|
|
|
|
|
Will Y2K Become Healthcare's S&L Crisis?Steven H. Goldberg
Most healthcare providers and facilities are poorly prepared to face potential Year 2000 computer failures. According to the Gartner Group, an independent advisory to the information technology industry and a respected authority on Year 2000 compliance worldwide, 87% of healthcare organizations are "at some level of risk for experiencing mission-critical system failures by 2000." Gartner ranked the healthcare industry lowest in Year 2000 preparedness in a 17-country study.(2) A 1997 survey by the Healthcare Information Management Systems Society showed that 50% of the respondents had no Y2K budget and 25% had no project teams in place.(3) Another provider survey showed that 47% of respondents had not inventoried their information systems and 18% had taken no steps to achieve compliance.(4) But there are also more disturbing signs that the healthcare industry itself may be in the process of becoming a "failing institution" in much the same way that the nearly $1 trillion thrift industry was transformed by the savings and loan crisis of the early 1990's. Like the S&L crash, healthcare's lurch into Year 2000 will likely proceed by incremental degradation. But unlike the S&L situation, we can see now what institutional, political and regulatory shortcomings are leading to the seemingly inevitable decline. Of course, the analogy between healthcare and thrift institutions is an imperfect one. The savings and loan crisis primarily involved the loss of money, while widespread Y2K healthcare failures would also affect patient care and service delivery.(5) Moreover, the structure of the two industries is quite dissimilar, with banking being far more centralized and subject to more orderly governing mechanisms, which are in many respects a product of the hard lessons learned from the S&L experience. Some of those lessons in the financial sector have much to teach healthcare regulators, policy makers and executives. The S&L Crisis When the dust settled on the S&L debacle, some 75% of the 3,000 thrift institutions went bust or were merged into other, stronger organizations. In just a few years time, the industry lost more than one-half of its value, at a bail-out cost of $502 billion for a $900 billion industry. Many S&L executives went to jail. The reasons for the crisis were complex, but three key factors were (1) unsupervised lending in a hands-off regulatory climate, (2) loans made to businesses that were not credit worthy according to long-accepted industry standards and (3) widespread corruption by many S&L owners. Once the pendulum swung back from its farthest point of regulatory indifference and neglect, the collapse had broad social and institutional implications, including bitter political recriminations, severe regulatory retrenchment and tight money policies, all leading to the virtual end of the thrift industry as it had existed throughout the 20th century. One silver lining has been that financial regulators did not forget those lessons when they were confronted with the Year 2000 problem. Financial Regulators and Year 2000 In fact, financial regulators were among the first government officials to focus not only on their own vulnerable computer systems, but also on the technology and business risks facing the institutions under their jurisdiction. As the Wall Street Journal recently reported, "regulators, who have been prodding banks for about the past 18 months to keep their own computer systems up-to-date, have also started asking them to analyze their existing portfolios and loan applications for year 2000 credit risk."(6) The apparent reason for this expansive exercise of regulatory authority, never explicitly stated, is a commendable desire to avoid repeating past policy lapses in which billions of dollars were loaned to ventures that could not demonstrate their ability to meet their repayment obligations. The message of monitoring the Year 2000 compliance efforts of regulated banks and their loan customers has been communicated by the entire financial bureaucracy, including Federal Reserve President Alan Greenspan, the Federal Financial Institutions Examination Council ("FFIEC"),(7) Freddie Mac and Ginnie Mae, and even the Bank for International Settlements in Basle, Switzerland. Recognizing the considerable difficulty that banks would encounter in trying to assess their customers' Y2K work, the FFIEC issued an interagency statement on March 17, 1998, entitled, Guidance Concerning the Year 2000 Impact on Customers. The FFIEC also requires financial institutions to evaluate the Year 2000 readiness of their key information technology contractors, in accordance with a second interagency statement, Guidance Concerning Institution Due Diligence in Connection with Service Provider and Software Vendor Year 2000 Readiness. Together, these and other similar directives to federally-regulated banks provide detailed compliance checklists and mandated schedules and reporting requirements. But federal regulators are not merely sitting in Washington issuing bureaucratic edicts. The FDIC and its sister agencies recently completed Y2K examinations of every federally-regulated bank, and U.S. branch and agency of a foreign bank and the service providers that the Federal Reserve Bank supervises. The FDIC also issued a cease-and-desist order in November, 1997, to Putnam-Greene Financial Corp. of Eatonton, Georgia, a three-bank holding company with $209 million in assets for failing to make sufficient progress on its Y2K work. And on March 20, 1998, President Clinton signed the first federal Year 2000 statute into law, the "Examination Parity and Year 2000 Readiness for Financial Institutions Act," which, among other things, "extend[s] examination parity to the Director of the Office of Thrift Supervision and the National Credit Union Administration." Thus, financial regulators are earnestly endeavoring to assume active supervisory responsibility over every link in the Y2K chain for all important financial transactions upon which modern commerce depends. While serious concerns remain about the Year 2000 preparations of financial institutions, especially thousands of small- and medium-sized U.S. banks and many international banks, the financial services industry and its regulators are making an impressive effort. Healthcare and Year 2000 By any measure, healthcare is a beleaguered industry with far too much on its plate. Among the major issues occupying the attention of legislators, providers, payers, and consumers are increased fraud and abuse enforcement, industry consolidation and integration, federal and state consumer protection regulation of managed care, conversion of non-profit organizations to for-profit status, measurement and use of quality and outcomes data, medical staff credentialing, and privacy of medical records.(8) All of these demands are real and leave little room for focused attention on Year 2000. Moreover, federal regulators have not addressed the problem in the industry to any significant extent because federal health agencies are overwhelmed by their own Year 2000 compliance problems. In June, 1998, the House Subcommittee on Government Management, Information and Technology gave the Department of Health and Human Services a grade of "F" for Y2K readiness, down from a "D-" in March. HHS estimates that its mission-critical systems will not become compliant until 2003. It should come as no surprise, then, that the Year 2000 efforts of HHS and the Health Care Financing Administration (HCFA) appear to be focused almost exclusively on repairing their own computer systems and insuring the uninterrupted operation of the electronic interfaces necessary to process billions of Medicare and Medicaid claims and payments each year. Unlike their counterparts in the financial services industry, healthcare regulators have not provided any meaningful Year 2000 guidance to the insurers, fiscal intermediaries, providers, vendors, and contractors that provide and pay for healthcare services. For example, HCFA issued "Project Plan Guidelines - Year 2000 Modification" in November, 1997, that, regrettably, are just two pages of empty boxes. According to the guidelines, providers should "schedule the dates for deliverables and milestones." Deliverables should include "software, conversions, documentation, [and] training" and "Management considerations" should include "requirements management, project risk management, progress reporting, issues management, [and] contingency plan." But there are no guidance documents, compliance schedules, inspection plans or questionnaires, audit requirements, payment restrictions or other enforcement initiatives to give substance to these meaningless statements. Of course, HCFA knows how to provide such guidance and put muscle behind its priority programs. For example, its "Fiscal Intermediary Fraud Unit Procedures" provide 69 pages of detailed requirements for beneficiaries, contractors, providers, and peer review organizations, which are implemented by HCFA, the Office of Inspector General, the Department of Justice, the FBI, and state Medicaid fraud control units. Moreover, HCFA is not shy about assigning legal responsibility to the parties that disburse federal monies, as the following introductory statement from the fraud unit procedures document makes abundantly clear: "You are responsible for assisting Medicare in protecting the program's Trust Funds from those persons and entities that would seek payment for items and services under false or fraudulent circumstances ... Ensure that you make only appropriate payments and that you take appropriate steps to recover any mistaken payments. Suspension and denial of payments and the recovery of overpayments are only some of the sanctions available." No federal healthcare agency has issued any remotely similar directive concerning Year 2000 compliance. Certainly, there is nothing pleasant about the demanding efforts required to comply with the rigorous anti-fraud requirements imposed on healthcare providers.(9) But at least hospitals, laboratories, allied health agencies, and physicians know what is expected of them and the federal program has been effective in achieving its objectives, unlike Year 2000, for which no comparable program exists. Because healthcare providers are on their own when it comes to Year 2000, they confront formidable barriers to achieving compliance. Faced with the pressures of financial survival and consolidation, acute financial strain and more immediate regulatory obligations, providers encounter the problem with no standards or guidelines, daunting embedded systems challenges(10) and excessive dependence on a vulnerable supply chain. Their liability exposure is correspondingly high should Y2K problems cause or contribute to personal injury or death arising from a failure "to use reasonable care in the maintenance of safe and adequate facilities and equipment [or] to formulate, adopt and enforce adequate rules and policies to ensure quality care for the patients."(11) As the Gartner Group recently observed, "[w]hen compared to all other industries, health care already has more litigation than anywhere else in the world."(12) Evolving Standards of Liability and "Corruption" As 2000 approaches, the political, regulatory and legal outlook for a healthcare industry in crisis is uninviting. It is difficult to imagine that injured consumers, their elected representatives and even the same federal regulators who have fallen so far short in their own compliance efforts will not count managed care organizations and for-profit healthcare chains among the parties responsible for any Y2K failures that might come to pass. Expansive language in existing statutes and regulations covering quality assurance, accreditation, safety, risk management, and many other areas in which healthcare is otherwise closely controlled will likely be stretched even further to fashion legal duties that have never been explicitly recognized. As one judge observed in an important securities fraud case, there is "an increasing tendency, especially under federal law, to employ the criminal law to assure corporate compliance with external legal requirements, including environmental, financial, employee and product safety, as well as assorted other health and safety regulations."(13) An industry that has seen sloppy bookkeeping become the subject of administrative sanctions and criminal prosecution for fraud, waste and abuse should not be surprised to see similar treatment of avoidable Y2K-related failures, especially if cost-cutting measures contribute to compromised patient care. Given that information about the Year 2000 problem is now widely reported, relaxed legal standards could come into play under such statutes as the False Claims Act, which prohibits "knowingly" submitting a claim or making a false statement to obtain payment of a false or fraudulent claim, but defines "knowing" to include acting in reckless disregard of the truth or falsity of the information provided. Looking back to the major contributing elements of the S&L crisis, it is not difficult to find in healthcare's incipient Year 2000 crisis two of the three main ingredients: a "hands-off" regulatory policy and public funding unrestricted by progress toward Y2K readiness. The third factor - corruption - might appear absent. But corruption ain't what it used to be. While some S&L executives once engaged in outright bribes and kickbacks, persons accused of white collar crime today often commit hazier acts of "influence peddling" or even common regulatory infractions that catch the fancy of creative prosecutors. As the U.S. Court of Appeals for the First Circuit observed in a novel mail fraud prosecution of a lobbyist for paying for golf and meals for public officials in violation of two state statutes that until then had only been punished by civil fines of not more than a few thousand dollars: "... while we are somewhat concerned about the lack of fair warning of a prosecution such as this one, we see no legal basis for precluding the government from embarking on what is in practical terms an expansive reading of the federal statutes."(14) What starts out as a garden-variety regulatory violation can quickly become much more. In the case of the healthcare industry's unsatisfactory response to the looming Year 2000 crisis, a foundation of public and political hostility already exists toward corporate healthcare. If foreseeable technology failures bring about an appreciably worse state of affairs, politicians, regulators and prosecutors stand ready to appease public outcries. It is not too late for healthcare to adopt a vertical industry approach to the Year 2000 problem, as technology companies, banks, utilities, auto makers, securities dealers, accountants, insurance companies, and retailers have already begun to do. A continued failure to take appropriate measures to protect what financial regulators would call the "safety and soundness" of thousands of healthcare institutions in this country spells trouble for a $1.8 trillion regulated industry. If a company will soon be unable to get a bank loan without establishing its ability to meet its repayment obligations after 2000, how can it be that America's hospitals, nursing homes, clinics, laboratories, and other providers of vital healthcare services can receive billions of federal dollars without answering a single question about their ability to function safely and reliably less than eighteen months from now? August, 1998
1. Martin Lowy, High Rollers - Inside the Savings and Loan Debacle (Praeger 1991). 2. "Gartner Study Sounds Alarm on Global Y2K Glitches," @Computerworld (Sept. 24, 1997). 3. HIMMS Annual Conference, San Diego, Calif., Feb. 17, 1997 (200 responses). 4. Third Annual Health Care Technology Survey, Gordon & Glickson, P.C., Feb. 1997 (146 responses). 5. In focus groups conducted by the Rx2000 Solutions Institute, 67% of the respondents strongly agreed and 25% agreed that "Year 2000 issues have the potential to negatively impact the quality of health care." Even more disturbing, 58% agreed and 25% strongly agreed that "Year 2000 issues have the potential to create errors that lead to unnecessary deaths." See Joel M. Ackerman, Rx2000 Solutions Institute, "Prudent Paranoia" (Sept. 1997), available on the Internet at http://www. rx2000.org/Prudent.html. 6. "Banks Could See a Rise in Loan Losses Due to Year 2000 Computer Glitches," Wall Street Journal, March 18, 1998. 7. The Federal Reserve Board of Governors, the Comptroller of the Currency, the Federal Deposit Insurance Company, the Office of Thrift Supervision, and the National Credit Union Admistration comprise the FFIEC. 8. BNA Health Law Reporter (Jan. 1998). See also, Setting Foundations for the Millennium: An Assessment of the Health Care Environment in the United States, Deloitte & Touche and Veterans Health Administration (March 1998) (identifying key healthcare trends, including: Upward Cost Pressures, Efficiency and Productivity of the Health Care System Increases, Managed Care Growth Continues Apace, Consumer Voice Is Getting Louder, Government Captures Savings and Offers Choice, Doctors Remain a Wild Card, Technology Investment Grows, and Quality Takes Center Stage). 9. Indeed, the Associated Press recently reported that, "[t]he Justice Department, responding to complaints of harassment from hospitals, has issued new guidelines limiting how federal prosecutors can pursue alleged Medicare fraud. The revisions followed complaints from hospitals and lawmakers that overzealous prosecutors were going after innocent billing mistakes through the False Claims Act, which allows triple damages and fines of up to $10,000 for defrauding or seeking to defraud the government." "US Limits Probes of Medicare Fraud," Boston Globe, p. A9, June 6, 1998. 10. Embedded chips are non-programmable microcircuits that are "hard wired" into other pieces of equipment that may be critical to patient services or hospital operations, many of which include date calculations in their programming logic. The equipment in which the chips are embedded often is not under the control of the information technology department but usually is the responsibility of the vendors who supply and maintain them for diverse operational units of the hospital. Embedded chip systems that should be tested for Year 2000 vulnerability include medical devices and equipment, monitoring and control systems, environmental and safety equipment, fire alarm and suppression systems, security systems, telecommunications equipment, and building infrastructure. 11. See Thompson v. Nason Hospital, 591 A.2d 703, 706-707 (Pa. 1991). 12. Lou Marcoccio, Gartner Group Year 2000 Research Director, Year 2000 Law Report, (Bureau of National Affairs, April 1, 1998). 13. In re Caremark International Inc. Derivative Litigation, 1996 WL 549894, *10 (Del. Ch., Sept 25, 1996). 14. United States v. Sawyer, 88 F.3d 713, 742 (1st Cir. 1996).
shg@tiac.net http://www.2000legal.com © 1998 Steven H. Goldberg |
