Wednesday May 15 2002

Web Services Solution for HIPAA Compliance

Using J2EE-based Web Services

Kapil Apshankar

The Health Insurance Portability and Accountability Act (HIPAA, The Act) is poised to become the next Year 2000 or Euro issue in terms of deadlines and revenue expenditures. What sets The Act apart from Y2K, however, is the geographical impact region - only the USA in this case. Just as solution providers are rising up after the economic downturn, this is a golden opportunity to both bring in new business and introduce new technologies into an otherwise legacy applications sector. This article looks at a J2EE-based Web Services methodology which can be used to provide industry standard solutions.

Introduction

The Act was passed by Congress in August 1996, and has two goals - improvement in system effectiveness, and protection of confidentiality. In an attempt to reduce healthcare costs and improve efficiency, The Act calls for simplification of administrative procedures and mandates health care organizations to implement standard formats for all transactions.

The Act clearly defines requirements for storing patient information before, during, and after electronic transmission. It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trail, and disaster recovery plans.

The major changes mandated by The Act cover the following five functional subgroups:

• Insurance Portability
• Medical Spending Accounts
• Medicare Fraud
• Tax Incentives
• Administrative Simplification

Apart from defining mandated transactions, The Act also sets severe penalties for non-compliance.

What The Act Covers

Any exchange of electronic data between two parties covered by the HIPAA legislation constitutes a transaction. The Act makes it compulsory for all such electronic transactions to conform to ANSI X12 EDI standards. The health care industry currently has more than 400 electronic data information (EDI) formats in use by various players.

The Act applies to all healthcare service providers handling personally identifiable healthcare information. This includes, but is not limited to, healthcare providers, payers, clearinghouses, and insurance companies.

The following are the major aspects of HIPAA that need to be addressed at any stage of a HIPAA solution:

1. Transactions
   The electronic transaction rule establishes standard data content and formats for submitting electronic claims and other administrative health transactions. See http://www.hcfa.gov/hipaa/hipaahm.htm for a detailed discussion of each of these standards. The implementation guides for these can be found at http://www.wpc-edi.com/hipaa/HIPAA_40.asp.
2. Medical Code Sets
   The Act defines Medical Code sets as any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnosis codes, or medical procedure codes. The code sets are classified into two taxonomies, administrative code sets and medical code sets.
3. Unique Health Identifiers
   The Act proposes unique identifiers for the providers, payers, individuals, and the health plan, being National Provider Identifier (both individual and organizational), National Health Plan Identifier, National Employer Identifier for Healthcare, and National Employer Identifier for Healthcare.
4. Security and Privacy Standards for Health Information
   Any information stored in an electronic format that allows an individual to be uniquely identified is secured as per HIPAA norms.
5. Electronic Signature
   The Act proposes adopting standards for the electronic transmission and authentication of signatures with respect to the respective transactions referred to in the law. For more information on this aspect of HIPAA compliance, see the following: http://houns54.clearlake.ibm.com/solutions/healthcare/helpub.nsf/detailcontacts/
   HIPAA_SECURITY_MATRIX.

For an indication of how many people are going to be affected by The Act, take a look at "Provider's HIPAA implementation points out policy strengths, areas of need", being the final instalment in a series from searchSecurity on HIPAA compliance, published 04 February 2002: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci799969,00.html

Why a Web Services Solution

Most of the bigger health organizations have their data on legacy systems. For such systems there are three solutions on the frontier to address the HIPAA mandates:

1. Make a complete migration to a HIPAA compliant platform.
2. Actually implement the changes in the existing system code.
3. Protect and utilize existing investments using Web Services.

Web Services can overcome integration problems across different systems running across different platforms. In the data interchange process XML can be used to integrate applications by minimizing effort previously required for data transformation across different platforms. Moreover, it's easily extensible, scalable, and highly portable.

Web Services are a very promising candidate for a solution to HIPAA compliance, since they enable application integration regardless of programming language or operating environment. Web Services concepts would introduce a single model for transaction, security, and so on. Moreover, business people would be able to visualize and design business processes and map process activities with Web Services without referring to technology.

With strong vendor support for tools and frameworks to develop, deploy, and implement Web Services, it's very important to understand the thought process behind using Web standards like UDDI, SOAP, and WSDL while implementing a HIPAA solution.

Why J2EE Platform

There are some compelling reasons why Sun Microsystems' Open Net Environment (Sun ONE) makes a viable business choice.

1. Comprehensive API suite
Sun ONE combines support for J2EE, XML, LDAP, and Web Services API. The J2EE standard at the core of Java enterprise computing includes a strong API support for building Web applications (Servlets and JSP), for architecting business components (EJB), and other ancillary standards like JNDI, JMS, Java RMI, and JCA.

2. Consistent Environment Security
Solaris is a highly secure operating environment for network servers and is a key component of Sun ONE. In scenarios where advanced security specifications need to be met, Trusted Solaris, a security-enhanced version of the Solaris Operating Environment can be employed.

3. Easy Integration of Additional Security Technologies
The J2EE Web Services solution for HIPAA can exploit the features of Java Card technology-based smart cards, Sun Ray thin client solutions, and Sun Professional Services in addition to the native platform security

High Level Architecture

Let us see the architecture of a typical form this solution will take:

In this solution, we provide wrapper functionality over the existing legacy applications. This is similar to the HIPAA accelerators provided by Microsoft for Microsoft BizTalk Server. The difference is that while they are available for the Microsoft platform, we have to develop them in the J2EE solution that we have been concentrating on.

Web Services can be used to handle transactions using medical code sets. They would also enable health identifiers to be uniquely identified. Electronic security features can also be implemented to ensure that security and privacy standards for health information are met. This architecture could take two forms:

1. Internal solutions would aim at making the system HIPAA compliant and interacting with the systems of business partners using Web Services.
2. External solutions would utilize specialized Web Services offerings by corporations to meet very specific and precise requirements. One example that comes to mind immediately is that of a specialized Web Service that deals with one particular medical code set.

Advantages of the Architecture

This Web Services architecture offers us the following advantages:

• Capitalize on existing investments: Web Services can make an existing healthcare system HIPAA complaint and avoid expensive code rewrites in the process.
• Portability: A Web Services solution is not only portable across platforms, it also facilitates cross technology integration.
• Scalability: Web Services are highly scalable components, supporting industry strength scalability requirements.
• Security: Security in Web Services is one issue that is being handled with the highest importance currently. The solution will definitely benefit as we go on incorporating the security standards as they become available. Since all the transactions are between trusted business partners, however, this is not an immediate concern. Solutions provided by VeriSign et al can be used for this purpose.
• Multiple client access: Web Services provide a huge and flexible capability for using multiple client access through a wide array of heterogeneous devices - palmtops, PDAs, and cell phones.
• Low costs: Web Services solutions are cheaper to develop, maintain, and upgrade. The HIPAA solution benefits from this substantially and increases the ROI.

Economics

The US Department of Health and Human Services estimates that The Act will cost the healthcare industry $4 billion and the Gartner Group expects that HIPAA compliance will cost around three times as much as Y2K compliance for the healthcare industry.

Let us compare the economic parameters associated with putting a HIPAA solution in place the traditional way and using Web Services:

Point of Comparison	Traditional Upgrade Solution	Web Services Solution
Cost to enter	High	Moderate
Cost to maintain	Very High	Low
Cost to upgrade	Very High	Low
Total Cost of Ownership	Very High	Moderate
Return On Investment	Low	Very High
Expertise Required	Very High	High
Ease of Implementation	Very Low	High
Timeframes	High	Moderate
Success Rate	Moderate	Very High

These costs prove that the payback period of such a solution is better than a conventional solution. The Web Services methodology also promises faster break-even point. What it also assures is that total compliance with The Act is possible even if someone were to start from scratch at so late an hour. The capability and maturity of the platform is ours for the taking.

Summary

J2EE has already overcome most of the effective distributed computing issues. By Q1 2003, SOAP and XML APIs will appear in the J2EE standard. Service providers can choose iPlanet and other third-party tools to implement Web Services solutions without a huge investment in developer expertise on Sun ONE.

The bottom line is that the XML SOAP wrappers no longer need to be hand coded. With full API support, it should become even easier to develop Web Services on the Sun platform. This means that any HIPAA solutions developed now would become far superior in their quality and after-deployment support by the time the legislation is enforced.

Whatever the solution, the interoperability of Web Services and the healthy competition between the two will ensure that the investments immediately made in either of them would protect investments and leverage existing applications for a long time to come.

The extended PDF version of this article is available now.

J2EE based Web Services Solution for Health Insurance Portability and Accountability Act Compliance by Kapil Apshankar
After covering the background in a little more detail, this paper looks more closely at a J2EE-based Web Service methodology using which industry standard solutions can be provided. Also included are the advantages and disadvantages of a J2EE solution as compared to a .NET solution using Web Services.

Adobe Acrobat format (PDF) - 83K
11 pages
Price: $10

Kapil Apshankar has over three years of experience in manufacturing, knowledge management, i18n and L10n domains. He is currently working with Web Services in all their forms and finding ways and means of taking this nascent technology to its limits. He is a freelance contributor for webservicesarchitect.com and works as a developer with a major software corporation in India.