How do you spell trouble? H-I-P-A-A
The Health Insurance Portability and Accountability Act of 1996 is a good case study in the challenges of operating in the public sector. All the typical problems generated within a government environment are surfacing in HIPAA, including funding and compliance deadlines.
Briefly, HIPAA requires many agencies to exchange health data, and the rules will dictate data elements and formats'a big information technology headache.
Meeting the act's federal mandates will test a state's ability to overcome great odds.
The federal government made HIPAA into law in 1996. It took effect in 1997, but Congress set the rules to make it take effect in 1998 and continue through this year, next year and possibly beyond. To further complicate matters, states were arbitrarily given two years and two months to comply, regardless of the final rules or technologies required to handle medical information.
Add to this the overlapping timelines of various rules and you can appreciate the cumulative impact on demand for state information technology resource requirements.
How many IT initiatives can a state simultaneously pursue? Why can't the federal government finalize all the HIPAA regulations before forcing implementation?
The federal funding apparatus is also askew. States have been told the federal government will fund only the Medicaid component of HIPAA compliance, through the Health Care Financing Administration, recently renamed the Centers for Medicare and Medicaid Services. The social and human services components in state governments must drive technology other agencies must use.
My question is, why can't states receive funding to solve the entire HIPAA challenge, and not merely to strengthen one link in the health care chain?
This scenario frequently drives state agencies to go their separate ways, sacrificing economies of scale as well as the integrated solutions on which HIPAA depends.
Underlying states' problems is that HIPAA is commonly seen as simply an IT problem. Thus, a chief information officer might take a risk and try to coordinate statewide IT responses. But I estimate that administration, policies and process development consume 70 percent of the cost of HIPPA compliance. Therefore, the CIO is the wrong quarterback for HIPAA.
But CIOs and IT vendors aren't free of responsibility. The industry has been slow to market the technology necessary for HIPAA compliance. Does your middleware support HIPAA? Few states sought industry support back in 1996-1997.
This leads me to the old football analogy'no attention until the last two minutes of the half. As with the year 2000 challenge, HIPAA require stiff penalties and tight timelines to force states to engage. It seems no one is able to trust the other stakeholders. Why can't the federal and state governments work together as partners? Clearly, the process of establishing national programs must change.
Private-sector organizations are also part of the HIPAA issue. It will be interesting to see how federal and state governments deal with coordinating processes and technology links with private groups. CIOs need to reach out to these organizations now.
If all the stakeholders properly align their processes and technology to the HIPAA program, they'll achieve the hoped-for impact on the health care system. We can all declare success only after HIPAA stakeholders put aside their differences and start working together.Otto Doll, South Dakota's chief information officer, formerly worked in federal information technology and was president of the National Association of State Information Resource Executives.