Strategic Planning, M. Duncan, J. Gabler, J. Young, J. Klein Research Note 9 December 2002 Healthcare Predictions for Executives and Strategists Business and IS executives as well as business and IS managers must respond to HIPAA compliance, external sourcing, IT spending and risk analysis issues in 2003. Core Topic Healthcare: Healthcare Business Drivers, Strategies and Management Issues Key Issue How will successful healthcare organizations measure, align and deploy IT to realize value from IT investments? Strategic Planning Assumptions By October 2003, fewer than 50 percent of the specified HIPAA transactions done electronically will conform to the HIPAA standards (0.9 probability), but, by October 2005, 95 percent of the specified HIPAA transactions done electronically will conform to the HIPAA standards (0.8 Given industry resource limitations, increasing healthcare costs and continued reimbursement challenges, 75 percent of healthcare organizations will externally source at least one IT function by 2004 in an effort to more efficiently manage their enterprise infrastructures (0.7 Through 2005, healthcare industry spending on external IT professional and support services will increase between 10 percent and 15 percent per year, but spending on internal IS staffs will increase less than 5 percent per year (0.8 By year-end 2004, 50 percent of healthcare organizations and pharmaceutical companies will add risk analysis (risk exposure/risk avoidance) to traditional financial analysis to determine the value and benefit of their IT applications (0.8 Change will accelerate throughout 2003 as the U.S. Health Insurance Portability and Accountability Act (HIPAA), sourcing, and business value combine to force a much higher degree of alignment between IT investments and business management. "If you build it, they will come" may be true in movies, but reality requires real, tangible value for people to accept and use new applications. This focus on linking investments to their delivered value will mature the IS organization's role in healthcare organizations (HCOs), but this maturation will not happen overnight. HIPAA and its derivatives will drive much of the change, but we believe that fully achieving the value HIPAA has the potential to deliver will take years. Focusing on the business value that can be and is obtained from IT investments is the first step in this maturation process; otherwise, the only visible target will be cost cutting. Prediction: HIPAA deadlines (14 April and 16 October 2003) are mere stopovers on the road to compliance. The HIPAA regulations are not an irresistible force in 2002 and 2003 and the healthcare industry is not an immovable object, although movement is slow. The privacy regulation becomes mandatory on 14 April 2003, and HCOs today vary greatly in their states of readiness. Since enforcement will initially be geared to the most egregious violators, the best benchmark for near-term compliance is not the standard itself, but the relative compliance of other HCOs, particularly those that share common state regulations. HCOs must focus on determining their peers' status and addressing their own high-priority vulnerabilities. Beyond 2003, federal government enforcement will ramp up, and indirect enforcement of errors and omissions insurance by accrediting agencies and carriers will become an increasingly important factor, so Gartner Entire contents 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
compliance efforts do not end on 14 April 2003, they just enter a new phase. Although many covered entities did not file for a transaction extension under the Administrative Simplification and Compliance Act (ASCA), the healthcare industry will behave as if everyone did. ASCA requires transaction testing to begin on 16 April 2003 and compliance becomes mandatory on 16 October 2003. The April testing deadline will not be significantly enforced. The Centers for Medicare and Medicaid Services, in its role as the enforcer of the transaction regulation, has signaled that it plans to carry out a "kinder, gentler" approach to enforcement that will not penalize HCOs that are not fully compliant on 16 October 2003. An HCO's problem is to determine which trading partners, transactions and modalities (for example, electronic data interchange vs. the Web) should become compliant first, how much reliance on clearinghouses is feasible or advisable, and how to minimize the disruption of a mass conversion to the electronic data interchange standard. The HCO that does the "least badly" in this chaotic time will be ahead in compliance costs and revenue flow, and in improved business relationships with trading partners. By October 2004, HCOs that fail to perform the specified HIPAA transactions electronically in HIPAA formats will face fines or other economic consequences that erode their competitive positions (0.8 Pharmaceutical firms while perhaps not the original target of the HIPAA privacy regulations should also examine their privacy policies under the "business associate rule." Pharmaceutical companies are often involved in patient treatment programs and they collect health information during clinical trials or through online care management programs. Covered entities must be concerned about their business associates' compliance and they will want to work with pharmaceutical companies that have a plan for properly obtaining and using health information. As is the case with payers and providers, the greatest penalty from noncompliance may not be the fine, but the loss of consumer trust. By October 2003, fewer than 50 percent of the specified HIPAA transactions done electronically will conform to the HIPAA standards (0.9 probability), but, by October 2005, 95 percent of the specified HIPAA transactions done electronically will conform to the HIPAA standards (0.8 9 December 2002 2
Impact on 2003: This often-told story can serve as a parable for HIPAA compliance "Two hikers in the wilderness come upon a bear and start to run. Seeing the bear give chase, one hiker yells ahead to his friend, 'you can't outrun a bear!' His friend shouts back, 'I don't have to outrun the bear, I only have to outrun you.'" HCOs that fail to achieve good-faith compliance with HIPAA privacy by 16 April 2003 and do not continue to actively work on transaction compliance will escape major consequences in 2003, but they will be positioning themselves at the back of the pack, where the "bears" of HIPAA enforcement will selectively attack. Reacting in 2003: HCOs must not back off on their HIPAA compliance efforts in 2003 because they know they cannot finish on time or because enforcement delays limit their exposure. They must work diligently to bring their compliance efforts to closure, even as the work extends beyond the original 2003 deadlines. Prediction: Reliance on outside sourcing options continues to increase. Controlling IT costs is becoming so critical to HCOs' survival that turning complete ownership of the IS organization over to IT outsourcers is often undertaken in desperation, or at least prematurely. Outside sourcing is a deceptively attractive "quick fix," especially when executives and boards of directors believe that IT investments have failed to deliver expected business value. When well planned, the use of outside sourcing for IT provides better access to IT services and reduces distractions from an HCO's focus on core competencies. When it is undertaken prematurely, costs and chaos will likely increase. Given industry resource limitations, increasing healthcare costs and continued reimbursement challenges, 75 percent of HCOs will externally source at least one IT function by 2004 in an effort to manage their enterprise infrastructures more efficiently (0.7 Impact on 2003: Although healthcare has traditionally been averse to the extensive use of outside consultants and outside sourcers for a number of business and cultural reasons, we expect that the HIPAA mandates, the increasing complexity of e- health and clinical system initiatives, rapidly evolving technologies, and limited resources will be the dominant drivers of an IT sourcing boom in the industry. Reacting in 2003: We recommend that all HCOs seriously evaluate internal resource allocation to align IT objectives with the enterprise business to determine immediate and mediumterm sourcing needs. HCOs must develop a comprehensive 9 December 2002 3
strategy to select and manage internal and external sourcing options, and to derive sustainable long-term business benefits from their sourcing relationships. They must evaluate new sourcing models, such as the use of application service providers, business service providers and staff augmentation models, to fully optimize their IT value and service levels. Prediction: Healthcare spending on outside IT services will soon surpass internal staffing costs. As reliance on outside sourcing increases, spending on outside services will also increase. Rather than managing an internal staff with its accompanying recruitment and retention issues, HCOs will contract with outside sourcing vendors for most of their IT-related services. It naturally follows that healthcare IT spending will shift from internal costs to outside expenses. Through 2005, healthcare industry spending on external IT professional and support services will increase between 10 percent and 15 percent per year, but spending on internal IS staffs will increase less than 5 percent per year (0.8 Impact on 2003: The importance of external IT sourcing is changing healthcare IT budgeting. Increasingly, traditional capital expenditures and hardware (which depreciate over time) are being replaced by external labor-based services in the form of maintenance contracts and temporary professional staff. HCOs are managing an internal IS staff that often has significant staff vacancy and new retention pressures, due to attractive external IT employers. Reacting in 2003: HCOs must reshape their IT strategic planning and budgeting processes to accommodate these new internal and external pressures. Sophisticated providers should combine prioritization of new technology initiatives with relevant staffing plans to ensure that resources are allocated effectively. Increasingly, healthcare providers will turn to strategic sourcing solutions to better leverage capabilities. Before providers enter into these arrangements, they should clearly understand their costs of operation. There is no doubt that both business and IT pressures will force many healthcare providers to use external consultants and strategic sourcing services. This, in turn, will require a different strategy for IT budgeting for many healthcare providers. HCOs must take both vendor and project management responsibilities into account when developing resource plans and associated budgets. Finally, HCOs must develop more business-functionspecific and application-specific cost benchmarks to understand the benefits of IT sourcing. 9 December 2002 4
Prediction: Healthcare IT spending must show business value. HCOs and pharmaceutical companies have struggled to validate the benefit of their investments in IT solutions. Proof statements around tangible financial return on investment approaches, while more established for financial and administrative applications, have been more elusive for clinical applications. By year-end 2004, 50 percent of HCOs and pharmaceutical companies will add risk analysis (risk exposure/risk avoidance) to traditional financial analysis to determine the value and benefit of their IT applications (0.8 Impact on 2003: The HCOs and pharmaceutical companies must be able to assess their readiness to undertake an IT initiative and to successfully deliver the projected business value. The more closely a business change project meets the needs of the areas deemed most important by the enterprise, the more likely it is that it represents a proper investment for that organization. Business change projects that cannot demonstrate business value will not be funded. Reacting in 2003: A complete total value of opportunity (TVO) analysis can be used to clearly identify and demonstrate business value from IT investments for example, an enterprise that is focused on efficiency and projects with low risk and direct payback will likely not find newer, more-experimental technologies a good idea. Other enterprises that quickly need to find competitive differentiation through innovation or new open markets will find IT experiments more attractive because they will likely be more risk-tolerant and experimentation will be more aligned with their business strategies and expected return on investment. Acronym Key ASCA HCO HIPAA TVO Administrative Simplification and Compliance Act Healthcare organization Health Insurance Portability and Accountability Act Total value of opportunity Bottom Line: In 2003, IT costs will be targeted for reduction unless HCOs leverage regulations and economic constraints for their potential business value. HIPAA and security can be viewed negatively or as an opportunity. IS organizations must mature into their business role or face replacement with outside services that can provide adequate value at a predictable cost in 2003. Gartner predictions are a useful guide for navigating the changes that are already challenging the healthcare industry. 9 December 2002 5