HITECH Act Changes Game For HIPAA Compliance VARs
These days, health-care security solution providers are on the precipice of something that many channel partners only wish they had -- a potential windfall of business driven by federal mandates and backed up by government funding.
Specifically, the federally mandated Health Insurance Portability and Accountability Act (HIPAA), which governs medical data protection, is gaining enforcement powers through President Barack Obama's stimulus plan, spurring small doctors' offices and large hospitals alike to start conversations about becoming compliant and transferring sensitive patient data to Electronic Health Records (EHRs). And the channel is reaping the rewards.
The key factor driving these changes is recently enacted legislation -- the Health Information Technology for Economic and Clinical Health [HITECH] Act, which arms HIPAA with tough new enforcement capabilities as well as more funding.
’The main catalyst is in the HITECH Act, and the additional pressures that are being put on physician practices and their business associates to become compliant,’ said HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions, a southeast Michigan-based solution provider. ’Up until HITECH came out in 2009, there were never any teeth in HIPPA enforcement. There wasn’t a lot of attention paid to the organizations that violated it.’
The federally mandated HIPAA emerged in 1996 as a way to make health insurance portable from one provider to another, to reduce health-care costs, provide general administrative efficiencies and offer privacy and security around the exchanged information. However, it lacked enforcement, solution providers said.
HITECH contains incentives related to health-care IT designed to accelerate the adoption of EHR systems among providers and deepen privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing more tools for enforcement. Some of HITECH’s enforcement mechanisms include stiffer financial penalties and more varied and numerous fines affecting a wider swath of noncompliant organizations.
As HIPAA compliance gradually becomes hardened with enforcement mandates, medical facilities that range from small physician’s offices to major hospitals are starting to ask questions about how they can convert their sensitive patient data to EHRs and become compliant, partners said.
That reinvigorated enforcement as well as the mandated transition to EHRs have paved the way for HIPAA compliance as a burgeoning niche that is rapidly gaining traction for security solution providers.
’It [HIPAA compliance] needs the channel,’ Dylewski added. ’Unless they have an office staff with HIPAA background, [compliance is difficult], and I don’t’ find that nearly as frequently.’
David Altizer, vice president of sales and marketing for SOS Systems, a Memphis, Tenn.-based security solution provider, said that his company has experienced a huge uptick of HIPAA related business since January as awareness about healthcare privacy laws have grown.
One big opportunity is in HIPAA-specific assessments and audits. Service providers rely on specialized tools, such as eGestalt’s SecureGRC SB, a compliance tool that automates the security process by breaking down HIPAA activities and detecting any compliance holes. The product incorporates an automated risk calculator, which detects areas of the business that are not in compliance, identifies the areas of risk and makes them a priority for remediation.
Next: Risk Assessments Provide Upsell Opportunities
Altizer said that he has been able to make inroads with medical organizations by conducting risk assessments to determine compliance vulnerabilities, and then analyze the data to show the organizations their weakest links in terms they would understand. He then gives the customers tangible steps they can take in order to become compliant.
’We identify where they’re vulnerable and where the highest risks are, and find opportunity to upsell with things like firewalls or servers with Active Directory, and implement policies and procedures in those operations,’ Altizer said. ’Whether it’s a doctor’s offices or transferring service, they all have to provide this documentation.’
Other channel opportunities include maintaining and upgrading firewalls with a strong antivirus, as well as providing hosted e-mail solutions and e-mail encryption -- vital when physician’s offices are transferring sensitive medical information via e-mail.
Leo Bletnitsky, president of Las Vegas Med IT, a health-care security solution provider based in Las Vegas, Nev., said that of all his health-care customers, only one encrypted e-mail, representing a huge untapped opportunity in the near future. ’That is a requirement not only for HIPAA, but Nevada state law,’ he said. ’But there’s a lot of opportunity potentially as budgets start getting freed up.’
Another area that is growing by leaps and bounds in health-care security is offsite backup and recovery services, also mandated by HIPAA. In addition, eDiscovery products and correlating consulting and analyzing services are increasingly necessary for digging up critical information required in the event of a lawsuit.
’If a practice or a business is ever audited, they have a single point of reference where all the documentation and proof exists,’ Dylewski said.
The mounting opportunities translate into unprecedented profit growth for some solution providers. Altizer said that he has seen margins grow to anywhere between 40 and 50 percent, while in some cases rising to 60 percent with added consulting services.
’In all cases we try to sell some form of consulting on top of the assessment software. On top of that we’re helping them analyze these risks and determine where they are on compliance,’ he said. ’We’re uncovering some very profitable opportunities.’
Meanwhile, Dylewski said that his HIPAA compliance business has grown 120 percent over the last year and he expects that it will grow 100 percent a year over the next two years.
The opportunities also don’t stop at the doctor’s office or medical facility. HITECH also contains refinements that extend security not just for medical providers, but their contracted partners -- or business associates (BA’s) -- which also have access to private client health information.
Next: Non-Compliant Business Associates Represent Untapped Opportunity
Bletnitsky said that during the last year he’s seen more medical practices conducting HIPAA agreements -- non-disclosure agreements that promise to protect confidential health-care information -- with partnering vendors. ’That’s something that no one really did three years ago,’ he said.
That’s where some of the biggest opportunity exists, Dylewski said. While many medical providers are aware of the new security requirements and have already begun the process of implementing EMRs and data security protections, many of their business associates have not.
Altizer said that for every doctor’s office SOS Systems targets, they get anywhere from 10 to 15 referrals for business associates who are not compliant or need assistance in enhancing their compliance infrastructure. ’That’s 10 or 15 calls we have to make,’ Altizer said, adding that from there, SOS will then make sure they get a list of other partnering doctor’s offices that the business associates service. ’It all mushrooms from there,’ he said.
And in some cases, solution providers are benefitting from government programs that are providing doctors’ offices and medical organizations' direct funding to implement upgraded and expanded security infrastructure in order to become HIPAA compliant.
Specifically, channel partners such as ATMP Solutions work in collaboration with organizations such as the Michigan Center for Effective IT Adoption (M-CEITA), one of about 60 federally funded regional IT centers that assist medical provider throughout the entire adoption process. Among other things, M-CEITA helps medical provider achieve ’meaningful use’ and access EHR incentive payments.
Those incentives come in the form of payments and reimbursements for doctors’ offices and medical facilities, which are then directed to the IT channel to acquire and implement EHRs, as well as security and privacy software, if the medical organizations can prove they have achieved a level of ’meaningful use.’
The financial incentives translate into tens of thousands of dollars, distributed from various pools of money that include direct federal funds to reimburse the costs of EHRs, as well as other pools out of HITECH that are funneled into training and education programs for healthcare providers on IT.
Under HITECH , physicians can qualify for up to $44,000 in Medicare bonus incentives if they can demonstrate ’meaningful use’ of an EHR, while physicians that deal with a large volume of Medicaid patients can qualify for up to $65,000 in incentives.
Next: Government Funnels HIPAA Compliance Business To Solution Providers
Meanwhile, Bletnitsky anticipates an uptick of health-care security business in the next year due to raised awareness generated by other government organizations dedicated to disseminating information about the HIPAA mandates and conversion to EHRs, which he says could help drive health-care security from 50 percent to 75 percent of his overall business.
One such organization, Las Vegas, Nev.-based Health Insight, the Medicare Quality Improvement Organization (QIO), serves that very purpose for small medical practices. Among other things, the non-profit, community-based Health Insight provides low-cost consulting, information and enablement regarding EHRs, which include analysis of implementation, quality care analysis and work process redesign.
Bletnitsky, said that he works regularly with Health Insight to find and funnel business opportunities their way. Thus far, less than 50 percent of his customer base has embarked on the process of EHR adoption. But recently he’s seen a groundswell of about 10 more medical facilities initiating the conversion process. And he anticipates further growth by January and February as more medical practices take advantage of Health Insight’s services or receive stimulus funds for the conversion.
Once the ball gets rolling, solution providers such as Las Vegas Med IT are on the front lines for implementation, assessment, monitoring and maintenance services, he said.
’In the long term it’s going to be beneficial. They’ll need more technical assistance to get up and running on the information exchange,’ he said.
Meanwhile, more government organizations like M-CEITA are emerging around the country as HIPAA gains traction, with a mission to enable compliance that will ultimately spur IT business around data protection right to the channel.
And because HIPAA and HITECH are federal mandates, health-care security solution providers can often expand their customer base from anywhere in the country.
’Customers are going to say, ’what do you mean I have to secure this?’ They’re not even aware of the breaches that can happen,’ said SOS’s Altizer. ’We just have to get the information to them.’