edition, using SQL Server and hosted on Intel-architecture computers. Another key component was Microsoft BizTalk Server with HIPAA accelerators, which essentially translates proprietary data formats into those based on the HIPAA TCS standards, using Web services.

Health PAS let Kentucky link its CICS transaction-processing platform and legacy VSAM files onto the PC platform. That was critical because Kentucky wanted to keep its Cobol-based systems, says Doug Fee, a senior engineer at Unisys, charged with administering the state's Medicaid management system. "All we do is take the Cobol code off the mainframe, recompile it on the PC server and, boom, more or less it was working," Fee says. Some changes, such as replacing the VSAM database with SQL Server, were necessary. In addition to sharing the application-development work, the servers for both states are hosted in a common data center Unisys operates in Salt Lake City.

Kentucky and West Virginia aren't the only states sharing app-development efforts and a data center for handling Medicaid transactions. In Oklahoma, EDS built a system called interChange Medicaid Management Information System, based on one deployed in Indiana, Oklahoma HCA's Calabro notes.

Subsequently, neighboring Kansas signed on with EDS, and the two states agreed to co-locate their infrastructures in Oklahoma, which reduced their costs and those of EDS. They share common data centers and network infrastructures, although they run separate application platforms.

In New England, meanwhile, Connecticut, New Hampshire, Rhode Island and Vermont are all EDS clients working in a shared environment, says Pat House, CIO for Vermont's HHS agency. Not only do they share a data center, but the states are collaborating on application development. House says the team effort reduced Vermont's cost of building a HIPAA-compliant system to just $8 million from $22 million.

While much of the work from state to state is reusable, it by no means is a cookie-cutter process. Although the four New England states are using the same HIPAA accelerator from SeeBeyond, the states have different back-end systems. Vermont recently switched from an Ingres database to IBM's DB2, while New Hampshire runs its system on Oracle databases.

One of the key decisions CIOs at HHS agencies have to make is on the HIPAA accelerator. Besides Microsoft, key providers of HIPAA middleware include Mercator, SeeBeyond and Sybase. The middleware assures that proprietary data formats are translated into HIPAA codes, and it links to other systems, including databases and CRM applications, says Richard Garcia, SeeBeyond's health-care marketing manager.

Many organizations are using HIPAA accelerators to link payers and providers directly, rather than go through third-party processing companies. Oklahoma is using Sybase's HIPAA Studio to handle compliance checking and standardize the format of the data. "In our internal systems, we completely made our system handle all of the data fields that are in HIPAA," Calabro says.

The agency, which is standardized on Oracle, had to modify many of the databases for the new fields, he adds.

Germane Issues

Meanwhile, another deadline for the secure transmission of medical information is set for April 2005. Some states, such as Oklahoma, have a head start because data already is exchanged over the Internet through a secure Web connection.

While firewalls and encryption are a given, there are ways to add extra layers of security. Kentucky is using Layer 7, or application-level, security, provided by Unisys, which had discovered a product called Teros-100 APS from Teros. The system can identify unusual behavior in any type of application data, regardless of what language the code was programmed in.

"We needed something that will help us on this front end to make sure we don't have any personal health information slip through the cracks," Unisys' Fee says.

The implementation of national provider codes is another issue, says Kay Holmes of Delaware, the first state to officially deploy a HIPAA-compliant Medicaid claims-processing system. There's also a need to replace local procedure codes with national ones. "Every state is trying to accommodate all these changes," Holmes says.

Looks like the market for HIPAA solutions will remain healthy for some time to come.