Organizations don't change the way they work because of a new technology. More often, a change in circumstances leads to a situation that demands the use of that technology. How do outside pressures affect the application service provider (ASP) marketplace? Let's take a look at how the Health Insurance Portability and Accountability Act (HIPAA) could affect ASP opportunities in the United States. I talked to Jon Bogen, president of HealthCIO, a market research firm and consultant for information-technology suppliers to the healthcare industry.

What is HIPAA? The Clinton administration originally proposed the legislation in 1996 to make it easier for people to carry health insurance from one employer to another. Specifically, HIPAA said that a condition that developed while a person worked for one employer shouldn't become a preexisting condition when the person applied for health insurance with a new employer.

That was the original idea. As often happens with legislation, its premise has become more complicated. In 1998, the idea mutated when Health and Human Services (HHS) proposed insurance claims transaction standards. (HHS finalized the rules in August 2000, and companies must comply by October 2002.) The transaction issue got some media attention, and people became concerned about security, wondering just how much their present or former employers would know about their health. As a result, HIPAA developed a privacy component. President Clinton signed the privacy regulations in December 2000, and Tommy Thompson, the current HHS secretary, approved the privacy component in April 2001; it takes effect in April 2003. This legislation, by the way, doesn't introduce anything new; states already have privacy laws that govern who can see patient data. Instead, HIPAA creates federal guidelines that are consistent across all states.

What opportunities does HIPAA present for ASPs? According to Bogen, the legislation sets rules about minimum disclosure of information when information is passed between employers, but no one tells health-care organizations HOW to do this. In some situations, organizations have to share confidential information. People have different access levels to information—the treatment provider gets access to information that the lab technician doesn't. Providers have to ensure that they audit access in conformance with HIPAA guidelines, but they have to know the guidelines to work with them. Therefore, HIPAA creates two main opportunities for ASPs: claims management and training.

Bogen says that claims management is terrifically inefficient and that the US medical-loss ratio (money spent to provide health care) is 84 percent, in contrast to Canada's 3 percent. In the health-care field, 30 percent of labor costs go toward processing managed-care transactions. In short, health care is so fragmented and inefficient that the HIPAA rules can create efficiency, and an ASP that's experienced in the medical field is best placed to implement these rules. The ASP can concentrate on setting up a system that works and can duplicate what it learns from serving one customer when it serves the second, or the tenth, or the hundredth.

Training is a longer-term goal for ASPs. HIPAA will require that health-care organizations change their work flow and possibly introduce new staff. These organizations will also have to deal with new rules. An ASP that offers training in those new rules will be helpful to organizations that want to get up to speed before the compliance deadline of April 2003.

But this opportunity won't be wide open to just any ASP that asks for it. As Bogen points out, a lot of ASPs have tried to succeed in health care—and many of them have failed. ASPs need to offer a broad mix of services that include consulting, as opposed to just automating practices and handing a set solution off to the customer. They should concentrate on and be knowledgeable in the field. Finally, they must concentrate on offering services that would cost their customers money to provide themselves and wait for their customers to need those services (which means offering claims management now, but perhaps waiting until next year to offer training).

That's really the bottom line in this business, isn't it? No one spends money unless it will cost them more money NOT to spend it.