Compliance For All
JOHN LONGWELL contributed to this story.
Crossroads Turning Point is no stranger to government regulations. The Pueblo, Colo.-based nonprofit operator of six drug rehabilitation centers has been dealing with strict privacy rules governing treatment facilities for 20 years.
But recently when Crossroads decided to have a VPN installed to make it easier to move patient data between its facilities, it ran into yet another regulation: the Health Insurance Portability and Accountability Act (HIPAA). Solution provider Dimensional Data came to the aid of its longtime client with server, firewall and intrusion-detection solutions to meet heightened privacy and security requirements.
Dimensional Data owner Bill Salagovic said HIPAA, Sarbanes-Oxley and other regulations are driving new business his way. About half of Salagovic’s small-business clients are affected by HIPAA. “I am personally getting a lot more questions from doctors’ offices and small clinics and such,” he said.
Dimensional Data is not alone. Regulatory compliance is an issue that small businesses and their solution providers increasingly must deal with, said Randolph Kahn, a lawyer, author and founder of Kahn Consulting, a management consulting firm specializing in legal compliance and policy issues related to IT.
Until now, large companies have generally been more consumed with these issues than smaller companies. And companies in highly regulated industries such as health care and financial services have been ahead of others. But Kahn said ultimately everyone must understand and comply with the regulations that apply to their businesses. “Laws don’t care whether you’re big or small,” he said. “The main thing is, you have to comply.”
As the effect of regulatory mandates spreads from the enterprise to the small business, it can be a double-edged sword for solution providers. While the regulations are driving business due to the security, storage and content management technologies required to address compliance issues, solution providers are finding it necessary to gain more expertise to respond to their clients’ regulatory environments. And unlike enterprise environments, small businesses don’t have the internal legal and IT resources to help them identify or define the issues.
“It’s a pain,” Salagovic said. “Trying to weed through all the rules and regulations is tough because everybody has a different interpretation. You go to one site and they say, ‘Well, we want it this way,’ and at another site, they say they want it that way.”
There are many small businesses today that understand not only the importance of complying with regulations specific to their markets but also the need for outside help to do it, said Dave Klauser, CEO of Prism Technologies, an Oakbrook Terrace, Ill.-based solution provider.
“When we talk to small organizations about compliance and outsourcing, immediately the talk turns to data integrity and whether data can be restored,” Klauser said. “When a small business talks like this, they need a full-solution solution provider. They’re not just going with a backup.”
In other cases, though, solution providers are finding they do need to prod clients into addressing compliance. Randy Premont, president of Houston-based solution provider SpaceCycles.Net, said a lot of his small health-care clients say they are not that concerned about HIPAA, but those that deal with medical records have to be HIPAA-compliant or they risk leaving themselves open to liability issues. “If you can’t prove that data is protected and prove who transported it and when and where it is stored now, you are not HIPAA-compliant,” Premont said.
Small-business customers in the legal industry can also be ambivalent about compliance issues, said Peter Lesser, managing partner at Kraft Kennedy & Lesser, a New York-based solution provider specializing in IT infrastructures for law offices. While law offices may tell clients how to become compliant, they may or may not take their own advice, Lesser said. They either destroy all e-mails and other documents right away or keep everything so they can find anything before someone else does.
“They do a lot of things larger corporations can’t get away with,” Lesser said. “For instance, they may tell their clients they need to archive their e-mails for seven years, but then they delete their own e-mails after 30 days.”
While in many cases, the regulations mean businesses need to adhere to a common set of basic security, records management and data backup technologies, many vertical markets also have special requirements, and small-business solution providers are responding by partnering with lawyers and consultants.
“At a basic minimum, every company needs to keep records to comply with certain regulations,” Kahn said. “But firms in certain areas like manufacturing or pharmaceuticals, or which are subject to EPA rules, for example, have to meet specific requirements. They need to talk to their legal counsels to determine what they may need to comply with.”
The same goes for small-business solution providers, Kahn said. They can help clients with technology to address compliance requirements, but they have to be careful not to oversell their products.
“They can’t offer legal advice,” he said. “They need to know enough to help the customer, but they also need to know what not to say and to advise customers to bring in their own legal counsel to advise on what is appropriate. … It is important that technology companies not provide legal advice, but [rather] partner with compliance consultants.”
Several solution providers are already doing just that. Prism’s Klauser said that while his company can talk to clients about the importance of compliance, it works with the law office of Vedder Price in Chicago to take advantage of that firm’s expertise in government regulations. “We take it to the next level by bringing in the lawyers,” he said.
Scott Sabellico, vice president of sales and marketing at New Dimensions, a Troy, Mich.-based solution provider, said he agrees 100 percent with Kahn on the importance of partnering with law experts. “We’re not a law firm,” Sabellico said. “We can read the law, we can read IDC and Gartner reports, and look at the best technology, but [we] certainly cannot offer legal advice.”
New Dimensions is now engaging in conversations with a consulting firm focused on manufacturing-related compliance issues. “It’s good to go in with a consultant and work with them on sales,” Sabellico said. “In this space, the more partnerships you can utilize without having the resources on staff, the better.”
Solution providers are also turning to managed service firms for help in bringing their small-business clients into the world of compliance at a reasonable cost.
SpaceCycles.Net, for instance, is partnering with Phonoscope, the Houston-based provider of fiber-optic MANs (Metropolitan Area Networks), to offer secure off-site backup services to small businesses. Monthly fees for the services, based on number of gigabytes stored, are about the same as someone might pay just for their security software, Premont said, adding that it sure beats the alternative. “Most small businesses back their data up to a Zip disk and throw it in a desk drawer,” he said. “What protection do they have if a building burns?”
SpaceCycles.Net is also working with partners such as Hewlett-Packard, IBM and McKesson to sell compliance backup services, while Prism is reselling hosted data storage services in partnership with LucidLine, Palos Heights, Ill. The two companies jointly own storage infrastructures in cages set in several hosted facilities that can be used for disaster recovery, backups or compliance.
Small-business solution providers can also turn to vendors such as Open Access, a Melville, N.Y.-based telecom, which bundles services such as VoIP, videoconferencing, data protection and disaster recovery for small businesses and is now working with software from Arsenal Digital to offer compliance services, said Jimmy Tam, vice president of business development at Open Access.
Using his service, Tam said, small businesses can handle compliance-related tasks such as e-mail archiving and retaining financial documents for government-specified times.
Distributors can also be a source of help. Arrow Electronics, for instance, implemented a program last year to offer compliance resources and training to its solution providers, many of whom serve small businesses, said Terry McGrath, business manager for enterprise storage at Arrow.
Arrow is working with consultants such as Kahn Consulting, Atlanta-based channel program consultant Industry Direct Limited, and Denver-based marketing and sales solution company Circa 65 to offer free training on compliance fundamentals. Solution providers can then work with the consultants on developing specific compliance business plans, McGrath said.
As technology continues to migrate from the enterprise down to small business, compliance issues are coming along for the ride. And the role solution providers play as trusted IT and business consulting partners is taking on a new dimension to address regulatory issues, requiring new types of partnerships.