MANAGING "YEAR 2000" BUSINESS AND LEGAL RISKS FOR HOSPITALS AND HEALTH CARE SYSTEMS

 

------------------------------------------------------------------------

 

Steven H. Goldberg
Cosgrove, Eisenberg & Kiley, P.C.
One International Place, Suite 1820
Boston, MA 02110
Phone: 617.439.7775 -- Fax: 617.330.8774
E-mail: shg@tiac.net -- Web: www.2000legal.com

 

 

OVERVIEW

 

 

The Year 2000 (or "Y2K") computer problem -- that is, the inability of most computers to process date information later than December 31, 1999 -- is much more than just a computer problem. In the case of hospitals and health care systems, Y2K problems originating from both internal and external sources are likely to threaten the whole institution, not just those departments that are concerned directly with information technology. Unrectified, Year 2000 failures could compromise patient care, disrupt core business functions and create substantial liability exposure. To effectively address the problem, boards of directors, chief executives and other senior officers and managers must sponsor and actively support comprehensive risk management strategies across all business units.

 

 

Among the factors that pose significant business and legal risks to hospitals and health care systems in connection with Year 2000 failures are the following:

 

• the responsibility to protect life and health;

• a heavy dependence on technology in general, as well as medical devices and other equipment containing date-sensitive embedded chips, and outsourced products and services;

• the electronic exchange of information with insurers and claims processors, physician practices and affiliated institutions;

• a complex regulatory environment;

• industry consolidation;

• acute financial pressures; and

• a late start in preparing to achieve Y2K compliance.

 

 

This paper addresses the following questions: (1) What is the Year 2000 problem and how serious is it? (2) What are the Y2K business and legal risks facing hospitals and health care systems? (3) How can those risks be managed effectively?

 

 

THE YEAR 2000 PROBLEM

 

Simply put, Y2K is the legacy of saving scarce and expensive computer space. Today, it costs about ten cents per month to lease one megabyte of computer storage space. But in 1963, the cost was $175/month (in 1995 dollars), approximately one million percent higher.(1) In order to save precious computer storage space, programmers used only two digits to code years, such as "69" for 1969. Unless these programs are changed, they will interpret the year "00," that is, 2000, as 1900.

 

 

When that happens, some computers won't work at all and others will suffer critical calculation and other processing errors. For example, a person who was born in 1935 will turn 65 in 2000, but a computer that is not Year 2000 "compliant" would subtract 1935 from 1900 and determine the age to be -35 (or possibly 35). Sorting and sequencing errors could scramble chronological patient histories and schedules for lab tests, admissions, surgeries, and office appointments. New perishable goods could be rejected by automated inventory systems as being 100 years old and current accounts could be canceled because receivables were thought to be 100 years overdue. Equipment with computerized maintenance or calibration schedules could be taken out of service automatically. Other business functions that Y2K failures could disrupt include invoicing, shipping, license renewals, employee compensation and benefits, electronic data interchange, building systems, power generation, and claims processing.
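The age and sequencing failures described above, reproduced as an added example that is not part of the original paper. The function names, the sample records and the pivot value of 50 are assumptions made for illustration; date windowing is shown as one common repair, not as a method the paper prescribes.

```python
# Constructed sample records: (YYMMDD date key, event). Not real patient data.
HISTORY = [
    ("991230", "admission"),
    ("000103", "lab test"),
    ("991231", "surgery"),
    ("000110", "follow-up"),
]

def legacy_age(birth_yy, current_yy):
    """Non-compliant logic: every two-digit year is assumed to be 19yy."""
    return (1900 + current_yy) - (1900 + birth_yy)

def legacy_sort(records):
    """Non-compliant logic: order by the raw YYMMDD key, so '00' precedes '99'."""
    return [event for _, event in sorted(records)]

def expand_year(yy, pivot=50):
    """Windowing repair: yy below the pivot is 20yy, otherwise 19yy.
    The pivot (50 here) is an assumed value and must suit the field's range."""
    if not 0 <= yy <= 99:
        raise ValueError(f"not a two-digit year: {yy}")
    return (2000 if yy < pivot else 1900) + yy

def windowed_sort(records, pivot=50):
    """Order by the expanded four-digit year, then by month and day."""
    def key(record):
        stamp = record[0]
        return (expand_year(int(stamp[:2]), pivot), stamp[2:])
    return [event for _, event in sorted(records, key=key)]

def age_from_birth_yy(birth_yy, current_year):
    """Birth years span more than a fixed 100-year window comfortably allows,
    so anchor the window on the current year: a birth year cannot be in the
    future. Anyone aged 100 or more is still misread, which is why storing
    four-digit years is the only complete repair for this field."""
    birth_year = current_year - current_year % 100 + birth_yy
    if birth_year > current_year:
        birth_year -= 100
    return current_year - birth_year

if __name__ == "__main__":
    print("legacy age, born '35', year '00':", legacy_age(35, 0))
    print("legacy order:  ", legacy_sort(HISTORY))
    print("windowed order:", windowed_sort(HISTORY))
    print("repaired age:  ", age_from_birth_yy(35, 2000))
```

A fixed pivot of 50 would expand a birth year of "35" to 2035, so the same window cannot be applied blindly to every date field.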

 

 

Gartner Group estimates that converting computer systems to handle 21st century date information will cost $400-$600 billion worldwide.(2) Software Productivity Research, Inc. puts the total cost, including software, hardware and database repairs, plus litigation and damage awards, at more than $1.6 trillion.(3) Money aside, industry analysts agree that there is little prospect that serious Year 2000 failures can be avoided entirely. Although reprogramming date codes is not difficult in isolation, locating and repairing two-digit dates contained in millions or tens of millions of lines of code poses an enormous project management challenge. According to Software Productivity Research, 22% of the best-managed information technology projects are late, while 85% of the worst-managed projects are late and 40% are canceled.(4) Gartner Group estimates that 90% of all computerized applications will fail without Y2K corrective measures.(5) It is safe to assume that fixing virtually every program in the world in just two years will not be completed right on time or without substantial errors.

 

 

Year 2000 problems have already begun to crop up as enterprises start to enter post-1999 date information into their systems. Examples include rejection of credit cards with "00" expiration dates(6) and insurance claims for policies expiring after 1999, and the inability to schedule patient appointments in 2000.(7) Early failures can also be expected in scheduling maternity services for pregnancies coming to term in early January, 2000, contracting and purchasing goods and services for delivery after 1999, and developing multiple-year capital budgets.

 

 

Moreover, because of the unprecedented scope of the millennium problem, long lead times are required to assess, correct and test automated systems. Meriter Hospital, a 515-bed facility in Madison, Wisconsin, reports that it has taken two years to bring its systems into compliance.(8) The University of Maryland Medical System must evaluate 29 mission-critical clinical software applications, over 15,000 medical devices from approximately 2,000 vendors, more than 2,000 suppliers of goods and services and 5,000 personal computers, and the entire hospital infrastructure, including elevators, security, chillers, and HVAC.(9)

 

 

Because of the number, complexity and interdependence of these internal and external hardware and software products and services, testing and debugging alone will often require one full year and comprise up to one-half of total Year 2000 conversion costs. J.P. Morgan Securities, Inc. believes that, for many business organizations, "triage will be the key activity during most of 1997, as corporate executives organize resources to address their top-priority problems and seek expedient methods of addressing less critical systems."(10)

 

 

In general, the Year 2000 readiness of the health care industry is not encouraging. One recent survey showed that 50% of the respondents had no Y2K budget and 25% had no project teams in place.(11) Another showed that 47% had not inventoried their information systems and 18% had taken no steps to achieve compliance.(12)

 

 

YEAR 2000 BUSINESS AND LEGAL RISKS FACING HOSPITALS

 

It is highly unlikely that the impact of serious Y2K computer failures will be limited to information technology systems alone. Hospitals and health care systems must anticipate and plan for four broad categories of business and legal risks: operational disruptions, financial losses, business failures, and liability exposure.

 

 

Operational Disruptions

 

 

Health care facilities will be exposed to operational disruptions caused by failures in computer systems, embedded chips, business dependencies, and public infrastructure.

 

 

Computer systems failures like those already described can occur in the organization's own information systems, as well as in the systems of third parties upon which the institution relies.

 

 

Embedded chips are non-programmable microcircuits that are "hard wired" into other pieces of equipment that may be critical to patient services or hospital operations, many of which include date calculations in their programming logic. The equipment in which the chips are embedded often is not under the control of the information technology department but usually is the responsibility of the vendors who supply and maintain it for diverse operational units of the hospital. Embedded chip systems that should be tested for Year 2000 vulnerability include:

 

 

• medical devices and equipment, including infusion pumps in intravenous drips, heart defibrillators, pacemaker and intensive care monitors, MRIs, CT scans, dialysis, chemotherapy and radiation equipment, and laboratory, radiology and other diagnostic systems;

• monitoring and control systems, including environmental and safety equipment;

• fire alarm systems, including detection, sending, receiving, and suppression units;

• security systems, including sending and receiving units, video and surveillance systems, and badge readers;

• telecommunications equipment, including telephone switching equipment, call management systems, pagers and cellular phones; and

• building infrastructure, including HVAC, energy management and lighting controls, emergency generators and lighting, uninterruptible power supplies, and elevators.(13)

 

 

In June, 1997, the Center for Devices and Radiological Health of the Food and Drug Administration informed medical device manufacturers that "some computer systems and software applications currently used in medical devices, including embedded microprocessors, may experience problems beginning January 1, 2000 due to their use of two-digit fields for date representation."(14) It is important to test these devices to determine whether they will have operational, calibration, reporting or other problems after 1999.

 

 

Business dependencies pose external Y2K operational risks. Even if a hospital takes care of its own Year 2000 problems, it may still experience business interruptions if third parties upon which it depends fail to do so. Health care systems cannot function effectively without reliable support from medical insurance payers, claims clearinghouses, banks, and suppliers of hundreds or thousands of other goods and services, all of which are potentially vulnerable to Y2K failures.

 

 

Public infrastructure failures are also possible. Hospitals cannot operate without power, water or police and fire protection. Public transportation is essential to many employees and patients.

 

 

Financial Losses

 

As the health care industry continues to consolidate and cut costs, institutions face increasing financial pressures. Year 2000 failures by providers or payers could result in late, miscalculated or rejected claims for payment. Also, the direct costs of making computer systems compliant are increasing dramatically in a sellers' market of Y2K vendors and consultants. Economic losses may occur in the form of decreased market share, reduced acquisition value (due to an unreliable information infrastructure) and, as the trend toward public ownership accelerates, lower stock values.

 

 

Business Failures

 

Year 2000 problems will also cause a certain number of business failures, particularly among mid-sized companies. Software Productivity Research estimates that 5-7% of corporations with 1,000 to 10,000 employees might fail.(15) Gartner Group believes that some 30% of organizations will not have mission-critical, customer-focused computer applications ready in time.(16) Ulrich and Hayes predict that 25-50% of all organizations will not get the job done by 2000.(17) Such total or partial business failures are likely to trigger multiplier effects.

 

 

Liability Exposure

 

It should come as no surprise that lawsuits will follow Year 2000 failures. Hospitals and their key decision-makers may face malpractice claims, personal injury and wrongful death suits, actions against directors and officers, enforcement of licensing, accreditation and other regulations, and, for publicly-held corporations, shareholder suits. Directors and officers must be particularly careful to avoid personal liability for failing to exercise due diligence and reasonable business judgment in connection with foreseeable Year 2000 problems. In addition, if Y2K expenditures or problems may be considered "material" to the business of the hospital or health care system, disclosures may have to be made to accountants, auditors, shareholders, business partners, and regulators to fulfill fiduciary or other legal obligations in certain kinds of transactions.

 

 

YEAR 2000 RISK MANAGEMENT

 

First and foremost, Year 2000 risk management requires active executive involvement to provide adequate financial and human resources and sustained effort across the enterprise. Once senior management support is secured, hospitals must systematically assess their Y2K business and legal risks and develop comprehensive compliance plans.

 

 

A business risk assessment should first inventory internal information technology systems, as well as embedded chips and third-party dependencies. The inventory should be cross-referenced to the patient services, projects and business functions the technology supports. Potential system failures should then be evaluated in terms of expected timing, consequences and criticality.

 

 

A Year 2000 legal audit should inventory and evaluate existing contractual and other legal rights, obligations and remedies as they relate to the identified business risks, particularly those that are high-risk and mission-critical. The dual objectives of the legal audit are to determine whether vendors, service providers, insurers or other third parties might be responsible for correcting certain Y2K problems or bearing some or all of the cost, and to identify where the hospital and its officers might face legal exposure.

 

 

A due diligence plan along the following lines should then be developed and managed aggressively:

 

 

• track third-party compliance efforts;

• develop Y2K contracting and purchasing policies;

• prepare contingency and disaster recovery plans;

• disclose material Year 2000 contingent liabilities, as may be required;

• notify insurers of potential claims;

• document compliance efforts;

• prepare for litigation by and against the hospital; and

• provide directors and officers with information they need to comply with fiduciary duties and regulatory responsibilities.

 

 

CONCLUSION

 

In order to preserve quality patient care, maintain business operations and avoid liability, hospital directors, officers and managers must develop and implement systematic risk management strategies in the short time remaining to meet the Year 2000 challenge. Exercising due diligence on all fronts to prevent or minimize Y2K failures must become a priority for all health care institutions.

 

 

September, 1997

 

 

------------------------------------------------------------------------

 

 

This publication is provided for educational and information purposes and is not intended as legal advice. Readers should not act upon this information without professional legal counseling based on specific facts. This publication may be considered advertising under the rules of the Massachusetts Supreme Judicial Court.

 

© 1997 Steven H. Goldberg. All rights reserved.

 

1. Kappelman & Scott, "Accrued Savings of the Year 2000 Problem," Year 2000 Problem: Strategies and Solutions from the Fortune 100, p. 53 (Int'l. Thomson Computer Press 1997).

2. Ulrich & Hayes, The Year 2000 Software Crisis, p. 7 (Prentice Hall 1997).

3. Capers Jones, Software Productivity Research, Inc., The Global Economic Impact of the Year 2000 Problem, p. 58 (Jan. 23, 1997).

4. Kappelman, "Reducing the Risks of Year 2000 Projects," Year 2000 Problem: Strategies and Solutions from the Fortune 100, p. 74 (Int'l. Thomson Computer Press 1997), referencing Capers Jones, Software Productivity Research, Inc., "The Impact of Software Cost Estimating on Projects that Fail or Succeed," Knowledge Base, 5.1 (Jan. 1996).

5. Kappelman, Year 2000 Problem: Strategies and Solutions from the Fortune 100, p. 4 (Int'l. Thomson Computer Press 1997), referencing Hall & Schick, Gartner Group, "The Year 2000: Solutions for Today ... and Tomorrow," Conference Presentation Notes (June 19, 1996, Dallas, Texas).

6. Year 2000 credit card failures have become the subject of litigation. See Produce Palace International v. TEC-America Corp., No. 97-P-20134 (Michigan Circuit Court, Macomb County).

7. Healthcare Information Management Systems Society Annual Conference, San Diego, Calif., Feb. 17, 1997 (200 responses). The survey is available on the Internet at http://www.easyon.com/users/simmonsp/YEAR2000.htm.

8. Millennium Times Europe (Aug. 28, 1996), http://www.implement.co.uk/milweb2.htm.

9. E-mail message to healthcare@mail.rx2000.org (Sept. 17, 1997).

10. J.P. Morgan Securities, Inc., Equity Research, Industry Analysis, "The Year 2000 Problem: It's Worse Than We Thought" (May 15, 1997). This article can be found on the Internet at http://www.jpmorgan.com/MarketDataInd/Research/Y2Kupdate/Y2K.htm.

 

11. Healthcare Information Management Systems Society Annual Conference, ibid.

 

12. Third Annual Health Care Technology Survey, Gordon & Glickson, P.C., Feb. 1997 (146 responses). The survey is available on the Internet at http://www.ggtech.com.

13. See Coffou, "Year 2000 Risks: What Are the Consequences of Technology Failures?", Statement of Hearing Testimony, Subcommittee on Technology and Subcommittee on Government Management, Information and Technology (March 20, 1997), available on the Internet at http://www.house.gov/science/couffou_3-20.html; Ackerman, Rx2000 Solutions Institute, "Prudent Paranoia" (Sept. 1997), available on the Internet at http://www.rx2000.org/Prudent.html; Bailey, David, Hall & Kappelman, "When the Chips are Down," Year 2000 Problem: Strategies and Solutions from the Fortune 100, pp. 135-136 (Int'l. Thomson Computer Press 1997).

14. The FDA letter is available on the Internet at http://www.fda.gov/cdrh/yr2000.html.

15. Capers Jones, Software Productivity Research, Inc., The Global Economic Impact of the Year 2000 Problem, p. 42 (1997).

16. Kappelman, Year 2000 Problem: Strategies and Solutions from the Fortune 100, p. 3 (Int'l. Thomson Computer Press 1997), referencing Hall & Schick, Gartner Group, "The Year 2000: Solutions for Today ... and Tomorrow," Conference Presentation Notes (June 19, 1996, Dallas, Texas).

17. Ulrich & Hayes, The Year 2000 Software Crisis, p. 8 (Prentice Hall 1997).