Information Security News mailing list archives

HIPAA a hardship for health care companies


From: InfoSec News <isn () c4i org>
Date: Tue, 22 Oct 2002 03:58:08 -0500 (CDT)

http://www.nwfusion.com/news/2002/1021hipaa.html

By Paul Roberts
IDG News Service
10/21/02

A difficult economic climate may make it harder for health care
providers to comply with provisions of the Health Insurance
Portability and Accountability Act (HIPAA) in time for deadlines next
year, according to a report by the consulting company Frost &
Sullivan.

The independent report, "Effects of HIPAA in the U.S. Healthcare
Markets," studied three health care market sectors affected by HIPAA:
hospitals, managed care organizations and physician practice groups.

The study found that, despite an April 2004 deadline for HIPAA
compliance on patient privacy, IT spending remains a low priority for
hospitals and health care providers struggling for survival because of
the economy.

"This is something that we've seen fomenting over time," said Amith
Viswanathan, senior industry analyst for health care information
systems at Frost & Sullivan. "IT is a last priority item for
hospitals. It's a question of 'do we buy a new car or do we eat?'"

The growing medical needs of the large population of aging "baby
boomers," those born between 1946 and 1964, have combined with cuts in
federal Medicare reimbursements and increased payroll and operations
costs to constrain IT spending by health care companies, according to
Viswanathan.

"Hospitals are dealing with all kinds of operational issues, and
they're cutting spending for anything ancillary to patient care,"  
Viswanathan said.

Enacted by the U.S. Congress in 1996, HIPAA establishes national
standards meant to ensure privacy in electronic health care
transactions. The legislation, which is enforced by the Department of
Health and Human Services (DHHS), affects health care providers,
health plans and private physicians.

Since it was enacted, HIPAA has pushed hospitals and other health care
organizations to shift from older, mainframe technology and
paper-based processes to more efficient and secure systems that
improve patient confidentiality.

Providers were supposed to comply with HIPAA regulations regarding
medical transactions and code-sets, which indicate what type of
procedure was performed on a patient, by last Wednesday. Organizations
that were not in compliance with HIPAA rules by the deadline were
required to apply for an extension by mailing or e-mailing a form to
the DHHS before midnight Tuesday.

There was a rush of applications from affected companies for one-year
extensions just before last week's deadline, said Allan Carey, program
manager at market researcher IDC in Framingham, Massachusetts.

Compliance with HIPAA guidelines on patient privacy is required by
April 14, 2003.

Despite the effects of the tough economy on hospitals and physicians,
however, the need to comply with certain HIPAA regulations, especially
those concerning patient privacy, is expected to keep demand for
certain HIPAA IT and consulting services strong.

"The biggest issue for providers is privacy. Accreditation
organizations like JCAHO (the Joint Commission on Accreditation of
Healthcare Organizations) as well as the Office of Civil Rights are
going to be very concerned with (privacy). It's also a major market
for ambulance chasers," said Viswanathan, referring to attorneys who
will use violations of HIPAA rules by doctors, hospitals and insurance
providers as the basis for patient lawsuits.

For companies that sell HIPAA-related IT consulting services, the
report finds good prospects for products that address high-value HIPAA
compliance areas, according to Viswanathan.

For example, companies selling electronic medical record (EMR)  
products to secure patient data and electronic data interchange (EDI)  
products that streamline billing and reimbursement are likely to find
a willing market among hospitals looking to comply with HIPAA rules.

"We see the EMR business taking off as a gateway application,"  
Viswanathan said. "Hospitals can use it to measure an audit trail,
measure a log, measure user authentication and issue biometric access
passes if needed."

"With EDI, we were surprised to find that hospitals that typically
remit payment information to clearinghouses are looking to take that
process in-house. They want to see where their transactions are
going."

Beyond that, Viswanathan recommends that companies delivering HIPAA
services focus on training in areas such as privacy -- a service that
is desperately needed, but that won't break a hospital's budget.

"Privacy issues are among the least understood areas of HIPAA. They
generate the most questions and loopholes, and are the area of largest
liability," Viswanathan said.



-
ISN is currently hosted by Attrition.org
