Home > Medical
Billing Resource Center > HIPAA IT Costs for Government
A
Disaster Aspiring to be a Catastrophe
HIPAA
IT Costs for State and Local Governments
A
White Paper
By
Physmark Inc.
800-920-7060
www.physmark.com
September 2002
Copyright Physmark Inc.
Executive Summary
Many state and local government operations own and use old, otherwise known as "legacy", systems to handle patient healthcare data. They must now decide how best to address HIPAA's requirements. HIPAA regulations suggest the use of a "translator" to meet HIPAA's transaction standards but what is not made clear is that it also requires modifications to legacy software, creating a unique and expensive custom solution.
Most state HIPAA-IT efforts have been confined to Medicaid departments, primarily because the federal government’s CMS (Center for Medicare and Medicaid Services as the old HCFA is known now) has been funding and taking a lead in ensuring that state Medicaid systems are compliant in time. Led by various fiscal agents, there has been little interest in searching for low-cost solutions and state Medicaid agencies have bought into the fiscal agent line, "The Feds are picking up the tab. Why worry?" To expedite HIPAA compliance, CMS has been awarding these contracts on a sole source basis to Medicaid fiscal agents, in spite of the requirements of the Federal Financial Participation laws that competitive bids are needed when amounts are in excess of $1 million.
These sole-source and gigantic awards (over 20 times what CBO and OMB projected in the HIPAA regulations) have the unintended effect of legitimizing high costs for HIPAA compliance and state government estimates have also risen proportionately. With most state budgets frozen, the only way to meet these new costs is to raid other budgets, i.e., rob Peter to pay Paul. HIPAA costs will result in reduction of overall healthcare services. But if these estimates are unchallenged then they will also affect services rendered by other departments of state governments.
This white paper examines why these costs have risen and recommends what can be done both in a technical and operational sense to minimize costs. An obvious suggestion is to seek a statewide uniform solution, to eliminate redundancy and limit duplication. But the administrative challenge for a state, and a difficult one, is to create a "super department" that straddles the many state departments affected by HIPAA to coordinate and implement such a statewide solution. Since states are budgeting between $50 million and $200 million for HIPAA compliance, the projected savings can be a substantial incentive for operational changes in administration.
Mere theoretical discussions of potential savings can
be dismissed as wishful thinking by those involved in the current
expensive HIPAA
remediation efforts. Repudiating this criticism, Physmark's HIPAA Appliance™ serves
as a practical example of these suggestions to help state and local
governments achieve HIPAA compliance. Estimated cost savings vary,
but are substantial - about 50% to 90% of comparable translator-based
solutions.
The new federal healthcare regulations known as HIPAA (Health Insurance
Portability and Accountability Act) standardize the electronic transmission
of healthcare data, including billing as well as beef up security and
privacy to protect patients’ healthcare data. HIPAA transaction
sets take effect in October 2002 with organizations permitted to seek
a 12-month extension to become compliant.
What are the HIPAA-IT requirements faced by state and local governments?
Besides Medicaid, there are multiple departments in state and local governments, such as human services, aging, and mental health, that handle patient healthcare data and are subject to HIPAA. Computer systems in these departments currently use diverse and proprietary data formats, as well as unique local codes. All of these systems must be made HIPAA compliant.
More HIPAA regulations will be finalized soon, including for example, security and uniform identifiers, and they will require more IT changes for compliance.
What are the estimates of HIPAA implementation costs?
There is a consensus that the estimates by OMB and CBO in the regulations
were low but whether the error was deliberate or inadvertent is still
being debated. Regulations estimate that Medicaid compliance costs
will be $1 million but CMS is routinely approving $20 million plus
requests from fiscal agents in various states. Since this is a 20-fold
increase, it is not surprising that the $5 billion original total
cost estimate for HIPAA has now ballooned to $40 billion.
Why are these costs high?
In analyzing costs HIPAA regulations allude to the purchase of a "translator that reformats existing system outputs into standard transaction formats" as an alternative to system conversion.
However, a translator merely rearranges and presents data in a chosen sequence. A translator is the "engine" of a HIPAA solution; a full solution actually requires a great deal of programming. For example, HIPAA transactions have many more fields than in an old legacy system. What happens with these extra fields? Also, even when present the fields can be mismatched. What if the HIPAA "last name" field has 50 characters, for example, while the old system can only accommodate 15 characters? Mere truncation will not help in recreating a HIPAA compliant transaction, as may be needed.
In a scenario eerily reminiscent of Y2K, legions of consultants and vendors have latched themselves to this notion of purchasing a translator to "remediate" the old system, i.e., building extra fields and modifying mismatched fields. In the process they build a unique custom solution for each system. Instead of promoting the uniformity originally intended by HIPAA, these "custom" solutions preserve existing diversity at a huge cost.
CMS has inadvertently supported this extravagance by granting sole-source bids from Medicaid fiscal agents without seeking less expensive alternatives. For Medicaid HIPAA compliance, federal matching funds can be between 75% to 90% of costs. Therefore, fiscal agents have promoted their expensive solution using the excuse that "The Feds are paying" to discourage states from shopping for less expensive alternatives. By not seeking cost-effective solutions, both the federal and state governments lose, while fiscal agents profit. If CMS spent less on HIPAA, it would have more money to pay providers and expand its support of healthcare services. In a similar manner states have the option to reinvest any savings in critical healthcare activities, such as the children's health initiative, that are eligible for similar federal matching funds. There is harm in paying fiscal agents these large amounts. CMS and states can put these savings to better use.
An intriguing way of getting federal government to subsidize HIPAA activities within a state is seldom discussed. If the Medicaid compliant solution is a "shared" solution, then it could become the nucleus of a statewide HIPAA solution, with most (though not all) of the costs coming from federal matching funds. The federal government imposed HIPAA compliance on states and states have found a way to get it financed with federal funds. This may sound a little like poetic justice and will work in those states where Medicaid compliance work has not started or where only a small part of the allocated $20 million has been spent.
Why does it make sense to expect less expensive HIPAA-IT solutions?
Consider this proposition: the thrust of HIPAA is to foster uniformity and yet the remedies being offered are unique to each site, duplicating efforts and increasing costs. In the case of Medicaid, for example, if a fiscal agent services multiple states, and even allowing for some unique tweaks, why can’t a common solution be devised to implement across their client base? Probably because Medicaid and other organizations are imbued with the culture of being one-of-a-kind; the idea of using standard solutions has not yet taken hold. It gets more curious.
Fiscal agents service multiple states, often with the same outdated computer system, yet they are offering distinctive solutions to each state and charging each the full price of development. Unfortunately, CMS is playing along. One fiscal agent is charging five or more states $25 million each instead of devising a uniform solution that would cost $25 million for all of them. Do fiscal agents have a fiduciary responsibility to offer the "best priced solution" especially when they are "sole source" opportunities? Vigilance may be the only way to prevent such waste.
So also, if there are 15 departmental systems that must meet HIPAA
compliance, would it not make sense to look for one shared solution,
if that was possible, that can work with all these different systems?
How can these costs be reduced?
There are three ways to lower the cost of a HIPAA solution:
· Limit modifications to the old legacy systems, since this is an expensive
and resource-intensive option.
· Since HIPAA is all about uniformity, design a generic solution that
can be used with any system. These systems are called COTS (commercial
off-the-shelf) solutions and cost less because their development costs
are amortized over the entire customer base. Custom solutions service
one client and therefore, cost more.
·
When there are multiple systems that must be made compliant as in state
and local governments, a "shared" solution can drastically
reduce costs.
How will HIPAA costs affect state and local governments?
With states facing dwindling revenues and with federal support restricted only to Medicaid, it is evident that meeting HIPAA's compliance cost will require funds to be reallocated from budgeted items. It can result in reduced services, such as fewer children being immunized and less services for pregnant mothers. Because these reductions by themselves will not be able to offset HIPAA costs, other government services will also be affected. In some states this could mean less money for education and even reduced funding for road construction. In other words, HIPAA may be a healthcare mandate, but it has the potential of impacting many other state government departments.
Unlike Y2K which was a one-time event, HIPAA will continue to impact budgets for many years, due to the required changes in transaction formats and new regulations. Costs will continue to mount and a poorly designed solution may require major re-work, burdening future budgets as well.
What is the solution proposed by Physmark?
Physmark has developed a commercial off-the-shelf (“COTS”) software solution, called HIPAA Appliance™, that can work as a “front-end” to a legacy system to make it accept and transmit HIPAA compliant transactions. It requires minimal changes to the legacy system and causes no disruption to business. All HIPAA changes are restricted to HIPAA Appliance™, keeping future upgrade costs to a minimum as well. It is the economies of scale arising from multiple clients (as clients increase, unit cost decreases) that makes COTS applications less expensive. Physmark’s HIPAA Appliance™ uses Oracle Corporation’s relational database, application server and advanced development tools.
Because one HIPAA Appliance™ can front-end multiple legacy systems, state and local governments with their multiple departments can dramatically reduce their overall costs of HIPAA compliance.
How much will HIPAA Appliance™ save state and local governments?
Whether it is for Medicaid or other departments, Physmark's HIPAA Appliance™ costs considerably less than other competing solutions. In one case Medicaid compliance cost using HIPAA Appliance™ was projected to be less than $4 million when a competing fiscal agent bid was $14 million, a more than 70% reduction in cost. Similar savings will exist in non-Medicaid settings as well. Of course, these savings will vary but they will range anywhere from 50% to 90% of translator-based solutions.
How does it work?
Providers submit HIPAA transactions via the Internet through a custom portal provided by HIPAA ApplianceÔ which converts these transactions into ASCII format and custom programs specific to the payer used to upload into the legacy system. Any redundant data will be retained within HIPAA ApplianceÔ's tables with an appropriate link to the uploaded data fields. In the reverse process, data originating from a legacy system is converted to ASCII format and the corresponding HIPAA ANSI records created and made available at the portal for download by authorized providers.
How will this be implemented?
Physmark has assembled a team of highly skilled professionals from nationally recognized healthcare consulting organizations to implement and install HIPAA ApplianceÔ.
Data conversion and interface issues may be very time consuming and difficult. Even though it is a shared solution, interfaces must be built for data transfer to each legacy system. Redundant fields must be captured, linked and stored for future use. If the legacy system uses proprietary code sets, then "code set cross-walks" must be built with inherent logic to reduce the one to many mapping to a unique one. All of this takes time. And deadlines are looming.
What are the other HIPAA products and services from Physmark Inc.?
Physmark has created a product called the "HIPAA Gap Analyzer", an Internet based application that will assist a healthcare organization identify all the missing and mismatched fields in the various HIPAA transactions. A stand-alone version of Gap Analyzer is also available. States are running short of time and funds. Gap Analyzer allows internal staff to complete much of the mechanical aspects of gap analysis and relegates just the difficult work to experts. This tool can dramatically reduce the overall cost of performing a complete gap analysis.
Physmark, in partnership with other entities, will
soon launch a "HIPAA
Compliant Clearinghouse" to assist healthcare organizations that
wish to use a clearinghouse to comply with HIPAA's needs. Unlike normal
clearinghouses that cannot store transactions, this will offer both
store and forward services.
This article is property of Physmark, Inc.
http://www.Physmark.com - Contact:
Don Pierson 972-231-8000
