Looking for HIPAA Assessment Help? Here's a Short List

REPRINT*REPRINT*REPRINT*REPRINT*REPRINT*

Research Note
Markets
07 April 2000

Looking for HIPAA Assessment Help? Here's a Short List
M. Duncan

Many healthcare organizations have yet to begin or are just starting their HIPAA compliance assessment efforts. We identify several options for consulting assistance.

Core Topic

Healthcare IT Management ~ Industry Applications

Key Issue

How will HCOs best acquire and retain the IT skills and resources needed in an increasingly competitive healthcare and technology environment?

In its most recent issue, the electronic newsletter HIPAAlert announced results from its First Steps Survey (see Note 1). Perhaps the most significant finding of the survey is that two-thirds of provider organizations have not yet begun their HIPAA compliance assessments, and 20 percent of providers are waiting until at least August 2000 before beginning action plans. Despite delays in the publication of the final HIPAA privacy regulations, HCOs still face a two-year window for realizing compliance for the nearly approved standards (see Note 2); however, those not yet conducting assessments will use much of those two years for planning. Clearly, many of these HCOs will need consulting assistance.

Note 1

HIPAAlert and the First Steps Survey

Phoenix Health Systems (www.phoenixhealth.com), publisher of HIPAAlert, polled its subscribers on their plans for addressing HIPAA mandates. Of the 425 responding subscribers, 229 represented hospital organizations, 40 were payers, 40 were vendors, and the remainder were distributed among clearinghouses, government agencies, consultants and others. Respondents' job responsibilities included CIOs (85 respondents), compliance or security officers (57), senior management (60), other department managers (80), analysts (46) and consultants (37). It is important to note that the HIPAAlert survey preselected HCOs that have enough concern for HIPAA to have signed up for a very active list server. The actual population of all HCOs is likely further behind in assessment efforts.

Phoenix has also demonstrated early thought leadership in HIPAA awareness and developed methodologies and educational tools. Although only a 60-person consulting firm, it should be considered a valid assessment short-list option for hospitals and smaller integrated delivery systems.

Note 2

Mandatory Compliance Is Looming

While DHHS has extended its review period on privacy regulations due to overwhelming comments on its initial proposals, final approval of the other HIPAA standards is closer to reality. Compliance with EDI transactions, code sets and security standards will be mandatory by 4Q02 (0.8 probability), and compliance with claims attachment standards will be mandatory by 1Q03 (0.7 probability).

Many healthcare consulting and systems integration firms are rushing to build HIPAA practices, and most have transitioned resources from their year 2000 compliance practices. CHIM, a trade association in the healthcare IT industry, has built a Web site (www.chim.org/Advocacy/mbrcapbl.html) for its members to explain their HIPAA capabilities. HCOs will find this a useful tool to at least begin identifying firms that might help them. However, Gartner has identified several consulting firms that appear to be "ahead of the curve" in developing robust HIPAA service offerings.

HIPAA Consulting Organizations: Links to each firm's HIPAA offerings can be found on its main Web page.

Computer Sciences Corp., www.csc.com/industries/healthcare/prodserv/hipaaserv.html
Deloitte & Touche, www.deloitteconsulting.com/services/industries/health_care/index.asp
Ernst & Young, www.ey.com
First Consulting Group, www.fcg.com/services/HIPAA.asp
KPMG Consulting, www.kpmgconsulting.com
IBM, www.ibm.com
SAIC, www.saic.com
Superior Consultant, www.superiorconsultant.com

Although the HIPAA consulting market is too early in its life cycle for us to differentiate strengths and weaknesses of competitors and their offerings, each of the firms listed here has distinguished itself with key characteristics:

Strong healthcare-specific industry expertise (most target providers, payers and life sciences organizations).
Large parent organizations, with extensive staff and capital resources.
Specific experience and depth with security policy and technology consulting (and an ability to draw upon these skills from other industry practices).
Proven capabilities in designing and implementing e-business solutions.
Demonstrated thought leadership in interpreting HIPAA's impact on HCOs, via published articles, conference presentations, workshops and participation in summits and committees.
Formal methodologies for helping HCOs efficiently assess their HIPAA-related risks, vulnerabilities, opportunities (primarily cost reductions by standardizing and adopting electronic transaction sets) and compliance costs.
Solution kits or educational tools for communicating HIPAA's impact throughout HCOs.
Commitment to their HIPAA practice through dedicated resources.

All of these firms have at least a few clients for whom they are conducting assessment projects. They mostly follow a two-tier approach to assessments, usually beginning with financial and administrative electronic transactions and code sets (often calling this service "e-business enablement"), and following with a security and privacy assessment (see Note 3).

Note 3

Assessment Methodologies

These firms' typical HIPAA work plan encompasses a six- to 12-week project for each assessment phase, and fees are generally in the $100,000 to $150,000 range per phase (although this figure may vary depending on the size of the client). Deliverables usually include action plans for implementations, reports on risks and vulnerabilities, and cost/benefit analyses.

Acronym Key

CHIM Center for Healthcare Information Management

DHHS U.S. Department of Health and Human Services

EDI Electronic data interchange

HCO Healthcare organization

HIPAA Healthcare Insurance Portability and Accountability Act

SAIC Science Applications International Corp.

Bottom Line: HCOs that have not yet begun their HIPAA assessment projects should act quickly. Achieving compliance with security and privacy regulations will eventually require tremendous effort, but moving an HCO from largely paper-based systems to standardized electronic transactions and code sets (for which most current DHHS standards are unlikely to change) necessitates immediate attention. Fortunately, there are several third-party options with demonstrated early expertise to assist them.

This document has been published by:

Service	Date	Document #
Healthcare Executive and Management Strategies	7 April 2000	M-10-6889
PRISM for Healthcare Providers	7 April 2000	M-10-6889
PRISM for Healthcare Payers	7 April 2000	M-10-6889

Entire contents (C) 2000 by Gartner Group, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner Group disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner Group shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Please read the guidelines and policies for GartnerGroup copyrighted materials. Privacy statement.