Integrators Eye $3B for State Health Care Fixes

Compelled by new federal regulations to modernize health care information management, state governments are expected to spend $3 billion modifying or replacing existing health care systems, a complex effort that many officials liken to the year 2000 challenge. States will have to comply with three sets of rules for the Health Insurance Portability and Accountability Act that either already have been issued or will be issued shortly. States must comply with data standards by Oct. 16, 2002, and with privacy standards by April 14, 2003. Security standards are expected to be issued later this year.The regulations also will require hospitals and other health-related organizations to improve information sharing and management, with early estimates putting the private-sector cost for HIPAA compliance at $15 billion. "We think there is a tremendous amount of work out there," said Paul Ryan, president of business technology services for Affiliated Computer Services Inc. of Dallas, which is forming partnerships around opportunities in both the private and public sectors. Iowa Chief Information Officer Richard Varn, who moderated a panel on the topic at the National Association of State Chief Information Officers' midyear conference earlier this month, said states will spend an average of $50 million to $60 million to comply with the law.But these are early estimates, and many states aren't far enough along in the process to know how much they will be spending, said Carol Kelly, vice president and service director of electronic government strategies with the Meta Group, Stamford, Conn. The actual amount is likely to vary from state to state, said Susan Calzoncit, principal consultant for the health care global industry group at Electronic Data Systems Corp., Plano, Texas.The compliance work is expected to take at least three years and perhaps as long as seven years to complete if compliance is slow or implemented in phases, said government and industry officials. Both sectors face a formidable compliance challenge that is being compared to Y2K, although with a new twist. "This may be more narrow than Y2K, but for the industry it affects, the volume of work involved is much greater," said Ryan, referring to the fact that the regulations will affect only health and human services and not all agencies.To meet the data standards, states must modify their health care systems to adhere to an industry standard for basic transactions, such as claims and payment, eligibility, enrollment, referral certification and authorization. The privacy standards require departments and agencies to establish procedures for protecting patients' privacy and to train their staffs in the use and disclosure of such information. The security standards, although not yet issued, are expected to require states to protect information systems, establish physical security of medical information, create audit trails and use digital signatures and data encryption for transactions. While compliance with the data standards that govern transactions might be completed by 2003, security and privacy standards present a more complex challenge."The security and privacy issues do not stop with implementation," said Tom Evans, president and chief executive officer of KMK Systems Technology Inc. of McLean, Va., a company that provides HIPAA privacy, security and transaction implementation and compliance services."That's the big distinction between HIPAA and Y2K," he said. In March, the National Governors Association asked Congress to revise the schedule so that states would not be required to begin implementing HIPAA until all the regulations have been finalized. It also asked Congress to establish a single, uniform date of compliance that allows states a sufficient and reasonable amount of time for implementation once the regulations have been issued. The administration has not yet acted upon these recommendations, said government and industry officials.If these recommendations aren't adopted, states may have to schedule projects sequentially, said NASCIO in printed material distributed to its members at the conference.At this point, very few states have completed work assessments, and fewer yet have appropriated funds for the work. States will rely on integrators to provide assessments, business process re-engineering and traditional systems integration across the health care enterprise, said government and industry officials."It's an opportunity for old-fashioned systems integration," said Georgia CIO Larry Singer, who said integrators should develop packages of complete solution sets to offer the states.Integrators have developed business models but have not yet begun to roll out compliant systems to the states, said Varn.Because the privacy and security standards "are not pure tech plays," integrators will be looking to partner with other companies, Evans said. "An integrator can play a role if it is willing not only to do the technical side but also the human side," said Evans, who predicted that large consulting companies and large law firms also will want to get a share of the compliance work. ACS wants to be a one-stop shop for HIPAA compliance, Ryan said. He said the company is pooling its resources with other companies that will provide the necessary software, security solutions and legal expertise to form a complete compliance package. He declined to name specific companies. EDS has completed various HIPAA services in about 12 states, said Laura Wooten, a company spokeswoman. NASCIO is encouraging states to take inventory of all health care-related systems. They range from large Medicaid systems to smaller systems found in county health departments, public schools, state mental hospitals and correctional facilities. States with older systems may choose to fully replace their Medicaid system, while others will choose to modify existing systems, said Margaret Martins, a vice president with Maximus' consulting group.While federal funds may be available to help states bring their Medicaid-related systems into compliance with the new HIPAA regulations, those funds will not be available to modify systems for other programs, such as state employee health insurance, said government and industry officials.HCFA reimburses states for 90 percent of the cost of design, development and installation of a new Medicaid system and 75 percent for its operation, said Rick Friedman, director of HCFA's division of state systems. To obtain federal matching funds, states must submit advanced planning documents for work totaling more than $5 million, he said.Although Friedman said HIPAA compliance that affects or applies to Medicaid management information systems will be eligible for the federal match, state CIOs and industry officials are not entirely confident this will happen.States are already submitting advanced planning documents to HIPAA with hope there will be matching funds available for HIPAA compliance as it relates to Medicaid systems.Calzoncit noted that Idaho estimated the cost of statewide compliance at $45 million in an advance planning document it submitted to HCFA last year.Calzoncit said the percentage of matching funds likely will be determined on a case-by-case basis. "Some states may be able to get a lot [of the work done] under the MMIS umbrella," she said.