HIPAA and MCOs: Administrative Simplification or IT Modernization?

Health Management Technology, Oct, 2001 by Jacob Kuriyan

A minefield of technology options is available to HMOs and health plans.

Title II of the Health Insurance Portability and Accountability Act (HIPAA), also known as the "Administrative Simplification Act," sends three different messages to the healthcare industry: become efficient by standardizing codes and using electronic transmission; eliminate fraud and abuse; and preserve patient privacy.

In the first set of regulations to take effect in October 2002, HIPAA specifies the format of certain electronic transactions (such as enrollment, claims, authorization) and forbids the use of anything but standard code sets. The second set pertains to privacy and will be in force by April 2003. Security issues are still being finalized with an estimated time for enforcement of 2004. The last part where payors, employers, providers and patients are assigned unique national identification numbers should take effect by 2006 or earlier.

Short-Term Solutions, Long-Term Risks

While HIPAA affects virtually every participant in healthcare, it is fair to say it will be payors, HMOs and health plans in particular who will first feel its impact. Providers, for example, can delay HIPAA's impact by merely resorting to paper transactions or using clearinghouses as intermediaries. Payors have no such option. If a provider sends a claim electronically to a payor in a HIPAA-compliant format after October 2002, HIPAA requires the payor to accept and process it.

This sounds simple, but many HMOs and managed care organizations use legacy systems to manage their business affairs and their COBOL and MUMPS-based systems lack the flexibility to meet HIPAA's requirements. Costs of changing legacy codes can be considerable and implementing changes can result in serious downtime, affecting production and raising costs. Moreover, HIPAA is not a singular event. HIPAA regulations will continue to appear over the next five years and the cumulative financial toll on legacy owners can be large if change is not planned and executed properly.

The focus of many "HIPAA scare conferences" seems to be on changing business processes to avoid fines and jail terms. Even when IT costs are discussed, they are limited to the first set of regulations--compliance with electronic standards of communication--and waved away as a simple matter of acquiring a "translator" or engaging a clearinghouse. Payors are in for a surprise if they analyze IT costs to comply with all the anticipated regulations from HIPAA.

What are the options available to legacy owners? How expensive are they? Is it necessary to abandon current systems? HIPAA is a five-year process of continual changes. How can business disruption be minimized? How can healthcare organizations maximize return on HIPAA-related IT investments? Some legacy vendors have realized the difficulty of complying with HIPAA and have sold their companies. Their abandoned users are virtually orphans and must switch systems. How can they win time for making such a complex decision?

Legacy Options

The HIPAA regulations contain a suggestion that health plans can meet the October 2002 deadline by using translators and clearinghouses. This is an over-simplification, and legacy owners who adopt this route will encounter serious and subtle problems.

Typically, a HIPAA transaction file has many more data fields than are found in legacy systems. Translators and clearinghouses will "drop" these extra fields because of the inability of legacy systems to accept them. Without these extra fields, legacy systems may not be able to reconstruct and transmit a HIPAA-compliant transaction. To store and have the extra fields ready for reuse is necessary but a serious technical challenge for legacy systems.

HIPAA requires that the codes used must conform to its standards, which may pose a challenge to legacy systems that use proprietary codes as a substitute for business or processing logic. Clearinghouses have adapted by offering custom interfaces to accommodate proprietary health plan codes and translators will be forced to customize as well.

An important factor often overlooked is that clearinghouses that provide such service will process more than claims and, therefore, cost more to health plans. Based on current market rates, health plans that use clearinghouses will spend an additional $1 to $2 per member per month. While this is not outrageously high, it will have a perceptible effect on bottom lines and there will be an urgency to finding a more permanent solution.

Given enough time and funds, it is possible to make a legacy system conform to HIPAA transactions. There are, in fact, many consulting organizations offering such services. But is this a good investment? Not really, especially if you consider what HIPAA has in store in the form of uniform identifiers.

When HIPAA's uniform identifier rules come into force (estimated around 2004), legacy system users will find it prohibitively expensive to comply because there are four fields that will change, both length and format, and each one will require a Y2K-like effort. Time is also an enemy. If, in a few years, the entire legacy system must be abandoned, how much sense does it make to invest in them today to meet HIPAA's transaction standards?