By Alan Radding

A little over nine months ago, the final HIPAA security guidelines came out. In April, healthcare organizations were required to begin complying with HIPAA privacy mandates. The extended deadline for HIPAA transaction compliance came up this fall. Consulting firms with healthcare practices found themselves waging the HIPAA compliance battle on three fronts simultaneously. And few expect that the HIPAA action will subside anytime soon. To the contrary, it will become the springboard for much broader healthcare consulting engagements.

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is intended to streamline the healthcare system by establishing standards for electronically transmitting healthcare and patient data while ensuring the security of that data and the privacy of patient information. It is broad in scope, applying to every organization that handles healthcare data, including insurers, healthcare providers, payment clearinghouses, and various middlemen in the healthcare delivery process.
Many initially perceived HIPAA as the Y2K of the healthcare industry — a mad dash for compliance with extensive federal government mandates. Many consulting firms expected HIPAA to become a cash cow that would give them an immediate rush of billings and drive their healthcare practice revenues for years to come. In truth, HIPAA has turned out to be both less and more for the consultants.
"HIPAA definitely is good for business, but it is more complicated than Y2K," says Ramesh Raghavan, vice president/healthcare practice at Cognizant Technology Solutions Inc., Teaneck, NJ. "HIPAA is more strategic than Y2K. It is more process-oriented. It involves a lot of business processes. There are both IT and non-IT parts to it," he explains.

For PwC, this past spring's deadlines represent the start of the real HIPAA work. "Now we are getting down to the reality. We will see what works and what is feasible," says Jeff Fusile, national partner-in-charge/HIPAA Advisory Services at PwC, Atlanta. For example, PwC helped its healthcare customers prepare to meet the privacy requirements. Now it is standing by, ready to make modifications for any client depending on the volume and type of privacy requests that pour in. "Over the next year or two, we expect to see people changing their strategies with regard to privacy," he notes.
At BearingPoint, McLean Corner, VA, HIPAA itself proved a disappointment from a revenue standpoint. "Many people overestimated the amount of work involved and the amount of money that would be spent," says Paul Buerstetta, managing director/healthcare. Healthcare companies from the outset resisted spending large sums in HIPAA compliance. Even before HIPAA, many healthcare organizations — especially providers — already were struggling financially.

HIPAA, however, turns out to be just the front edge of where healthcare consulting really should be going. "Healthcare consulting is about ways to drive costs out of healthcare and be more efficient in providing patient care," Buerstetta points out. The HIPAA mandates, particularly with regard to transactions, are expected over time to reduce costs.
That also is how HIPAA is viewed at PwC. "We see HIPAA as the key to understanding healthcare. The idea is to use standard data to drive efficiency," Fusile agrees.
Although HIPAA is a U.S. government mandate, it has global implications. "HIPAA is really part of a number of things going on worldwide, especially when it comes to privacy," says Robin Bloor, principal, Baroudi Bloor, a business and technology research firm. As Bloor points out, "Citizens are increasingly deemed to have fundamental rights to data and to privacy."

HIPAA's privacy mandates dovetail with even more aggressive efforts in Europe to legislate privacy and a person's right to control his own personal data. HIPAA and the privacy legislation elsewhere in the world will come together first at the large insurers — the healthcare payers — who increasingly operate on a global scale and will find themselves subject to an array of privacy mandates.

There are three primary components of HIPAA: privacy, security, and transactions.

The privacy component defines what must be done to ensure the privacy of the data from a policy perspective, and grants patients considerable control over how their data is used and to whom it is shown. It also defines what constitutes protected health information (PHI), a key concept that runs throughout HIPAA's security and privacy regulations.
"Privacy is mainly about policy and procedures, nothing technical," Fusile explains. Where privacy will get complicated, however, is when patients start taking advantage of the control HIPAA grants them to begin specifying who gets to see what data.
The security regulations generated considerable worry until the final version came out in March. From the earlier drafts, it looked like the government would issue broad, sweeping, mandated security rules.

As it turned out, all those rules are there, but they are addressable rather than required. Addressable means that the government isn't telling you how to do something, such as how to authenticate and authorize someone before accessing protected data. Rather, it tells you only that you must do something in that regard and leaves it up to you to determine what action is appropriate. Healthcare organizations with large, sophisticated IT operations, such as insurers, will implement the addressable security rules differently than small healthcare providers.
"If you remember that the original intent was to decrease costs, not drive up costs, then the rules are written at the right level," says Buerstetta. Because the security rules are addressable, organizations can implement them in the way that is most appropriate and efficient for them. The only required security rule appears to be the mandate to encrypt all PHI being transmitted over a network.

Finally, HIPAA transaction rules define a set of EDI transactions and code sets for the most common healthcare processing. The result, ideally, will be a national standard for the electronic transmission of patient-identifiable information from computer to computer. As a corollary, the rules prohibit nonstandard codes and formats used by some insurance plans and clearinghouses. The big insurers, in fact, experience the biggest impact from HIPAA transaction rules. Providers — especially small providers — generally turn to clearinghouses to transform the organization's data stream into the standard format. Consultants like Cognizant built significant practices around just converting data sets.

While the large consulting firms primarily serve the big insurers and healthcare providers and focus on business process improvement and strategy beyond what HIPAA mandates, the smaller consulting firms tend to focus on bringing their small and midsize healthcare clients into HIPAA compliance. "With a month to go, we are seeing a final push on privacy. After that, our clients will focus on security," says Tom Grove, vice president, Phoenix Health Systems, Gaithersburg, MD. But even Phoenix has targeted its main HIPAA efforts on management and business process consulting rather than IT work.
It appears to be the right move, especially given the addressable nature of the security requirements. "I don't think that the need for HIPAA technology consulting is going away, but the security consulting geeks certainly have been disappointed in the HIPAA rules," Grove continues.
But even the small consulting firms should enjoy a steady stream of HIPAA-related business for a few more years. "Just because we hit the deadlines, HIPAA is not going to go away," insists Grove.

For one thing, more HIPAA transaction standards already are in the works. And as the government sees the results of the first wave of HIPAA compliance, Grove expects changes that will trigger demand for more consulting services. In other cases, he expects clients that are now HIPAA-compliant to begin thinking about redesigning processes. These new processes, for example, will take full advantage of efficiencies enabled by the standardized transaction data sets.
Cognizant, too, sees an ongoing demand for HIPAA-related services. "There will be work on HIPAA transactions through 2006," says Raghavan. Meeting the new security mandates will take the next two years, he estimates. In addition, there will be some level of ongoing compliance auditing and training. And like Grove, he too sees some related business process work: "A lot of organizations have implemented HIPAA but have not put in best practices to go along with it." He sees that as yet another opportunity.

But HIPAA alone never generated enough revenue to support a consulting firm, and the firms that are successful going forward will be those that go beyond HIPAA compliance to provide broader healthcare consulting services. That has been the attitude of the large consulting firms all along.
Of course, the big consulting firms will be looking at how to help their clients use HIPAA to cut costs, but they will be looking outside of HIPAA as well. "Supply chain management is a major opportunity area," suggests Buerstetta. Healthcare providers, especially hospitals, consume enormous amounts of commodity supplies, from toilet paper to pens and paper clips. Consulting firms can help healthcare firms apply rigorous supply chain management to drive down the costs of these goods. Similarly, healthcare organizations can sharpen their supply chain practices to procure drugs at better prices.
There also is a need for advanced clinical systems that can streamline healthcare delivery. "They can use these systems to eliminate unnecessary services, shorten stays, and reduce medication errors," Buerstetta continues.

All consulting firms with healthcare practices should be ramping up to help clients leverage HIPAA to the max. With rising healthcare costs triggering a loud public uproar, consultants who can help streamline the industry and capture savings will keep themselves busy for quite a few years to come.
