
Learn how Harvard Pilgrim Healthcare (HPHC) is using technology to comply with HIPAA requirements for transactions, privacy, and security. Driven by Oracle technologies, HPHC's web portals integrate with existing transaction applications to serve some 760,000 health plan members, 22,000 medical providers, 2,000 employees, and a community of independent brokers. The article also includes:

  • Q&A with Forrester Research's Elizabeth Boehm
  • An introduction to HIPAA
  • A discussion of Oracle's HIPAA-compliant, role-based security

As Published In

Profit Magazine
November 2004

Spotlight on Healthcare

Healthy Compliance
By Carol Hildebrand

Technology Is the Foundation of HPHC's Efforts to Meet HIPAA's Requirements.

Although regulatory compliance and technology are tightly linked, successful fulfillment in many ways requires more than that vital connection. After all, there isn't a software suite yet that can be installed to deliver instant compliance—especially for healthcare agencies striving to comply with the United States Health Insurance Portability and Accountability Act of 1996, or HIPAA (see the "About HIPAA" sidebar).

Instead, to ensure compliance, healthcare companies must develop comprehensive programs that embrace institutional change: behaviors, policies, and—yes—technology.

"It's all about the employees in an organization understanding their responsibility with respect to security and privacy," says Lawrence Rapisarda, chief technology officer at Harvard Pilgrim Health Care (HPHC), a Wellesley, Massachusetts-based healthcare plan that provides coverage for more than 760,000 people in Massachusetts, Maine, and New Hampshire.

At HPHC, which has a history of using technology to lower costs and improve service, technology is an important foundation underlying HIPAA compliance. The company's information security officer, Ken Patterson, reports to Rapisarda, and has a significant role in developing HPHC's overall compliance program. In fact, HPHC goes a step further, building its business goals in tandem with HIPAA compliance.

Snapshot

Harvard Pilgrim Health Care
www.harvardpilgrimhealthcare.com
Year founded: 1969
Annual revenue: US$2 billion (gross)
Number of employees: 2,000
Oracle products and services: Oracle9i Database, Oracle9i Application Server Portal; Oracle E-Business Suite Payables, Receivables, General Ledger, Incentive Compensation, Payroll, and Time and Labor

Rapisarda divides the HIPAA program into three major areas: transaction compliance, privacy compliance, and security. The government gave companies two years to comply with each section, once those regulations were finalized.

"For transaction and privacy, the two years have come and gone, and for the most part, we feel certain that we are in compliance," says Rapisarda.

Security compliance, however, kicks in next spring, and HPHC is once again using technology to ensure compliance. Take, for example, the company's groundbreaking use of portal technology to boost customer service. The Web site, driven by Oracle9i Application Server (Oracle9iAS) Portal, integrates with the existing transaction applications and serves approximately 760,000 health plan members, 22,000 medical providers, 2,000 employees, and a community of independent brokers.

"Members can look at all kinds of general health information on the site," Rapisarda says, and it offers providers a wealth of resources—from payment and benefit policies to the health plan's "formulary," or tiered list of prescription drugs. "Before prescribing a medication, doctors can check to see if it's covered or has a less-expensive generic equivalent," Rapisarda says.

About HIPAA

The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates the creation of standardized methods to safeguard the confidentiality of healthcare-related data. Title II of HIPAA requires standard formats for all patient-health, administrative, and financial data as well as security processes to safeguard the privacy and integrity of that information.

Although offering this wealth of information makes perfect business sense, it also raises privacy and security issues that may be regulated by HIPAA. "The main tenet of both HIPAA privacy and security is the protection of protected health information [PHI]," says Rapisarda. "Therefore, it's very important in terms of security to protect our data and let only those folks who need access see it."

That's one reason HPHC chose Oracle's portal technology. "The portal technology provides role-based security for our internal Web portal as well as the external one," says Rapisarda. "The portal, as well as the database, gives us the ability to limit PHI access to just those people and particular job descriptions requiring it." For example, a case manager who does healthcare cases for HPHC subscribers needs access to PHI. An administrative assistant in HR, on the other hand, has no such need—and hence, no access.

The company also uses the security inherent in Oracle9iAS to ensure compliance, particularly with a major application called eCare, which was developed by Perot Systems for HPHC and is deployed through Oracle Application Server. This application manages patient referrals and authorization as well as, in some cases, case notes. For eCare, Rapisarda uses the security management within the Oracle technology to safeguard the PHI. "We have a security system that integrates the Oracle portal and application server with the Netegrity policy server and Novell LDAP (lightweight directory access protocol) server."

For more information about Oracle's solutions, visit:

oracle.com/industries/healthcare
oracle.com/appserver
oracle.com/portal

HPHC also uses technology to underpin the educational aspect of its HIPAA compliance program. So much of HIPAA affects the way healthcare professionals exchange information during each workday that HPHC has instituted policies and procedures that establish the framework for compliance within the company. HPHC has a set of processes that direct how such policies are developed and how they are approved by the privacy and security officers. Rapisarda's group has built a portal-based application that helps streamline and automate the policy development process. "As the policy is developed, it can go into the review and approval process automatically," he says. "It also gives us triggers for when policies need to be updated and kept current. It's like a document management capability in terms of creating policy, and policy development and the policy library process are the foundation of our educational process."

In the long run, says Rapisarda, HIPAA compliance is merely codifying what HPHC has always taken seriously. "Members' data is a personal trust, and we never take that lightly," he says. "These are things we were doing before, but now we're being more formal about it. We take it pretty darn seriously."

Q&A TrendWatch:
Q&A with Elizabeth Boehm, of Forrester Research, on 2005 Trends in Healthcare

What business and technology trends should you look out for in healthcare in 2005? We spoke with Elizabeth Boehm, senior analyst, healthcare and life sciences, at Boston-based Forrester Research, for her insight. She advises business decision-makers and CIOs to think about the following issues.

Profit: Healthcare is a broad marketplace. Which issues affect everybody?

Boehm: We divide healthcare into three areas: providers, such as hospitals; payers, such as insurers and government entities such as Medicare; and manufacturers, including pharmaceutical, biotech, and medical device manufacturers. The business issues for each are very different. That said, if there's a broad concept overarching everything that's causing changes, it's the idea of consumerism.

Profit: How do you define consumerism in the healthcare context?

Boehm: It means that patients—the ultimate end users—have more final responsibility for what healthcare gets purchased. Patients therefore require more information and need to educate themselves to make smart decisions. It has different implications for all three players.

Profit: What are those implications?

Boehm: Well, let's start with the payers. The implication here of consumerism is that it's beginning to change the way they design health plans, shifting cost decisions onto the consumers and empowering them to make more-informed health decisions. The catchall term is "consumer-directed health plan." It basically gives consumers a pool of money in a tax-advantaged account, often with a high deductible. Consumers can choose expensive or inexpensive care, but it all comes out of that pool, and the consumers have to decide which trade-off to make. That changes things.

On the systems side, the repercussions of this plan design are that a highly customizable plan means that payers must beef up customer service support programs and that some must be automated, or the costs will go through the roof. Payers need self-service systems that tap into archaic legacy systems. This causes a cascade of IT requirements that goes all the way back to the core systems.

Profit: What about hospitals?

Boehm: For hospitals and medical providers, consumerism means that whereas they previously negotiated with a health plan, now consumers are involved. They want to know what they're getting for their money, so there's a bigger push to justify differential payments. Hospitals have to show that they have better outcomes to justify their fees—it's called pay for performance. To do this, providers have to have the infrastructure to not only capture data but also to prove their outcomes and to put in place information-driven clinical systems to further enhance care. Providers will be selling to consumers, so they need really good data that's understandable to them. They need to give them the comparative data necessary to make decisions. And that gives the providers a real business case to make that commitment to information systems.

Profit: What about the life sciences companies?

Boehm: The least affected by consumerism are the life sciences companies—they can't change their products, but they can change, adjust, and get creative about the types of support built around those products. So pharmaceutical companies will shift away from what's called awareness-driven marketing, toward compliance-driven marketing. For example, people on long-term medications frequently just don't stay on—up to 50 percent of people, as a matter of fact. So, the companies might shift toward marketing designed to keep people on their drugs long-term.

This all requires a pretty good information infrastructure to collect data, see what works, and make customized recommendations and changes that will result in the behavior changes you want.

Profit: Is HIPAA still a factor for healthcare companies?

Boehm: HIPAA has already had a big effect on healthcare IT investment, and it's now starting to settle down. Things such as standards for clinical data capture are still trickling through and being sorted out.


SOURCES
For more information and resources on regulatory compliance, please visit these IDG publications research centers:

Laws & Compliance
Understanding new legislation and managing regulatory compliance
www.csoonline.com/research/compliance/index.html

Government and IT Policy Research Center
For insight into politics and policies
www.cio.com/research/government

And be sure to check out these recent articles from the IDG family of business/technology publications. You can find them at the Profit Resource Center at www.cxo.com/profit-resources/.

"How to Keep Your Company in Step with Compliance Issues"
"Building a Compliance Framework"
Federal, state, and other mandates are sucking up far too many resources, and there's no end in sight. Companies that find ways to build compliance into their corporate cultures will save time and money for strategic tasks, and IT is well positioned to lead the effort.

"Remote Offices: The Achilles' Heel of Regulatory Compliance"
Backing up data in remote offices is a problem IT managers must solve if their companies are to meet regulatory requirements. Steve McCanne, cofounder and CTO of Riverbed Technology, explains one technology that's allowing companies to store data from remote offices in a centralized location.

"Outsourcing Sparks Concerns over IT Controls to Meet Sarbanes-Oxley"
IT auditors worry that outsourcers may not provide the documentation needed to comply with Sarbanes-Oxley.

Oracle Resources

A Better Solution for Healthcare
Oracle's industry-focused solutions—including Oracle E-Business Suite, Oracle Healthcare Transaction Base, Oracle Database 10g, and Oracle Business Intelligence—automate key materials management, human resources, and financial and clinical processes, enabling healthcare organizations to meet their needs and deliver the right information to the right people at the right time. Read the EIU white paper, Efficiency Cure: Finding Cost Savings in Healthcare Administration. Visit oracle.com/start.

Improving the Prognosis
Read the executive brochure that details Oracle's approach to the healthcare industry and find out what our customers have to say.
oracle.com/industries/healthcare/HealthCare_Brochure.pdf


Carol Hildebrand, of CXO Media Custom Publishing, is a Wellesley, Massachusetts-based writer with more than a decade's experience in business/technology journalism. CXO Media is a division of IDG.

