Next year will be a watershed for health care organizations (HCOs) struggling to comply with the Health Insurance Portability and Accountability Act (HIPAA). Three deadlines loom, and many organizations have waited until the last minute to comply.

Opportunities abound for IT professionals with proven strategies for compliance, because much of the HIPAA work performed so far has been descriptive or analytical in nature, health care consultants say. The soft economy means most potential customers are looking for IT professionals who can help them comply without overhauling their systems.

“There hasn’t been a whole heck of a lot of solution implementation yet,” said Jim Allred, vice president of marketing for NetVision, Inc., in Orem, UT. “Hospitals, HMOs, and insurance companies are saying, ‘We don’t want another gap analysis. We want you to stop talking about our problems and fix this in a way that is not going to cripple our operation.’”

Much like banking law did 20 years ago for banks, HIPAA standardizes the way HCOs communicate through electronic transactions and mandates the privacy and security of patient information in those transactions.

The first HIPAA deadline was in October, but so many organizations filed for yearlong extensions that the deadline has, in effect, been moved to October 2003. Meanwhile, compliance with patient privacy rules is required by April 14. HIPAA security rules, the final component, will be published December 27, with compliance required a year later.

Here are the top skills and services IT consultants need to do this work, according to half a dozen HIPAA experts overseeing HIPAA remediation projects.

First of two parts

This is the first of two installments that detail the skills that IT consultants need to maximize HIPAA-related opportunities in the coming year. Next week’s article will detail some of the misconceptions that consultants may have developed about HIPAA.

Know the requirements by heart
A working knowledge of the three major components of HIPAA and an understanding of how HCOs work is the first step, said Kevin Haugh, who advised the U.S. Senate Labor and Human Resources committees and the Health Care Financing Administration and other government agencies while HIPAA was being drafted.

Consultants who can cite the code’s requirements directly will win the confidence of customers whose heads are spinning with conflicting assessments of what the law requires, Haugh said.

“There’s massive confusion about what HIPAA requires. A lot of health care organizations have not, frankly, made the kind of headway they should have because of the confusion,” said Haugh, vice president of product management for ProAct Technologies in White Plains, NY.

The part of HIPAA that establishes code sets for transactions for payment and enrollment into health insurance plans, eligibility checking, and billing is the first to go into effect. Haugh advised IT professionals to focus on the standards for how electronic data should be transmitted and received.

A good consultant should be able to target the issues and come forward with concrete solutions. “Don’t tell the customer, ‘You need to get a HIPAA conversion tool.’ Come to the table with some very specific ideas about how to address the problem,” Haugh said.

Knowledge of data flow
Consultants knowledgeable in analyzing data flow and data mapping also are needed, said Donna Gustafson, vice president of Covansys Global Healthcare Practice in suburban Detroit.

“The whole activity of identifying any local code sets and making them standard is a huge activity,” Gustafson said. “IT professionals who can go in and assist with data analysis and application modification are in demand right now.”

Most applications are going to need to be modified to ensure that patients’ records are secure and that health care employees see “only what they absolutely need to see,” she said.

For the last several years, Gustafson, who has overseen teams that have helped HCOs comply with HIPAA, has been up to her elbows in the fine points of the law. She jokes that she’s “definitely HIPAA-tized.” But she doesn’t require the same level of knowledge from the IT professionals on her teams.

“It’s important to have good IT people who understand technology and will be driven not just by compliance but also by strategic initiatives. I enjoy having folks as subcontractors who are not HIPAA jaded at all because they keep us clean. Not having lived HIPAA for the last few years can be a plus.”

The crosswalk
John Lilleston, technical supervisor for Verizon Information Technologies, Inc. in Tampa, FL, is supervising part of the HIPAA remediation work for Missouri’s Medicaid system. Lilleston will oversee a team as it installs on the state’s existing system a “translator” that will take HIPAA-compliant data and translate it into data the Medicaid claims system understands.

If he decides he needs to hire IT subcontractors, he’ll look for consultants who understand the transaction formats currently used by HCOs. The national standard formats for medical claims filed by doctors and the uniform billing format used by hospitals to prepare invoices for services are the basis of much HIPAA work.

“If you understand the old formats, then it is going to be easier to do the crosswalk between them and the new HIPAA transaction formats,” Lilleston said.

Can you talk HIPAA?
As the deadlines close in, more HCOs will grapple with HIPAA’s training requirement, Lilleston said. Every large to midsize organization is going to need someone to explain why new law is requiring them to change the way their information technology systems work.

IT consultants who can explain why health care workers must change their daily routines to comply with the new law will be extremely valuable, Lilleston said. In particular, HCOs will be looking for people to explain how the privacy and security rules affect the way they handle patient information.

Good communicators who understand IT, the law, and how much employees hate change will be in demand, Lilleston said. But IT professionals who want that work will have to be patient with their clients, he said, because they’re not happy about having to comply with the changes brought on by HIPAA.