Complexity wont prevent insurers from meeting deadlines

By Matt Brady

As they enter the homestretch for becoming fully compliant with the regulations outlined in the Health Insurance Portability and Accountability Act, insurers are finding that, although still complex, the process is not an overwhelming task.

“Basically, this is an entire organization-wide change,” says Pushpendu Pal, chief technology officer at Anthem Blue Cross Blue Shield, Indianapolis.

However, Pal says Anthem is “very, very confident” that it will be fully HIPAA-compliant before the deadline, adding that the companys target date for full compliance is mid-February, well ahead of the official deadline of April 21, 2005.

Fred Laberge, a spokesman for Aetna, Hartford, Conn., expresses similar confidence, saying his company would “absolutely” be prepared for compliance in time.

HIPAA was passed in 1996, although it did not take effect until April 14, 2003. Much of the law is focused on ensuring the confidentiality of medical records and patient information, as well as helping to inform patients as to how their health information is being used and disclosed.

For insurers, HIPAA established new rules and regulations in five separate areas. Specifically, those rules applied to the electronic transfer of information, the code sets used by insurers to identify drugs or procedures, patient privacy, unique identifications for patients, and security, according to Laberge. Each of the different areas had a separate deadline for compliance.

After Congress and those crafting the rules had done their work, Pal says, “we did an assessment of what that means to us as an organization.” Based on that assessment of the different areas of business affected by HIPAA, Pal says Anthem established 8 separate projects for reaching compliance.

Among those projects was establishing an application inventory system. Although Anthem “spans across 9 different states,” as Pal notes, the company also has a significant amount of local level and area-specific applications. To better track exactly what is happening within the company, Pal says Anthem established a “very detailed application inventory,” which tracks where each application is based and who specifically “owns” that application. If someone at Anthem wants to use an application, “the applications owner will have to give access.”

On the security front, Pal says Anthem now encrypts all data that move outside of its system, including e-mail. Anthem, he says, has been working with an outside company to establish a high level of encryption for its system.

Most of the deadlines for companies to achieve compliance with the regulations of HIPAA have passed, with the April deadline for security the sole remaining major date.

“We are complaint with all of those,” Laberge says of the HIPAA rules already in effect. Aetna has established a chief privacy officer and a project management office with dedicated staff to ensure that compliance, he adds.

“We got a good jump-start on this,” he says, noting that Aetna began working toward compliance in 2000 or early 2001, when it realized the rules were likely being crafted.

Aetna did a “company-wide risk assessment against the requirements,” he explains, and the results “determined that we were already compliant with a lot of it.” There are still some “technical things that need to be done,” Laberge adds.

Neither Pal nor Laberge says they expected any serious problems as the companies prepare for HIPAA compliance. They have seen few serious bumps in the road as they have worked toward compliance in other areas.

“You can never say that you have no problems,” Pal notes. However, he also says that problems that were found were not especially serious. “It was a lot of details, but similar to any organization-wide transfer.”

Pal says that as Anthem worked toward compliance, it took a stance on technology that he summed up as “buy vs. build.” Effectively, he says, when Anthem discovered an obstacle blocking it from being compliant, the companys first move was to see if there was an existing solution that could be brought in to resolve the issue.

Pal notes that Anthems philosophy toward HIPAA compliance also played a role in its decision. As the company was absorbing the various rules and regulations involved with HIPAA, it made sure to take the most conservative stance possible on the requirements. This directive came from the top executive of the company, Anthem CEO Larry Glasscock, says Pal.

For Aetna, Laberge says that while there may have been some problems getting into compliance, none of them was especially notable. One of the main reasons for the smooth process now, he notes, is that insurers have been through the process of achieving compliance already. “Because this is the fifth of the five, weve figured out what were doing and what to expect.”

Looking forward, neither Pal nor Laberge expects any serious problems on their paths toward compliance. Pal notes that there is still time for the rulemaking bodies to fine-tune the HIPAA requirements and that Anthem was watching for “what other surprises are around the corner.”

Laberge notes, however, that another more technical problem could arise as insurers such as Aetna deal with claims. Some small hospital chains or physicians practices may not have the resources to achieve compliance with HIPAA, such as a dedicated IT department or a solid computer network, and may have received an extension of the compliance deadline from the government.

Additionally, Laberge notes that while HIPAA is a federal mandate covering the entire country, several states have added on their own rules. “Were a heavily regulated industry,” he says, “and we want to make sure were fully compliant.”


Reproduced from National Underwriter Edition, October 14, 2004. Copyright 2004 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.