HIPAA, HIPAA, wherefore art thou, HIPAA?

January 10, 2001

All things considered, Y2K ended up being a banner year for most healthcare systems manufacturers. But 2001 poses a new and more challenging odyssey for the healthcare IT industry, now that the HIPAA regulations have been finalized.

Between the pressures of managed care and improvements in the cost and quality of computer and communications technologies, much of the healthcare information "revolution" has seemed inevitable, and HIPAA is no exception. Designed to protect medical records (electronic and otherwise, it turns out) and other personal health information maintained by everyone except the consumer, HIPAA has been hailed as everything from a godsend to a boondoggle since being signed into law in 1996.

But what the actual impact of the HIPAA privacy regulations will be is still anyone's guess. In fact, it's still everyone's guess. The Department of Health and Human Services, which wrote the privacy rules and will be responsible for enforcing them, has estimated that it will cost the healthcare field only $3.8 billion to comply with HIPAA and that HIPAA will save healthcare providers $12.3 billion over 10 years. While the privacy regulations are expected to increase costs by $17.6 billion over the next 10 years, HIPAA's electronic claims processing component should offset this, saving $29.9 billion during the same period.

A convoluted calculation, to say the least. And one that does not bode well for anyone, even the insurance carriers. But the reality could be even worse, if you believe the findings of a survey conducted by First Consulting Group for the American Hospital Association. After interviewing 19 hospital organizations, FCG concluded that the privacy rules alone could cost hospitals more than $22 billion over the first five years.

Why the cavernous gap between DHHS's numbers and those of the AHA/FCG survey? The AHA asked FCG to provide cost estimates for three provisions not included in the DHHS projections: minimum necessary use of information, requirements for contracting with and monitoring business partners, and disparities between the new federal rules and existing state laws.

As many information systems providers and systems integrators are likely already discovering, however, the situation may not be as bleak as it appears. The HIPAA regulations are forcing hospitals to conduct comprehensive audits of all patient data created and maintained across the enterprise, change all internal computer systems to limit access to that information, and train staff in appropriate uses of patient records. FCG estimates that this component of HIPAA alone could prompt U.S. hospitals to invest some $20 billion in new and upgraded information systems.

While such figures are music to the ears of HIS vendors and integrators, in the long run the burden of complying with HIPAA will begin to erode the already depleted coffers of hospitals, clinics, and doctors' offices. The next two years should produce a HIS boom of sorts, but be prepared for yet another inevitability. Once these healthcare organizations have met the basic HIPAA requirements, they will likely return to their old habits.