The Health Insurance Portability and Accountability Act (HIPAA) is a sweeping piece of legislation that affects virtually every participant in the trillion dollar healthcare industry. A central question for industry participants, investors and financial analysts is how HIPAA will affect the business of healthcare. Who will be the beneficiaries? Who will need to make adjustments? Which companies can leverage HIPAA to improve their business?

Most of today’s concerns are focused on the changes to business processes and operations arising from HIPAA's privacy and security regulations. Armies of consultants and lawyers are working energetically "analyzing gaps" and offering "remediation." Mercifully, this will end by April 2003, when privacy regulations take effect. But how will HIPAA reshape healthcare information technology (IT), starting with the electronic transmission standards in October 2002 and ending with the introduction of uniform identifiers by around 2006? The next five years will bring an incessant need to modify and tweak software, with uniform identifiers alone requiring a Y2K-like effort. By anticipating and planning for HIPAA needs, software users can limit their costs and software vendors can increase revenues.

The segment immediately affected by HIPAA is payers, healthcare organizations like HMOs, health plans and third party administrators who accept, process and pay claims. Each is required to accept electronic transactions in HIPAA format. Most healthcare organizations use antiquated legacy systems that are difficult to modify. Many vendors who supplied their systems are no longer in business and each installation will require a unique custom programming effort to conform to HIPAA, making it both time-consuming and costly.

Yet there are a few adventurous organizations that have decided to "repair" their legacy systems, ignoring the fact that HIPAA's forthcoming uniform identifiers will be prohibitively expensive to implement. Why fix something if it is to be abandoned so soon? Switching to modern systems is an option but typically requires 24 months of extensive budgeting and planning. Reaching that decision is not swift and may not meet HIPAA's imminent deadlines.

Most payers are banking on the suggestion in HIPAA regulations that translators and clearinghouses can help accommodate the new electronic communication standards. There are two reasons why this may prove to be wishful thinking – and inordinately costly.

The first hurdle confronting translators and clearinghouses is the "extra fields" present in a HIPAA transaction that legacy systems have no room to retain but are needed to create a HIPAA-compliant transaction. Translators do not have the option of storing any data and, therefore, will fail to handle extra fields. Clearinghouses can in principle retain extra fields but this requires customization. Since clearinghouses use legacy technology, why would this fix be any easier than modifying payer legacy systems?

The other challenge for translators and clearinghouses is the presence of proprietary codes in legacy systems that handle business logic. It is estimated that Medicaid agencies around the country have 33,000 proprietary codes in use. Matching them uniquely with standard code sets defined by HIPAA is a complex challenge constructing "cross walks" to interpret the business intent. Translators, of course, do not offer that option and will fail to map standard codes to proprietary codes and vice versa.

Payers should also be aware of the cost of using a clearinghouse. Current experiences with clearinghouses are only for claims transactions, and costs range from $0.10 to $0.30 per transaction. When claims and eligibility inquiries are included, health plans may not want to pay on a "per transaction" basis and instead opt for a "per month" pricing to be able to budget their costs.

HIPAA privacy legislation has an unexpected and serious business ramification for clearinghouse users. Currently clearinghouses routinely sell patient healthcare data to other third parties claiming that revenue from such sales allows them to offer health plans lower transaction rates. Since HIPAA forbids such sales, isn't it reasonable to expect clearinghouse transaction costs to rise?

How does all of this impact a payer's business? Payer costs for meeting HIPAA's IT requirements will mount and payers will not see any immediate returns on investment in HIPAA activities. Absent new funding, payer organizations will have many difficult budgetary choices. As happened with Y2K, HIPAA investments may force postponement of many IT purchases, especially those not related to HIPAA. But Y2K was just a one-year phenomenon, while various HIPAA rules will continue appearing for the next five years or more. Imagine the havoc HIPAA will wreak on IT vendors if purchases are slowed for five years.

Providers, on the other hand, can easily side-step HIPAA's electronic standards by using clearinghouses or going back to using paper forms. While privacy regulations will affect providers, when all the interpretations are in, it will be no more serious than accepting current Medicaid contracts where similar rules are in force. Of course, uniform identifiers will affect physician and hospital systems, but they will have a few years to make the necessary changes to their software. In short, providers will not have a tough time complying with HIPAA rules. Costs probably will not be large, and compliance should not affect their bottom line seriously.

One would think that it would be the vendors in the payer segment who would benefit most from HIPAA’s IT initiatives. Unfortunately, most vendors have painted themselves into a corner: their software products rely on old legacy technology, and delivering HIPAA compliance is an arduous task. There is a legitimate fear that if the modified product is too expensive, customers may flee and purchase other products. Perhaps this is the reason why two established vendors of payer software have sold their interests and quit the market rather than invest to meet HIPAA's challenge. A third vendor bit the bullet and has announced the availability of a HIPAA compliant version of its product in which it has invested 275,000 hours (130 person-years). How much this new version will cost an existing customer is not known. Since the product still does not have uniform identifiers built into it, customers can expect another whopping bill in the next few years.

In short, HIPAA has the potential to drive legacy payer systems to extinction. Even without including uniform identifiers, legacy owners will be faced with a 50-150 person-year effort to fix their systems. Why not buy a new system with modern features with less of an investment?

There are other vendors who will benefit as well. Almost a dozen companies are offering translators. As pointed out earlier, vendors of translators will not be prime-time players in the HIPAA world because they are unable to solve the HIPAA issues of extra fields and proprietary codes. A considerable amount of programming effort is needed to build a data repository to store the extra fields, cross-walks to handle proprietary codes, and create links between HIPAA transactions stored in the repository and transactions in the legacy system. But they can still perform a secondary but useful function in creating HIPAA-compliant front-ends or assisting legacy users who are fixing their systems. For these reasons, and in spite of a favorable mention in the HIPAA regulations, the market for translators is limited.

The other business segment directly affected by HIPAA includes the clearinghouses. With the advent of Internet-based document transfer and languages like XML, pundits had pronounced EDI technology dead and clearinghouses as dinosaurs. But HIPAA embraced EDI affirming healthcare's comfort with old technology and breathing new life into the clearinghouse industry. But there are warning clouds on the horizon. Technical challenges and privacy rules may increase costs, and HIPAA may decide to endorse new web technologies, obviating the need for clearinghouses. The predicament of WebMD is unique and deserves mention.

Envoy, the clearinghouse purchased by WebMD from Quintiles will soon find itself in an impossible situation. The purchase agreement gives Quintiles rights to access all the data processed by Envoy, and the courts have affirmed these rights. Soon, according to HIPAA, Envoy will be forbidden to share patient healthcare information with Quintiles, without the express consent of each patient. Will Quintiles give up or be forced to give up its rights? Will WebMD be forced to abandon Envoy? Only time will tell how this plays out.

Clearly, HIPAA is of seminal importance with deep business implications. It will force changes to IT for the next five or more years that will take its toll on participants. But for the prepared, chaos offers an opportunity to forge ahead.

"Health Leaders EXTRA", at Health Leaders. Impact of HIPAA on the business of healtcare.

Retrieved November 20, 2001.