HIPAA no easy mandate

The Health Care Financing Administration

Complying with a federal law to standardize, manage and electronically share health care information will be much harder than making systems Year 2000-ready, experts told state officials Monday.

Panelists outlined what state governments need to do to meet the deadlines of the federal Health Insurance Portability and Accountability Act. The discussion came during a session of the National Association of State Information Resource Officers' midyear conference in Austin, Texas.

HIPAA was enacted in 1996 to ensure health insurance portability, reduce health care fraud and abuse, create national standards for health information, and improve the security and privacy of shared medial information. It affects all health plans and clearinghouses as well as all payers and providers, including states. It assesses penalties for non-compliance.

States must comply with data standards by October 2002. It's not going to be easy, officials say.

"It's like Y2K only much, much worse," said Richard Friedman with the U.S. Department of Health and Human Services, the lead agency overseeing HIPAA compliance. "Within health, it's everything in that area. It's not just changing the date."

He said states need to think strategically and that the issue goes far beyond a technology solution. It has to do with government policies and guidelines, he said.

One component of HIPAA is adopting national standards for electronic data interchange of certain administrative and financial transactions. That's intended to greatly reduce costs. In addition, privacy standards must be adopted by April 2003, and security standards are expected to be issued soon.

Lorrie Tritch, with Iowa's human services department, said that although everyone supports the goals of the act, the deadlines are unrealistic.

"These are all things we should be doing anyway," she said. "What we need is time to get there."

Several organizations — including NASIRE, the National Governors' Association and the American Public Human Services Association — support extending federal deadlines until all rules have been finalized so governments can take a holistic, rather than a piecemeal, approach to the issue.

Iowa chief information officer Richard Varn, who moderated the panel, said it would take roughly $3 billion for all 50 states to comply with HIPAA.

Seattle attorney John Christiansen said he was concerned that states would not budget adequately to comply. He urged state governments to devote more staff time to dealing with HIPAA and to consider outsourcing to meet demands.

William Cox, with North Carolina's health department, said his state has established a national Web forum — the Government Information Value Exchange for States (www.hipaagives.org) — to help other states with compliance efforts. He emphasized, as did the other panelists, that states should partner with each other and other public- and private-sector entities.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.