Dr. Thomas Sullivan, president of the Massachusetts Medical Society and immediate past chair of the American Medical Association's e-Medicine Advisory Committee, is just the sort of physician technology companies drool over.
An avid proponent of information technology, Sullivan met recently with Microsoft at its headquarters outside Seattle to tell the software giant how it could better serve the $1.7 trillion health care industry. But back at his own cardiology business in Danvers, Mass., Sullivan doesn't exactly practice what he preaches: He still files claims on paper.
"I've never found a system that I really like for a small practice," said Sullivan, whose private practice continues to rely on middlemen such as a billing agency and clearinghouse to handle reimbursement claims and file them electronically with payers. "I will change once I see something that's affordable."
The gap between Sullivan's vision and reality reflects the halfhearted efforts by much of the health care industry to comply with requirements for technological improvement under the federal Health Insurance Portability and Accountability Act. A major goal of HIPAA, a massive boat of legislation that floated a number of mandates for health care, was to modernize the way claims are processed while improving privacy protections for patients.
But those administering the 1996 law were forced to delay the compliance deadline for the legislation's claims-processing section twice in the last two years because of widespread difficulties in installing the needed infrastructure and coordinating the transition. So many problems remain that the federal agency charged with enforcing the law, the Centers for Medicare & Medicaid Services (CMS), has extended last October's deadline indefinitely and allowed a dual-standards world to exist.
Information technology is often held up as the answer to improve efficiency in an industry increasingly squeezed between cost-cutting measures and demands for higher-quality care. But in many cases, that technology hasn't provided the right answers for health care providers, especially physicians, or those answers have come at too high a price.
A recent survey of 631 providers, payers, companies and clearinghouses by the Healthcare Information and Management Systems Society (HIMSS), a Chicago-based trade group, revealed that only half had completed external testing for what is known as Transaction and Code Sets (TCS), which standardized what information must be contained in electronic claims and how it should be transmitted.
"For most of the physicians I come in contact with, HIPAA is a nonevent," said John Thomas, chief executive of MedSynergies, an Irving, Texas, firm that provides financial consulting services to doctors. "They see no reason to change."
"We're very early in the TCS crunch," Thomas said, estimating that only 15 percent to 20 percent of physician claims today comply with the standard. As their accounts-receivable numbers balloon with unpaid claims, he added, "physicians are going to wake up to a four-alarm blaze."
Although CMS could fine the offenders, it has chosen to work informally to resolve the complaints. Last July, the agency began allowing "contingency plans," under which payers could accept noncompliant claims, as well as compliant ones.
"TCS represents an activity, the magnitude of which the health care industry had never attempted before," said Karen Trudel, director of the Office of HIPAA Standards at CMS. "You've got so many different moving parts that a lot of people underestimated the complexity of the process."
The agency has not set a time frame to end the contingency plans. Trudel said about two-thirds of the Medicare claims her agency receives are compliant today, an indication the industry is moving in the right direction.
So far, "we have received about 50 legitimate TCS complaints," mostly from providers against payers or clearinghouses, said Lori Davis, acting deputy of the HIPAA standards office.
Facing the human factor
The stumbling block is not so much technology as culture. Many delays can be attributed to simple inertia on the part of doctors and others routinely bombarded with demands that are deemed to be higher priority than technology.
"With any systems upgrade, the technology is probably the easiest part and culture change the most difficult part," said Joyce Sensmeier, director of professional services at HIMSS.
For one thing, the HIPAA mandate requires coordination among several parts of the complex health care industry. First is the providers--hospitals and physicians--who treat patients and file claims. These claims are typically scrutinized by clearinghouses and other middlemen en route to payers, which include insurance companies, managed care organizations, employers and federal and state governments.
Then there are sellers of health care software and services used to transmit claims and associated information. These include specialty companies such as Siemens, McKesson and WebMD--the largest clearinghouse in the market--along with large hardware and software makers such as IBM, Microsoft and Oracle, which offer customized systems for health care.
All these groups must be aligned for an industry standard to take hold. Instead, "there's been a lot of finger-pointing going on--everybody's saying the other guy isn't ready," Sensmeier said.
She did a little of that herself. "Providers are making progress, and vendors are lagging behind," Sensmeier said. Her organization represents both groups, so it isn't taking sides.
Physicians on the edge
The HIMSS survey showed that while 45 percent of providers and 56 percent of payers were ready to accept or transmit the standardized transactions, only 40 percent of the companies that make software for the industry were prepared. And that was down from an earlier survey, when 47 percent of these companies reported they were ready to handle the transactions.
Within the notoriously insular health care world, the technology mandate is viewed as a costly burden, one that's especially challenging for physicians with small practices like Sullivan. Hospitals and other large organizations are more likely to have a technology infrastructure already in place and resources to upgrade it.
Intensive care for medical data
Law prescribes overhaul
of aging system
Frost & Sullivan estimates that providers--hospitals, managed care organizations and physicians--spent $1.2 billion between 2001 and 2003 on HIPAA products and services. Most of that spending was by what it characterized as "early adopters," often large organizations with resources to experiment with new initiatives.
But most doctors practice in small groups, representing the majority of the nation's 750,000 physicians. About two-thirds of physicians practice in groups of eight or fewer, according to Eric Brown, principal analyst for health care at Forrester Research.
Practices like these may only recently have installed a computer, with an office manager serving as the entire technology support department. With no compelling reason to move forward--like a hard federal deadline and sanctions to back it--they'll drag their feet on a requirement that, at least in the short term, doesn't improve their bottom line and may damage it.
Security deadline approaches
As if this weren't enough, the health care industry is facing another HIPAA deadline next year, the April 21, 2005 date by which providers and payers are supposed to meet the legislation's security requirements.
The security standard requires health care groups to assess their systems' susceptibility to unauthorized access and then put a policy in place to deal with that. Technology such as firewalls and authentication plays a role, along with administrative procedures like training staff and doing background checks.
CMS' Trudel doesn't believe the security standard will be as difficult a hurdle as the claims-processing provisions. "We deliberately built in flexibility" with security, she said. "We're saying you have to think about your risk and how you can best mitigate that risk."
Still, for an industry that likes everything spelled out, that very flexibility could prove difficult. "A lot of people," she noted, "are going to be asking us, 'Just what do I have to do?'"
Sidebar: A healthy market
Health care spending on information technology is expected to reach $42 billion this year, according to Gartner Dataquest. Many companies that sell into the market are specialists, but the big guys are looking for a piece, too. In the HIPAA claims market, here are some examples:
Microsoft sells BizTalk Accelerator for HIPAA as an add-on product to the BizTalk server, providing prebuilt support for 12 mandated HIPAA transactions. Most sales are to large and midsize health care payers, including Blue Cross Blue Shield Association. On the market for two-and-a-half years, BizTalk Accelerator has about 250 customers, according to Microsoft product manager Julia White.
Oracle offers a database specialized for health care transactions that includes an HL7 (a standard for health care data exchange) adapter, "although we are very careful to say that we don't guarantee HIPAA compliance," said David Knox, an Oracle chief engineer in the information assurance center that serves government, education and health care customers. To date, Oracle has a total of 3,700 health care customers for this and other products in the sector.
Hewlett-Packard introduced HP Forms Automation System in November. It declined to release the number of customers but said the vast majority are in health care, generally hospitals or delivery systems with multiple member organizations. The system automatically converts data capture from paper into an electronic format and can be readily applied to HIPAA claims information. In addition, a broad range of HP products, from security devices to printers, can be customized for health care.
IBM also tailors a wide array of its products to health care, mostly running on its WebSphere or Tivoli software. Examples include the IBM WebSphere Business Integration Collaboration for HIPAA Transaction, which covers the lifecycle of HIPAA compliance, and WebSphere Data Interchange, which includes a manager for the HIPAA code set transactions. Other products include privacy, work flow and messaging managers. The company declined to specify how many health care customers it has, except to say it has "thousands, covering the gamut from hospitals to payers to small medical offices."