
Upload: heather-tomlin

Post on 28-Jul-2015


Page 1: eBusinessinHealthcare_Final

eBusiness Strategies in Healthcare

“Bridging the Enterprise to the Internet”

By David Sweigert

Medicine is a pioneering industry of technology. Modern medicine is pushing the very limits of technology and discovering new ways to heal. However, the irony of healthcare is that most of the technology resides only within the hospital. When a patient is cured and the recovery is complete, doctors, providers and payers are relegated to a paper system to process claims and wrap-up the details. Healthcare organizations are now looking to the Internet and eBusiness initiatives to solve this technology gap.

eBusiness bridges the participants of a business transaction. In essence eBusiness provides the technology to establish business relationships and complete transactions via the Internet. Unlike traditional contracts, where parties may meet in person to complete a transaction, eBusiness parties may never meet. Indeed, the power of Internet technologies may bring together parties from either end of the globe to transact business and exchange information.

eBusinesses and eMarketplaces use Internet technologies to bring users together in an environment specifically designed to meet their needs. For instance, large HMOs maintain directories that include listings for their suppliers and contractors, as well as authorized purchasing agents for the company. Rather than have representatives search through purchase agents and rummage through paper catalogues to locate suppliers, parts and merchandise might be catalogued in an electronic database. The idea behind eBusiness is to make that database accessible to parties inside and outside the company. With that database connected to the Internet, it now becomes accessible, regardless of location. Even more, this database can be opened up to the suppliers so they can update information and even include merchandise listing with prices. Now this database becomes more than just a directory, it becomes a hub of information.

The main motivation for enhancing these “directories” is cost savings. The Internet can literally save companies millions of dollars and thousands of man-hours. Within the healthcare market, some have estimated that the cost of a healthcare claim increases by $50 each time a different individual accesses or makes changes to a healthcare claim. Paper-based claims, whether mailed to a payer, handled by individuals, photocopied, stored, or eventually lost, are extremely inefficient when compared to electronic claims. The business case paints a clear need to move towards an eBusiness environment; however, special circumstances warrant attention with health care organizations.

HIPAA

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is being called the “Y2K of healthcare.” HIPAA represents the most sweeping national legislation to impact the health care industry in more than 30 years. Although HIPAA appears to be a hurdle for healthcare organizations to jump, it will eventually save the healthcare industry billions of dollars. HIPAA establishes government-mandated standards for electronic healthcare transactions and mandates practices for privacy and security of electronic patient data. The U.S. Department of Health and Human Services has developed and will enforce standards related to data security in all electronic healthcare transactions. Until now, many organizations have paid little attention to these regulations and proposals. However, now that the final rules are being published, healthcare organizations must find ways to become HIPAA compliant within the next 26 months or face stiff penalties. Failure to accommodate HIPAA may subject an employee of a healthcare organization to criminal penalties of up to ten years in jail and fines of up to $250,000.00.

The proposed rule applies to health plans, health care clearinghouses and any health care provider that transmits healthcare information in an electronic format. A health care clearinghouse, in this context, is an entity that receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers and clearinghouses. Because the health care system involves complex business relationships involving multiple parties, the proposed rule requires that, with certain exceptions, covered entities enter into contracts with the business partners they hire for assistance and with whom they will share protected information. Those business partners include lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms and other covered entities.

Planning the eBusiness initiative

Before engaging in an eBusiness initiative, organizations need to identify all of the entities and users of the system and define the roles of how those users may interact with the organization. The organization must fully understand the needs of its users and decide upon what data and privileges to provide amongst the different parties.

Issues to be addressed:

Who owns the information? Is this information proprietary to my organization, or does it belong to the patient, care provider or supplier?

Who administers this information to the users? Is the IT department responsible for dictating access and delegating authority, or does the process remain in the hands of traditional management? (administration)

How many servers connect the system? Will I have to replicate data and access codes on each server and CPU? Will all data be synchronized throughout the network after each change, or must it be done manually? (distribution and replication)

Does the information need to be replicated? How will I ensure that I have redundancy in the records and a protected archive of the data? (replication)

Who can modify the information? Can users access and alter their information, or will changes need to be made by the IT department? If so, what must their role and level of access be to allow those changes? (user authentication and access controls)

What tools or protocols are used to transact information in the database? Are my transaction standards universal? Will new technology be easy to integrate into the existing system? (integration)

What are the operations and performance criteria of the new initiative? How many users will the eBusiness suite be able to handle? How long will each transaction take to perform? What is the upper limit of the system, and can it grow with the enterprise? (performance)

Individual database administrators and IT managers may justifiably resist the idea of interconnecting sensitive databases to the Internet. The most common fears include that data may become vulnerable to hackers and unauthorized access. Also, with thousands or millions of users accessing a system, if information inadvertently becomes available, the damage can be catastrophic. Even more, patient information is so sensitive that the legal repercussions for unauthorized access would quickly discourage eBusiness initiatives. Any proposed eBusiness solution must provide security features that completely address concerns of every party involved in the initiative.

Who is visiting the site?

Unlike a face-to-face business encounter, eBusiness transaction parties almost never meet. Therefore, having a means to “authenticate” users is critical. An appropriate system for recognizing and authenticating is the foundation for determining user access and privileges. Implementing commercial-quality protection mechanisms that provide features such as end user authentication and identity-based access controls are recommended not only to protect the organization, but also to satisfy and conform to the HIPAA requirement for authentication.

Determining those who are accessing the site not only provides a method for maintaining security, it provides the mechanism by which information and access is delegated to the user. The key to the eBusiness venture is to provide each user with the information they desire and the transactions they need in order to drive them to the site.

Now that the organization has determined the identity and roles of those who will use the site, the organization must determine what information and transactions to provide those users. For example, a provider could be given privileges to access his patient’s information, which may include benefits, claims information or even medical records. Patients could be given the ability to view benefits information, claims status and history and view or even change their PPO.

Infrastructure

The architecture for eBusiness infrastructures typically follows one of two methodologies, Hierarchical or Mesh infrastructure. Both structures have benefits and drawbacks and are typically chosen based on user needs and security requirements.

The hierarchical infrastructure (see diagram below) is typically used in highly structured organizations. Most healthcare insurance organizations have clearly defined roles throughout the organization. From insured to provider to plan manager to supervisor, every role is defined and is assigned a position in the “chain of command.” These positions can then be translated into the electronic structure of the organization. In this type of implementation, the eBusiness would cascade down from a central, restricted access server. This structure allows the system to control directory requests based on user identification or class. The structure also provides a moderate level of protection against compromise of protected information. Configurations like this can provide an incremental approach to directory protection. That is, data could be divided into different compartments based on how access to the data should be controlled.

Figure 1. Hierarchical Infrastructure

The second and less highly structured method is a mesh infrastructure (see diagram below). This type of implementation is better suited to organizations where the emphasis is not on structure and security but more on promoting access and information sharing. This type of implementation is seen in eCommerce and business-to-business (B2B) exchange sites. The idea is to spread the information across the most users, where users will not be restricted to information but will instead focus themselves on the information they need. In this way, some data could be provided directly to Intranet/Internet users, while other data could require authentication for access. This approach might apply to an organization where the directory is maintained to provide Intranet access to directory information for employees or participants in an online exchange. Unfortunately, if any confidential information is shared across this system, security becomes more of an issue. With relationships spanning across the Internet, this type of organization may need to establish individual “chain of trust” agreements (a HIPAA requirement), which will place an administrative burden across the organization.

Figure 2. Mesh Infrastructure (diagram: several End User and Directory nodes, each linked to several of the others; only the node labels survived extraction)

eBusiness Partner Agreements

It is necessary for an eBusiness organization to establish chain-of-trust agreements with all third parties who may have access to patient health information. Such agreements are necessary to not only satisfy HIPAA requirements, but also to provide the organization with accountability of its users. Such agreements should outline that the third party will:

Keep the information in strict confidence.

Use the information only for the purpose of providing services under the contract.

Disclose the information only to those employees who need access to the information in order to provide services under the work contract, and ensure that those employees have signed an agreement requiring them to hold the information in confidence.

Return the information in usable form upon request or at the end of the work contract.

Indemnify the organization for all breaches of these obligations.

A business domain may consist of a closed corporate Intranet or be expanded to include a community of interest of healthcare institutions, providers, payers and even patients. While all these participants are part of a community of interest with an objective to communicate and share information, they are not bound by any one corporate entity that can vouch for their identities while conducting business-like transactions.

The management difficulty faced by chief information officers is how to effectively manage thousands of “trust” relationships with eBusiness partners. Not only must “chain of trust” agreements be in writing, but these agreements must also be maintained and enforced by covered entities. The business goal is to have a system that can support a wide community of users, all of whom maintain trust relationships with the main organization, which in turn administers those trust relationships.


Implementation Checklist

HIPAA Concerns

HIPAA is not merely an IT problem, it is a concern for the entire organization. As a department prepares to rollout a new eBusiness initiative, it can expect “push-back” from those forces within the company concerned with HIPAA compliance. The IT manager versed in HIPAA regulations will be well prepared to deal with other organizational members concerning HIPAA security and privacy issues. In a sense, the IT manager will be prudent to demonstrate to non-IT executives that HIPAA security and privacy features are embedded within the planned eBusiness initiative.

Be prepared to give an accounting of how HIPAA security and privacy concerns are being addressed in the eBusiness initiative: authentication, access control, role-based access control (RBAC), auditing, back-up of data and chain of trust agreements.

1. Web site access control

Plan for a centralized portal to enterprise information, using reduced or single sign-on authentication with user IDs and passwords as required by HIPAA (authentication). Plans to use digital certificates or hardware tokens should be thoroughly considered, as these technologies are still maturing and are not mandated by HIPAA.

Utilize role-based access control to present users with a customized HTML menu for easier navigation, and ensure that only the right people see the right information from Web-servers and applications located across the enterprise, a HIPAA requirement (RBAC).

Plan for administrators to centrally define, monitor, enforce and audit information security policies while delegating control back to departmental, branch or help-desk administrators, a HIPAA requirement (auditing).
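The identity-and-roles discussion above (“Who is visiting the site?”) and checklist item 1 rest on the same mechanism: a role grants a permission, a patient-scoped resource additionally requires a relationship between the user and the patient (the paper's example of a provider seeing only his own patients), and every decision is written to an audit trail. The following Python is an added example written for this page, not code from the paper or from OpenNetwork Technologies. The role names follow the paper (insured, physician, claims administrator, auditor); the permission table, the sample users and the `Authorizer` class are constructed assumptions.

```python
"""Role-based access control with a relationship check and an audit trail.

Added example for this page; not code from the paper or from OpenNetwork
Technologies. Role names follow the paper; the permission table, the
sample users and the class itself are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# (resource, action, scope) granted to each role. Scope "own" means the
# request must concern the user's own record or an assigned patient; scope
# "any" is organization-wide (e.g. a claims clerk working any claim).
ROLE_PERMISSIONS = {
    "insured": {("benefits", "view", "own"), ("claims", "view", "own"),
                ("ppo", "view", "own"), ("ppo", "change", "own")},
    "physician": {("benefits", "view", "own"), ("claims", "view", "own"),
                  ("medical_record", "view", "own")},
    "claims_administrator": {("claims", "view", "any"), ("claims", "update", "any")},
    "auditor": {("audit_log", "view", "any")},
}


@dataclass(frozen=True)
class User:
    user_id: str                       # for an insured, this is also the patient id
    roles: frozenset
    patients: frozenset = frozenset()  # patient ids assigned to a physician


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class Authorizer:
    """Decides requests against ROLE_PERMISSIONS and records every decision."""

    def __init__(self):
        self.audit_log = []

    def check(self, user, resource, action, patient_id=None):
        decision = self._decide(user, resource, action, patient_id)
        # Denials are logged too: repeated denials are what an auditor looks for.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "resource": resource, "action": action,
            "patient": patient_id, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, user, resource, action, patient_id):
        scopes = {scope
                  for role in user.roles
                  for (res, act, scope) in ROLE_PERMISSIONS.get(role, ())
                  if res == resource and act == action}
        if not scopes:
            return Decision(False, "no role grants %s on %s" % (action, resource))
        if "any" in scopes:
            return Decision(True, "organization-wide permission")
        # Only "own" scope remains: the relationship must be verified.
        if patient_id is None:
            return Decision(False, "patient-scoped request without a patient id")
        if patient_id == user.user_id or patient_id in user.patients:
            return Decision(True, "role permits and relationship verified")
        return Decision(False, "no relationship to patient %s" % patient_id)


def demo():
    """Runs constructed sample users through the authorizer; returns the audit trail."""
    auth = Authorizer()
    physician = User("dr_lee", frozenset({"physician"}), frozenset({"pat001"}))
    patient = User("pat001", frozenset({"insured"}))
    clerk = User("clerk7", frozenset({"claims_administrator"}))
    auth.check(physician, "medical_record", "view", "pat001")   # allowed
    auth.check(physician, "medical_record", "view", "pat002")   # denied: not her patient
    auth.check(patient, "ppo", "change", "pat001")              # allowed
    auth.check(patient, "medical_record", "view", "pat001")     # denied: role lacks it
    auth.check(clerk, "claims", "update", "pat002")             # allowed: "any" scope
    return auth.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry["user"], entry["resource"], entry["action"], entry["allowed"], entry["reason"])
```

The permission lookup and the relationship check are deliberately separate steps: a role alone never unlocks another patient's record, which is the point the paper makes about providers, and a request with no patient id is refused rather than treated as “all patients.”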

2. Decide on Standards-based Directory

HIPAA compliance is easier to demonstrate with a centralized managed directory for Web site authentication, access control, RBAC and auditing. Additionally, increased savings and efficiencies will be realized when establishing user accounts, changing permissions, allocating storage for eBusiness trading partners. One of the easiest ways to establish the directory is by integrating systems using the Lightweight Directory Access Protocol (LDAP). This standard is being widely adopted by enterprises both in and out of the healthcare industry and should make for higher compatibility and easier integration.

LDAP:

Provides a mechanism for passing text-based queries from an LDAP client to an LDAP server over the TCP/IP network protocol;

Is a specification of a protocol to allow users access to a directory;

Implements, in LDAPv3, Secure Sockets Layer (SSL) between an LDAP client and LDAP server, which is required under the present Internet policy of the Health Care Financing Administration (HCFA).

Organizations should also begin to define appropriate user metrics for the eBusiness application. In the case of accommodating millions of new users, it will be especially important to address capacity planning, back-up, response time and scalability. User roles should be defined; for example, insured, physician, claims administrator and auditor would be common roles. These roles will be required to effectively enforce role-based access control at runtime.
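Checklist item 2 says the directory is queried with text-based filters and that the roles defined for RBAC are what the application needs at runtime. The Python below is an added example for this page, not the paper's or any vendor's code: it parses a small LDIF fragment constructed here into an in-memory directory, evaluates LDAP text filters (the RFC 4515 form, limited to equality, substring wildcard, AND, OR and NOT) against it, and resolves a login name to role names taken from group membership. No LDAP server is contacted; the login value is escaped before it is placed in the filter so that a name such as `*` is looked up literally instead of acting as a wildcard. Attribute and group names are constructed assumptions.

```python
"""Resolving a login to roles through an LDAP-style directory search.

Added example for this page, not code from the paper. The directory is an
LDIF fragment constructed here and searched in memory (no LDAP server).
"""
import re

# Constructed sample directory: two people, roles modelled as group DNs.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: jdoe
memberOf: cn=physician,ou=roles,dc=example,dc=org

dn: uid=asmith,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: asmith
memberOf: cn=auditor,ou=roles,dc=example,dc=org
memberOf: cn=claims_administrator,ou=roles,dc=example,dc=org
"""


def parse_ldif(text):
    """LDIF -> list of entries, each a dict of lower-cased attribute -> list of values."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():
            entries.append({})
        else:
            attr, _, value = line.partition(":")
            entries[-1].setdefault(attr.strip().lower(), []).append(value.strip())
    return [e for e in entries if e]


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s):
    """Text filter -> tuple tree: ('=', attr, value), ('~', attr, parts) or (op, kids)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            kids = []
            while s[pos] == "(":
                kids.append(node())
            if s[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed %s at offset %d" % (op, pos))
            pos += 1
            return (op, kids)
        end = s.index(")", pos)
        attr, _, raw = s[pos:end].partition("=")
        pos = end + 1
        if "*" in raw:  # an unescaped asterisk is a substring wildcard
            return ("~", attr.lower(), [unescape(p) for p in raw.split("*")])
        return ("=", attr.lower(), unescape(raw))

    tree = node()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def matches(entry, tree):
    op = tree[0]
    if op == "=":  # case-insensitive equality, as for most LDAP string syntaxes
        return any(v.lower() == tree[2].lower() for v in entry.get(tree[1], []))
    if op == "~":
        pattern = "^" + ".*".join(re.escape(p) for p in tree[2]) + "$"
        return any(re.match(pattern, v, re.IGNORECASE) for v in entry.get(tree[1], []))
    kids = tree[1]
    if op == "&":
        return all(matches(entry, k) for k in kids)
    if op == "|":
        return any(matches(entry, k) for k in kids)
    return not matches(entry, kids[0])  # "!"


def search(entries, filter_text):
    tree = parse_filter(filter_text)
    return [e for e in entries if matches(e, tree)]


def roles_for_login(entries, login):
    """Sorted role names for a login, or None if it is unknown or ambiguous."""
    hits = search(entries, "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(login))
    if len(hits) != 1:
        return None
    # The role is the cn of each group DN: "cn=physician,ou=roles,..." -> "physician".
    return sorted(dn.split(",", 1)[0].split("=", 1)[1] for dn in hits[0].get("memberof", []))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(roles_for_login(directory, "jdoe"), roles_for_login(directory, "*"))
```

Against a real server the same `(&(objectClass=inetOrgPerson)(uid=...))` filter would be sent over the LDAP connection and the `memberOf` values read from the returned entry; the point of the local evaluator is to show why the lookup requires exactly one hit and why the login value is escaped before it becomes part of the filter text.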

Summary

Productivity will be increased and user perceptions of IT will be improved if information lookup is faster and consistent and if the information is accessible, secure and accurate. A unified directory service will streamline the process of finding the appropriate information regarding network devices, locations, customers and clients faster and more reliably.

With a high availability of systems and using open standards for interoperability, directory services will be easier to maintain and operate. Standardized schema and tree information will enable developers to design optimized search paths that will significantly reduce the time spent searching for and retrieving relevant data.

The deployment of a corporate directory service will address operational improvements in workflow and processes by allowing centralized administration of multiple client interfaces. This technology will make it easier to synchronize multiple directories, to add new organization-specific attributes, and to communicate and interoperate between applications.

This flexibility reduces the complexity of enterprise-wide directory services and promotes the use of interoperable (standards-based) applications and systems, as well as the design and deployment of a scalable infrastructure that will support enterprise-wide needs into the future.

The path to an effective eBusiness site requires a very complicated and detailed assessment of wants and needs on behalf of the organization and its users. Careful planning and strategy will allow organizations to create the most effective eBusiness possible with the least amount of headaches. Technology initiatives will always require a major investment of money and time in the development and implementation. However, creating an eBusiness will reward the organization with cost savings and reduced man-hours. The time to bridge the technology gap is now.

David Sweigert is the Director of HIPAA Programs for OpenNetwork Technologies. OpenNetwork is a leading developer of eBusiness and directory services software that is providing solutions to Blue Cross Blue Shield organizations across the country.