ACROSS THE DIGITAL NATION

Although the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, the effects of this monumental legislation are only now being felt across the nation. With Congress providing additional legislation and imposing compliance deadlines in 1999, HIPAA is a major priority for public and private health care organizations. There is now an April 2003 deadline for health care organizations to be compliant with the privacy components of the bill.Consequently, a few analysts have likened HIPAA to the year 2000 computer problem, requiring massive expenditures to bring organizations into compliance with the legislation.The major tenets of HIPAA are clear: improve health care delivery by providing standardized processes and formats for data exchange, and develop strict security measures for privacy and accessibility of patient information. The legislation is aimed at offering administrative simplification through data standards and electronic dissemination, development of unique patient identifiers, creation of privacy layers and boundaries for patient information, and penalties and enforcement procedures for those organizations that are not compliant after the deadlines have passed.Clearly, HIPAA's biggest impact in the state and local government marketplace will be within departments of health. These agencies are responsible for the vast majority of health-care-related tasks in the public-sector marketplace. In particular, HIPAA will affect the two largest public-sector programs: Medicaid and Medicare.However, the HIPAA footprint extends well beyond these two blockbuster programs and into other key agency areas, such as mental health, alcohol and substance abuse, and children's health services. The legislation also will affect other public-sector entities, from corrections to youth services to education.Despite the impact HIPAA legislation will have on government entities, there has been relatively little progress to ensure compliance. A survey conducted last spring of officials within state and local departments of health revealed the majority of public-sector organizations (70 percent) characterized their progress as just starting or uncertain. A handful of survey respondents (5 percent) indicated they have completed or are nearing completion of the first wave of deadline requirements. Only 25 percent indicated they are actively involved in compliance procedures.Still, a number of states appear to be making gains. A consortium of seven departments of health are working together to share best practices, research and processes for technology remediation, consulting and privacy guidelines. States such as Washington and Connecticut have developed an organized strategy to address the standardization, privacy and unique identifier issues of HIPAA.Washington, for example, has devoted significant space online to build a community of HIPAA participants, holds readiness forums and is developing outreach services to help local government compliance efforts. Connecticut also has established a coordinated procedure for participation across state agencies and estimates that HIPAA may affect more than 30 state departments.The public sector is not the only one moving slowly. Early data from private-sector organizations shows 85 percent of health care providers have yet to complete readiness assessments or gap analyses. More surprisingly, 84 percent of private-sector organizations expect vendors to supply compliance services under maintenance contracts.Additional data reveals 55 percent of health care organizations believe a one-year extension followed by a six-month transition period will provide enough buffer to facilitate compliance.Given this market dynamic, the true market size for opportunities related to HIPAA is unclear. The timing of these opportunities may be even less certain. In many respects, there has been a major uptick in legal action to delay and limit the HIPAA footprint.Despite these issues, there will be numerous requests for proposals by government agencies seeking assistance with HIPAA over the next two years. But the questions remain: Is HIPAA a tidal wave, and when will it hit the shore?