Week of May 1, 2000 From the Houston Business Journal

Medical mandate Hospitals face costly new rules after Y2K compliance Tanya Rutledge

Susan Stone and the rest of the compliance team at Texas Children's Hospital spent long hours preparing for the year 2000. And although Y2K came and went without a glitch, Stone's group had little time to rest.

The looming Health Insurance Portability and Accountability Act, dubbed HIPAA, is certain to become a further drain on resources of cash-strapped health care organizations.

The new HIPAA standards, expected to go into effect later this year, will require health providers to ensure the privacy of patient information that is transferred or stored electronically. They will likely force hospitals and other organizations to create complex encryption systems for health records. HIPAA may even require health care organizations to install new hardware and software and will likely change the way they do business, say industry experts.

"We couldn't even devote any energy to this until after Y2K because our resources were already tied up," says Stone, director of audit and compliance services with Texas Children's Hospital in Houston. "We didn't take a breather between Y2K and this. We literally started working on it (HIPAA) on Jan. 2."

The U.S. De-partment of Health and Human Services, which is implementing the act, estimates that the overall cost to providers and health care plans of complying with these new rules will amount to about $3.8 billion over the next five years -- about $400 million which will add up this year alone. Specific figures for the Houston medical community were not available.

Most Houston-area hospitals and health care pro-viders have al-ready turned their attention to the issue and say they are fearful of its financial impact on their already-struggling bottom lines.

Stone says Texas Children's was able to leverage its existing project management structure and key personnel which had been put in place for its Y2K compliance project. But she expects a further drain on financial, personnel and time resources once the HIPAA project gets into full swing by late summer.

FULL ASSESSMENTS HIPAA was actually passed in 1996, but the U.S. Department of Health and Human Services is only now determining the standards under which the act will be implemented. The first set of standards is expected to be released by late summer and will give health care organizations two years to comply.

"Twenty-four months to comply is actually not a lot of time," says Janet Covington, a manager with Arthur Andersen's technology risk consulting group in Houston. "There are going to be some pretty sweeping changes required."

Covington says a lot of the technology-oriented work that health care organizations did for Y2K can be leveraged to meet HIPAA requirements, but she points out that in addition to technology changes, a bigger piece of the pie will be re-evaluating the way business practices are carried out so as to protect health information.

Brenda Strama, a partner in law firm Vinson & Elkins' health industry group in Houston, points to nurses' stations, where payment and health information like crucial lab results is input behind a desk and is fairly visible to other patients. She says some health care entities may have to change the location where such information is input, or re-build the open areas to create more privacy.

That would be in addition to overhauling the hardware and software systems used to store and transfer the information.

"Companies are going to have to go through a full assessment of their current systems, from internal computer security, to policies and procedures that restrict physical access to information, to password access for electronic information," Strama says. "And it's incredibly ironic that an estimated $4 billion in expenditures is going to come at a time when I don't know of any hospital that's not hurting financially."

`BIGGEST FORCE' Many hospitals have indeed been bleeding red ink lately, due largely to the Balanced Budget Act of 1997, which significantly reduced the amount of money the federal government pays hospitals to treat Medicare patients.

"This is coming at a time when we are all trying to keep our health care costs down," says Connie Wallace, business practices officer at Methodist Health Care System, which hired a consultant last summer to help the organization deal with HIPAA. "One of our consultants has said that his firm believes this might cost three to four times what Y2K cost. It's difficult to predict at this point what impact the changes will have on us, but we believe they will be substantial."

In fact, Wallace says Methodist will have a full-time employee on board within the next few weeks whose job will be solely to deal with HIPAA.

And although the bulk of this year will be spent evaluating technology while awaiting finalization of HIPAA standards, health care officials say they are extremely worried about compliance issues. As a result, industry seminars on HIPAA have been selling out for months.

For example, a downtown HIPAA seminar sponsored last week by Vinson & Elkins was packed to capacity. Fifty attendees had to watch the seminar over closed-circuit TV, and another 15 people were on a waiting list.

And Eye on Info health care columnist John Morrissey recently called HIPAA the "biggest forced revamping of health care operations since Medicare."

Strama points out that health care won't be the only industry affected by HIPAA. Employers that deal with sensitive health information on their employees (which comes into play when an employee is appealing a decision regarding health care coverage) will also have to deal with certain compliance issues.

"This is going to require a change in the way we think about health information across the board," Strama says. "I think it's bigger than a lot of people in all industries realize."

http://www.bizjournals.com/houston/stories/2000/05/01/story3.html

-- Martin Thompson (mthom1927@aol.com), May 01, 2000