By Baselinemag | Posted 2002-02-04
The health care industry has been slow to comply with new federal requirements for the electronic exchange of medical data. So how did one cooperative find a way to comply four years ago?
An Idea Whose Time Had Come
The industry's foot-dragging can be hard to grasp when the benefits of electronic networks to hospitals and other institutions can be so tangible.
For years, the health care industry had calculated that transaction networks were the best way to trim spiraling administrative costs. For instance, of the $1 trillion spent on health care in the United States in 2000, more than $250 billion was chalked up to administrative overhead, rather than patient care.
Early attempts in the 1990s to create health care networks often failed because of the difficulty of creating and maintaining central databases from which a wide range of hospitals and insurers could retrieve and exchange information. Later attempts at deploying computer systems also worked against compliance with HIPAA. That was because many health care companies had relatively fresh investments in proprietary hardware and software. To create new systems for exchanging data could mean big write-offs on existing systems, and significant expense, to boot.
In 2001, almost a half-decade after HIPAA became law, medical insurers such as Blue Cross and Blue Shield (BCBS) were still arguing to the U.S. Department of Health and Human Services for more time, and were granted a 12-month extension for full compliance, to October 2003. Blue Shield companies, which collectively provide health care coverage for more than 81.5 million (one in four) Americans, applauded the extension.
"The one-year extension passed by the House and Senate," said BCBS CEO Scott Sereta, "will better enable the health care community to build, test and successfully implement the new transactions and code sets required by HIPAA." Among Blue Cross' (www.bcbs.com) concerns: That patients could object that the consent they give to sharing of their records does not cover the broad exchanges of data that are likely to occur electronically.
Even the extra time may not translate into compliance. A 2001 survey of the health care industry by consultancy Gartner Inc. found that fully 85% of hospitals and other health care providers had yet to complete assessments of whether they could even conduct basic electronic transactions with other institutions. In that survey, Gartner health care industry analyst Matt Duncan says he expects 70% of insurers who pay for health care will not be fully compliant with HIPAA standards on how transactions should be conducted, even by the end of Q3 2003. Conformance, he says, is often considered a "nuisance."
"It's (seen as) government sticking its nose in where it doesn't belong," Duncan said in October.
There's also the fear that medical networks, if they used a common format for exchanging data, could pose a security risk. Glaser says that what companies feared most was flunking what he calls the Boston Globe test. "No one wanted to wake up one morning and read on the front page of the Boston Globe that some hacker had broken into the patient-records database," Glaser says.
The logistics of safely exchanging such sensitive personal data in a common format seemed to all involved to be expensive, risky and organizationally overwhelming. Consequently, progress had been slow, halting, decentralized and largely ineffective.
"It came down to a matter of 'Okay, but you go first,' " says Glaser, the CIO of Partners HealthCare, a major Massachusetts health care provider.
Leaning over the balcony at the revelers below, Halamka and Glaser began to talk.
A few months earlier, Glaser had hired an El Segundo, Calif., consulting firm, Computer Sciences Corp. (CSC), to develop a fast and inexpensive way for Partners to automate its patient information and ramp up for HIPAA.
CSC partner Greg DeBor was there that evening, and joined the two men on the balcony. He told Halamka that CSC had been working on some promising middleware using Internet transmission protocols, but which worked over private networks. He believed these protocols, even if they originated on public networks, could act as a common bridge or gateway between Partners' legacy systems and health insurance payers or multiple hospital systems.
"We started to think, instead of trying to comply separately, why not do it together?" said Halamka.
Halamka and Glaser represented two of the Boston area's largest and most complex health care providers. And, each man brought to the table extensive credentials. Halamka, 39, was CIO of CareGroup, which operates six hospitals: Beth Israel Deaconess Medical Center, Mount Auburn Hospital, New England Baptist Hospital, Deaconess-Waltham Hospital, Deaconess-Glover Hospital and Deaconess-Nashoba Hospital. Halamka is also associate dean of the Harvard Medical School.
Partners HealthCare, where Glaser works, operates Massachusetts General and several other hospitals in the same area. He holds a Ph.D. in health care information systems and was the founding chairman of the College of Healthcare Information Management Executives.
Both men sought an efficient and affordable way to comply with HIPAA while at the same time fully automating the increasingly complicated and expensive relationship between providers and insurers, who were also represented on the balcony that night.
DeBor, Halamka and Glaser invited the other CIOs and CTOs sipping their drinks that night to a sit-down. They sketched out a plan on napkins.
Pen stroke by pen stroke, the sketch of a rudimentary network took form. What emerged was the picture of a relatively simple and secure "peer to peer" computer network, just like those that would soon be used to exchange music files over the Internet.
Under the plan, members would be able to maintain all of their existing systems, software and workflows. Members wouldn't spend a fortune on new software.
Companies would continue to maintain patient records on their own individual databases, avoiding the creation of a central storage spot that could invite scrutiny or hostile attacks from outsiders. Since the peer-to-peer network would operate over leased lines only, it avoided the main risk of the Internet: public communications lines.
The so-called Bourbon Street Coalition would return to Boston with what it felt was an achievable plan to form a medical records network built upon the x.12 standard. That standard specified the information that needed to be exchanged to complete transactions between providers and payers and, as a fringe benefit, would also bring each member into compliance with HIPAA mandates.
The system would be tested first by five companies: three health care providers (CareGroup HealthCare System, Partners HealthCare System and LifeSpan) and two payers, Harvard Pilgrim HealthCare and the Tufts Health Plan. The official name for the consortium would be the New England Healthcare EDI Network (NEHEN).