HIPAA no easy mandate

• By Dibya Sarkar
• May 08, 2001

The Health Care Financing Administration

Complying with a federal law to standardize, manage and electronically share health care information will be much harder than making systems Year 2000-ready, experts told state officials Monday.

Panelists outlined what state governments need to do to meet the deadlines of the federal Health Insurance Portability and Accountability Act. The discussion came during a session of the National Association of State Information Resource Officers' midyear conference in Austin, Texas.

HIPAA was enacted in 1996 to ensure health insurance portability, reduce health care fraud and abuse, create national standards for health information, and improve the security and privacy of shared medial information. It affects all health plans and clearinghouses as well as all payers and providers, including states. It assesses penalties for non-compliance.

States must comply with data standards by October 2002. It's not going to be easy, officials say.

"It's like Y2K only much, much worse," said Richard Friedman with the U.S. Department of Health and Human Services, the lead agency overseeing HIPAA compliance. "Within health, it's everything in that area. It's not just changing the date."

He said states need to think strategically and that the issue goes far beyond a technology solution. It has to do with government policies and guidelines, he said.

One component of HIPAA is adopting national standards for electronic data interchange of certain administrative and financial transactions. That's intended to greatly reduce costs. In addition, privacy standards must be adopted by April 2003, and security standards are expected to be issued soon.

Lorrie Tritch, with Iowa's human services department, said that although everyone supports the goals of the act, the deadlines are unrealistic.

"These are all things we should be doing anyway," she said. "What we need is time to get there."

Several organizations — including NASIRE, the National Governors' Association and the American Public Human Services Association — support extending federal deadlines until all rules have been finalized so governments can take a holistic, rather than a piecemeal, approach to the issue.

Iowa chief information officer Richard Varn, who moderated the panel, said it would take roughly $3 billion for all 50 states to comply with HIPAA.

Seattle attorney John Christiansen said he was concerned that states would not budget adequately to comply. He urged state governments to devote more staff time to dealing with HIPAA and to consider outsourcing to meet demands.

William Cox, with North Carolina's health department, said his state has established a national Web forum — the Government Information Value Exchange for States (www.hipaagives.org) — to help other states with compliance efforts. He emphasized, as did the other panelists, that states should partner with each other and other public- and private-sector entities.