These days, health-care security solution providers are on the precipice of something that many channel partners only wish they had -- a potential windfall of business driven by federal mandates and backed up by government funding.
Specifically, the federally mandated Health Insurance Portability and Accountability Act (HIPAA), which governs medical data protection, is gaining enforcement powers through President Barack Obama's stimulus plan, spurring small doctors' offices and large hospitals alike to start conversations about becoming compliant and transferring sensitive patient data to Electronic Health Records (EHRs). And the channel is reaping the rewards.
The key factor driving these changes is recently enacted legislation -- the Health Information Technology for Economic and Clinical Health [HITECH] Act, which arms HIPAA with tough new enforcement capabilities as well as more funding.
“The main catalyst is in the HITECH Act, and the additional pressures that are being put on physician practices and their business associates to become compliant,” said HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions, a southeast Michigan-based solution provider. “Up until HITECH came out in 2009, there were never any teeth in HIPPA enforcement. There wasn’t a lot of attention paid to the organizations that violated it.”
The federally mandated HIPAA emerged in 1996 as a way to make health insurance portable from one provider to another, to reduce health-care costs, provide general administrative efficiencies and offer privacy and security around the exchanged information. However, it lacked enforcement, solution providers said.
HITECH contains incentives related to health-care IT designed to accelerate the adoption of EHR systems among providers and deepen privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing more tools for enforcement. Some of HITECH’s enforcement mechanisms include stiffer financial penalties and more varied and numerous fines affecting a wider swath of noncompliant organizations.
As HIPAA compliance gradually becomes hardened with enforcement mandates, medical facilities that range from small physician’s offices to major hospitals are starting to ask questions about how they can convert their sensitive patient data to EHRs and become compliant, partners said.
That reinvigorated enforcement as well as the mandated transition to EHRs have paved the way for HIPAA compliance as a burgeoning niche that is rapidly gaining traction for security solution providers.
“It [HIPAA compliance] needs the channel,” Dylewski added. ”Unless they have an office staff with HIPAA background, [compliance is difficult], and I don’t’ find that nearly as frequently.”
David Altizer, vice president of sales and marketing for SOS Systems, a Memphis, Tenn.-based security solution provider, said that his company has experienced a huge uptick of HIPAA related business since January as awareness about healthcare privacy laws have grown.
One big opportunity is in HIPAA-specific assessments and audits. Service providers rely on specialized tools, such as eGestalt’s SecureGRC SB, a compliance tool that automates the security process by breaking down HIPAA activities and detecting any compliance holes. The product incorporates an automated risk calculator, which detects areas of the business that are not in compliance, identifies the areas of risk and makes them a priority for remediation.
Next: Risk Assessments Provide Upsell Opportunities