The Coming HIPAA Crisis

HIPAA’s timetable has been known for years, but many organizations that the law covers are dawdling pitifully in preparing for compliance.
John Carroll


For the past five years, the Health Insurance Portability and Accountability Act has been chugging its way steadily through the corridors of power in Washington. Shepherded by two administrations against a well-organized coalition of health care associations eager to amend and delay implementation of the act, HIPAA has been steadily gathering steam as it heads down the track toward the final deadlines for compliance.

But over the past few months — with the health care industry entering the final 12-month stretch before the first round of deadlines — it has grown increasingly clear that the timetable for implementation is likely to leave many companies far behind. It isn’t the portability aspect that is at issue; it’s accountability, specifically the technical transaction rules and also privacy and security concerns.

In survey after survey, the information technology experts — those supposedly marshalling forces and dollars to bring hundreds of software systems into compliance with a complex set of transaction and privacy standards — are replying in large numbers that they have yet to outline even a rudimentary plan of action for compliance. Just about the only center of intense activity can be found on Capitol Hill, where legislators and industry lobbyists again are lining up on opposing sides over a new effort to delay the electronic-transaction deadline by up to two years.

The health care industry has until Oct. 16, 2002 to prepare for the transaction and code-set standards, and until April 2003 to meet privacy rules. “Most of the industry won’t be ready,” warns Matt Duncan, health care analyst for the Gartner Group.

HIPAA had long been touted by Health and Human Services officials as a big moneysaver, a promise to standardize and streamline electronic transfers as it built a firewall of security around private patient information. It was also viewed by a legion of health care consultants and the swelling ranks of software vendors as a multibillion-dollar bonanza, as health care organizations were expected to rush forward to meet federal deadlines.

But HIPAA — 1,500 dense pages of rules bristling with hefty civil and criminal penalties — was far from popular in health care circles. Trade and professional associations for providers, managed care companies, and others armed their lobbyists with position papers outlining the steep cost of compliance. It’s a familiar litany: The Balanced Budget Act, with funding cuts, still weighs heavily on the industry; Y2K compliance is a fresh and financially painful memory; and HHS has been slow to issue clarifications of the rules. Added to the mix early this year was a widespread hope — if not expectation — that an avowedly business-friendly Bush administration would push back deadlines and soften requirements, scaling back the cost of compliance.

When the Bush administration stunned health care lobbyists with its decision to stick with the deadlines after all, analysts thought the industry would finally adopt a sense of urgency.

They were wrong again.

No direction from top

By the time the Gartner Group took the industry’s pulse on HIPAA compliance in July, the situation was borderline catatonic. More than 40 percent of payers and providers hadn’t even staffed their compliance committees to start drawing up a plan to meet mandated deadlines. Management was being left in the cold; fewer than half of those surveyed had accomplished the basic step of detailing compliance requirements for their CEOs. Only 1 in 10 of the organizations Gartner surveyed had begun contracting with vendors for what they needed to get in line with the new regulations.

“To not even have formed a compliance team at this late date is almost inconceivable,” wrote Duncan. The bottom line: “The health care industry will not be ready for HIPAA by the October 2002 transaction deadline.”

Since the summer survey was completed, says Duncan, matters actually have grown worse. In September, Gartner surveyed more than 100 chief information officers in state and local government agencies affected by the HIPAA regulations; 6 of every 10 said they were unaware of any statewide HIPAA-mobilization efforts.

Those “don’t know” responses are “the biggest indicator to me that they are so early in the process that most don’t even have a budget,” says Duncan, who sees it as yet another reflection of the widespread lack of preparedness.

Even organizations trying hard to achieve compliance will find themselves in a tough spot, Duncan adds. Most are expecting their software vendors to come up with the HIPAA-compliant upgrade patches needed to toe the new federal line. But from what he’s hearing, most of those vendors won’t be delivering until the first or second quarter of 2002. Big organizations with up to 150 software systems to test will find that they have little time for what will be a monumental task.

Add to that the demands of payer organizations that will need to test their links with providers, a group that is largely believed to be bringing up the rear in compliance efforts.

“It’s what we call the HIPAA ripple effect,” says Duncan. “There’s too much work for most of the industry to be ready.”

Duncan’s colleagues in the world of health care consulting are quick to concur.

“We think health care organizations should be a lot further along than they are,” says Kevin Malley, a HIPAA expert and partner at PriceWaterhouseCoopers. “By and large, the efforts are very organization-specific and focused on remediation, which will delay the potential for achieving long-term efficiencies and savings.” Many are still organizing first-step efforts to see what needs to be done.

The few

But not everyone is sliding helplessly toward the deadline. Many groups, especially the larger, deep-pocket health plans, have invested the time and effort needed to understand how HIPAA works and what they must do to avoid sanctions. Nevertheless, precious few companies are attacking it in the pioneering spirit the federal government envisioned, by focusing on the long-term savings of higher efficiency through better technology, according to Duncan. With few exceptions, he says, the best that can be expected is a minimal effort aimed at avoiding sanctions.

In some MCOs, there may not even be enough money for the transition. A group of analysts at Conning & Co. concluded in August that “Even under the best of circumstances, many industry players will not be able to implement all the new privacy requirements in a timely fashion, especially because states are free to enact standards that are more strict than federal [regulations].” Conning therefore sees this legislation as “spurring even more industry consolidation, as smaller, less technically capable and financially constrained plans will seek merger and acquisition partners.”

HIPAA, says Conning’s Samuel Levitt, “really raised the bar significantly. I think people are quite amazed at what [HHS Secretary] Tommy Thompson came out with in July.”

But if health care companies have been sluggish to begin work on HIPAA, lobbying in Congress has once again flared into a full-scale assault now focused entirely on the deadline.

“Members are hearing from hospitals that deadlines are coming up too quickly,” says a spokesman for Senator Ted Kennedy. And that has pushed the powerful Massachusetts Democrat into a camp that is pushing a 6- to 12-month extension of HIPAA’s transaction standards. But Kennedy is fighting any wholesale retreat from HIPAA. Says Kennedy’s spokesman: “He has serious concerns about extending the privacy deadline.”

AHA’s interesting turnabout

Whatever hospitals are saying to their representatives, though, the American Hospital Association — which mounted a furious assault on the privacy side of HIPAA — says any attempt now to push back the transaction deadlines in 2002 would hurt hospitals that had already spent big on HIPAA.

“Because of their potential for long-term efficiencies and cost savings,” a coalition of hospital groups including the AHA wrote to lawmakers in late September, “Congress should not delay the electronic standards beyond the October 2002 compliance date.”

Smaller health plans have an extra year to achieve compliance, says the group, and if any health care company needs more time, HHS has the option of simply delaying enforcement.

The letter drew some quick and powerful support in Congress. A group of legislators including Charles B. Rangel, the influential New York Democrat, and Fortney “Pete” Stark, ranking member of the House Health subcommittee, circulated a letter of its own citing the hospital groups’ position and touting the administration’s estimate that HIPAA transactional standards ultimately would save the health care industry close to $30 billion over 10 years. “If these provisions are delayed … private payers and, ultimately, all Americans will needlessly continue to pay for the inefficiencies inherent in the current Byzantine system.”

AMA wants a delay

The American Medical Association and others are fighting back, gaining support and in some cases finding members in the House who are willing to consider a two-year delay. HHS has been too slow to outline specific rules for HIPAA compliance, they complain. And time is short.

“We know parts of the system aren’t going to be in compliance by the deadline,” says one Washington insider working for an extension. And the prospect of widespread violations is fueling much of the effort to roll back fast-approaching compliance dates.

Some of the analysts, though, say that any extension won’t be enough to get the health care industry ready for HIPAA. Moreover, if organizations aren’t working on the issue now, gleaning more time from Congress will do nothing to build a sense of urgency.

If HIPAA is delayed for a year, says Malley of PriceWaterhouseCoopers, “Organizations should recognize it as a delay in the compliance date, and not a delay for initiating implementation efforts.”

Ultimately, though, if Congress doesn’t force an extension, the feds may just leave deadlines where they are and provide a de facto grace period. Come next October, the federal government may content itself by taking a poll of the industry to see how compliance efforts are coming along, says Duncan. Then it may step back for a few months and wait until 75 or 80 percent report compliance efforts to be complete — then send in the enforcers to select a few companies to punish as a public example.

For anyone caught in the cold of noncompliance, the pain could be considerable.

A big organization could face sanctions of “a million bucks or more,” says Duncan, who does see signs of a new sense of urgency in the industry. But it may well prove too little too late.

One thing is certain, says Levitt: Until Washington decides exactly whether there will be changes to HIPAA’s privacy and security provisions, it’s unlikely that many organizations will make the voluminous new set of rules a big priority.

“No one wants to start working on it if they’re going to change the details.”

John Carroll is a free-lance writer in Dallas.