HIPAA Service Provider Finds Opportunity In HITECH Incentives

HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions, a southeast Michigan-based solution provider, has tapped into something big -- government funding for newly implemented health-care mandates.

The recently enhanced protections in government health-care privacy laws, outlined in President Obama’s stimulus package mandating that doctors’ offices and medical providers transfer their patient data to electronic health records, all come with a slew of financial incentives for businesses to make the transition.

And all that funding can be channeled to solution providers to make it happen, Dylewski said.

"If I’m a doctors’ office and elect to implement an EHR solution, I have certain obligations to protect that data and make it available," he said. "The process needs the channel -- unless they have an office staff with HIPAA background. And I don’t find that nearly as frequently."

The incentives are part of a plan to strengthen the Health Insurance Portability and Accountability Act, or HIPAA. The federal law emerged in 1996 as a way to make health insurance portable from one provider to another, to reduce health-care costs, provide general administrative efficiencies and offer privacy and security around the exchanged information.

As part of the 2009 stimulus, formally known as the American Recovery and Reinvestment Act of 2009, the Obama administration put in place the newly implemented Health Information Technology for Economic and Clinical Health (HITECH) Act, designed to put some teeth into the HIPAA law.

"In order to effectively transmit and use electronic health information, they had to take HIPAA a little more seriously," Dylewski said. "Now they were putting some enforcement around the security side of it."

Specifically, HITECH contains incentives related to health-care IT designed to accelerate the adoption of electronic health record (EHR) systems among providers and deepen privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing more tools for enforcement. Some of HITECH’s enforcement mechanisms included stiffer financial penalties and more varied and numerous fines affecting a wider swath of non-compliant organizations.

However, HITECH also contains financial incentives, designed to help medical providers convert patients’ sensitive health-care information to EHRs. Those incentives come in the form of payments and reimbursements for doctors’ offices and medical facilities if they could prove that they achieved a level of meaningful use. The funds would then be used to acquire and implement EHRs and security and privacy software.

And the channel can play a key role in implementing this process, Dylewski said.

Channel partners, such as ATMP Solutions, work in tandem with organizations like the Michigan Center for Effective IT Adoption (M-CEITA), one of about 60 federally funded regional IT centers that assist medical providers throughout the entire adoption process. Among other things, M-CEITA helps medical providers achieve "meaningful use" and access EHR incentive payments.

M-CEITA also serves as a liaison between the medical provider and channel partner, by assisting medical providers in search of service providers who will help them transition to EHRs and effectively secure patient data.

The financial incentives translate into the tens of thousands of dollars, distributed from various pools of money that include direct federal funds to reimburse the costs of EHRs, as well as other pools out of HITECH that are funneled into IT training and education programs for health-care providers. Other pools of money are also allocated to build regional extension centers such as M-CEITA.

Under HITECH, physicians can qualify for up to $44,000 in Medicare bonus incentives if they demonstrate "meaningful use" of an EHR, while physicians that deal with a high volume of Medicaid patients can qualify for up to $65,000 in incentives.

Beginning in 2015, physicians who fail to implement EHRs will be penalized with a 1 percent Medicare fee reduction, which will increase to a 3 percent Medicare fee reduction by 2017.

Subsequently, one of the biggest opportunities is conducting HIPAA-specific assessments and audits to get customers up to code and pave the way for the transition to EHRs.

Service providers rely on niche tools, such as eGestalt’s SecureGRC SB, a compliance tool that automates the security process by breaking down HIPAA activities and detecting any compliance holes. The product incorporates an automated risk calculator, which detects areas of the business that are not in compliance, identifies the highest risk facets and makes them a priority for remediation.

"It’s not just about doing HIPAA. It’s really the execution in compiling that checklist -- requiring things like encryption, unified threat management firewall, disaster recovery. All of the sweet spots for IT service providers," said Jim Hare, channel chief for eGestalt Technologies. "It just happens to be mandated by law."

Other channel opportunities include remediation, backup and recovery services, encryption services that incorporate data at rest and in transit, and consulting opportunities in helping organizations create disaster recovery and clinical continuity plans, Dylewski said.

And the opportunity extends beyond doctors’ offices, he added.

HITECH also contains refinements to HIPAA that extended security mandates not just to medical providers, but their partners -- or business associates -- which also have access to private client health information.

"As long as that business associate [BA] has visibility to the data, they’re by default liable," Dylewski said. "Even if you don’t have a BA agreement in place, you’re still liable for HIPAA laws."

That’s where some of the biggest channel opportunity can be found, Dylewski said. While many medical providers are aware of the new security requirements and have already begun the process of implementing EMRs and data security protections, many of their business associates have not, he said.