In-Depth

Case in Point: Charting a Course for HIPAA Compliance

The University of Michigan Healthcare System leverages an IBM solution to ensure HIPAA compliance

• By Stephen Swoyer
• 02/13/2003

Like any healthcare provider worth its salt, UMHS takes seriously its obligations under the Health Insurance Portability and Accountability Act (HIPAA), the first phase of which—governing the standardization of healthcare transactions and code sets—is due to kick in on October 16, 2003.

Enacted in 1996, HIPAA establishes national standards for electronic health care transactions and assigns national identifiers to health care providers, health plans, and employers. HIPAA also addresses information security and privacy.

HIPAA presents an enormous challenge for healthcare organizations. Providers must ensure that their systems—some of which host proprietary programs that predate the availability of packaged applications from specialty vendors such as McKesson HBOC, Sterling Commerce Inc. and others—can perform the necessary translation and mapping of HIPAA data to proprietary formats even as they guarantee the security of transactions that are sent over the public Internet. They must also safeguard the privacy of patient data on their own systems.

UMHS, in particular, had a lot to worry about. That’s because it supports more than 10,000 client computers, a mix of about 500 Unix and Windows servers—and an IBM mainframe.

The problem was compounded, says director of business and administration Dan Waltz, by the fact that HIPAA itself is so new that even specialty application vendors haven’t necessarily gotten a handle on it. “It’s such a new field. Certainly, the vendor solutions were very viable, and had we gone with those solutions, we probably would have been okay, but we would have sacrificed the total integration of our development platform and our enterprise integration software.”

Instead, UMHS opted for a new middleware offering, WebSphere Business Integration for HIPAA, from IBM Corp. Big Blue unveiled WBI for HIPAA in late October (http://esj.com/news/article.asp?EditorialsID=315), at the time promising canned compliance for 10 HIPAA processes—including enrollment, claim initiation, claim status, and claim eligibility.

For Waltz and UMHS, one of the most attractive things about IBM’s solution was that it separated HIPAA business logic from programming logic. Big Blue didn’t necessarily have the market cornered on this feature, however, he concedes: “The thing that was appealing was that Sterling [Commerce] and IBM had the business objects methodology in software, where you could have logic built into the software without programming, and route the various transactions.”

Another thing that tipped the scales in IBM’s favor was WebSphere’s canned integration support and proven hooks into a variety of different data repositories, Waltz acknowledges: “It appeared to us that we would be able to handshake with any conceivable situation.”

These features were important, he allows, but a strong case in support of IBM’s HIPAA offering was also made by UMHS’ front-end development team, which was intrigued by its architectural possibilities, especially in terms of facilitating real-time collaboration with partners. “Our redesign group was really pushing for solutions at the very front-end of our process. We have the McKesson Pathways scheduling project, and the front-end committee wanted to be able to check the eligibility with insurance right at the point of scheduling. As we got into this, it appeared that [WBI] would allow that more easily than other solutions.”

Since November, Waltz says that UMHS has completed several pilot programs with its M-CARE HMO, most significantly with insurer Blue Cross-Blue Shield. In addition, his organization will implement a WBI process to replace a custom-built eligibility-checking application. “Blue Cross-Blue Shield was going to terminate an avenue that we use to do eligibility checking in batch [with a custom application], so we found that we could use the same methodology in the WebSphere Business Integration as a batch process as well.”

IBM’s solution provided both functional and architectural advantages over its competitors, Waltz allows, but it also had a more agreeable pricing structure. He says that vendors that specialize in healthcare information systems wanted to bill UMHS on a per-transaction basis for the use of their HIPAA-compliant products. Because his organization processes tens of thousands of claims per month, a per-transaction fee added up to an expensive proposition, Waltz explains. “We process about 56,000 UB92 claims per month, and MCARE claims we process about 26,000 per month. So you can imagine that, depending on the transaction fee, it becomes very expensive.”

Neither Waltz nor IBM would discuss the pricing of the WBI for HIPAA solution, however. “We’re still in the process of paying for it, and it’s obviously a very large project. It will evolve in stages as the [HIPAA] standards themselves evolve.”

Since IBM announced WBI for HIPAA in October, says Jacqueline Shahin, Big Blue’s market segment manager for insurance, it has worked behind the scenes to augment its HIPAA offerings.

The result, she says, is that IBM in Q2 will introduce additional HIPAA features, including support for new processes and business flows. “We are … continuing to invest in that technology and we plan on releasing an enhancement in Q2 03. It consists of a series of process flows and data objects, to streamline for HIPAA compliance. Things like adding new business flows.”

Shahin suggests that organizations evaluating HIPAA options should be certain to partner with a vendor that has demonstrated both industry staying power and the commitment to develop its products in lock-step with HIPAA standards. “HIPAA regulations are always changing, and you can’t just buy a technology and be done with it. So IBM is making a commitment to make its HIPAA technology current as the regulations change.”

Laura Ingram, a senior program director with consultancy Meta Group’s insurance vertical, stresses that pre-built frameworks such as WBI for HIPAA aren’t a panacea. In most scenarios, she points out, organizations will still have to custom-code integration between HIPAA middleware and their existing systems.

At the same time, she suggests, a pre-built framework provides a good place to start and is a solid investment for the future. “The [EDI] ANSI standards are really complicated, and the advantages of any EDI translator is that a provider or a hospital can let someone else worry about keeping the formats up to date. What they really have to be concerned about is linking their [existing] systems to the [WBI] middleware.”