IBM Introduces HIPAA Extension for WebSphere

Boasts canned support for HIPAA processes, integration with back-end systems.

• By Stephen Swoyer
• 10/29/2002

HIPAA, enacted in 1996, mandates the establishment of national standards for electronic health care transactions. The HIPAA standards assign national identifiers to health care providers, health plans, and employers. It also address information security and privacy concerns.

WBI for HIPAA currently provides canned compliance for 10 HIPAA processes, including enrollment, claim initiation, claim status, and claim eligibility. It's based on IBM's WebSphere Application Server (WAS), and benefits from WAS' extensive hooks into legacy, database and application environments.

"WebSphere Business Integration for HIPAA is the combination of our WebSphere platform for process-based computing along with pre-built data objects and process flows that are specifically in support of the HIPAA standard," explains Doug Brown, director of marketing for WebSphere business integration. "We're really targeting health insurers and payers who need to establish HIPAA compliance immediately, and we're giving them out-of-the-box data objects and process flows for ten specific processes around HIPAA."

According to Lauri Ingram, a senior program director with consultancy META Group's insurance vertical research group, IBM's announcement is a timely one. After all, Ingram points out, the extended deadline for compliance with the HIPAA Electronic Health Care Transactions and Code Sets standards is Oct. 16, 2003. (Healthcare providers have until April 2004 to comply with HIPAA standards for patient privacy.) This means that they have less than one year to develop, test and implement a HIPPA-compliant solution. "They have to start testing in the spring. If people aren't dealing with this by now, they have serious problems from a HIPAA-compliance perspective."

Even without HIPAA support, IBM's Brown says that WBI is a suitable platform for companies that need to HIPAA-fit their existing information systems. Integrated support for HIPAA processes simply enables them to do it more rapidly, he suggests. "[WBI] is applicable to healthcare payers in and of itself, but with this extension, they have the ability to deploy far more rapidly and therefore become HIPAA-compliant sooner."

Customers that exploit WBI's HIPAA support can "cut somewhere between 30 and 70 percent of the [development] effort" compared to doing it themselves, Brown claims. "It's a very simple installation of the WebSphere integation server, so customers don't have to do Java development. It's simply a matter of installing the pre-built collaborations." He acknowledges, however, that most customers may still have to code or tweak integration with other applications—particularly custom applications.

A typical HIPAA business process involves a bi-directional exchange of transaction data. The claim initiation process, for example, begins in the HIPAA model by an external party, which typically exploits an EDI value-added network (VAN) to gain access to a healthcare payer's environment, where it's received by a b-to-b middleware product. At this point, a customer could custom code a translation layer that transforms the HIPAA-styled transaction into a format that's recognizable to its existing systems. In IBM's model, however, HIPAA transactions are handed off at this point to WBI, which transforms the data and routes it based on a workflow model that is unique to that payer. Finally, after the claim is processed, it transforms the data to adhere to the HIPAA standard for communication back across the VAN to the initiating party.

IBM's Brown says that there's a silver lining to enforced compliance with HIPAA: Customers can approach it as an opportunity to revamp their existing business processes to make them more efficient. "The health care payers have an opportunity to improve their businesses beyond simply becoming HIPAA-compliant. Our offering … gives immediate compliance for HIPAA, but is a lasting business infrastructure that the payer can use to fundamentally change their business flows over time."

IBM expects to ship WBI for HIPAA by mid-December. Brown says that WBI will facilitate integration with existing systems, along with the transformation of HIPAA and other data. Big Blue's Tivoli Security Management Software, on the other hand, will ensure compliance with HIPAA's security and privacy regulations.

According to META Group's Ingram, a number of companies are probably behind on their HIPAA-compliance efforts. "[IBM] recognizes the fact that there are healthcare companies that are really behind where they should be," she says. "If folks haven't done their gap analysis, if they don't have a plan by now, they're going to have to scramble to meet the deadlines."

In this respect, she continues, the advantages of a pre-built framework such as WBI for HIPAA are legion. "The [EDI] ANSI standards are really complicated, and the advantages of any EDI translator is that a provider or a hospital can let someone else worry about keeping the formats up to date, and what they really have to be concerned about is linking their [existing] systems to the [WBI] middleware."

Amith Viswanathan, a senior industry analyst with consultancy Frost and Sullivan, says that HIPAA compliance is anything but a clear-cut matter. "The whole issue here is what exactly makes you HIPAA-compliant? Nobody can tell you that. If they do, they're lying. There are so many loopholes and ways to implement this in accordance with your organization."

As a result, Viswanathan speculates, IT organizations will expect IBM and its partners not to provide packaged solutions but rather consulting expertise. "As far as the policy and procedural review, which is probably 70 to 80 percent of the ruling text itself, that's where the problems are going to come into play. That's where … they need to work with some of their affiliated institutions, and leverage their consulting base to help customers make sense of this."

IBM's Brown says that his company will leverage its IBM Global Services unit to help customers build secure, compliant HIPAA infrastructures. "WBI is the core of the offering, but we have other things to complement it. We're offering the Tivoli Privacy Manager product, to handle the privacy enforcement that's required by HIPAA, as well as obviously consulting services and training services for implementation that customers need."