{"id":2186,"date":"2011-08-30T07:40:37","date_gmt":"2011-08-30T07:40:37","guid":{"rendered":"https:\/\/www.empowerbpo.com\/blog\/?p=2186"},"modified":"2023-03-20T07:44:24","modified_gmt":"2023-03-20T07:44:24","slug":"hitech-act-changes-game-for-hipaa-compliance-vars","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/hitech-act-changes-game-for-hipaa-compliance-vars\/","title":{"rendered":"HITECH Act Changes Game For HIPAA Compliance VARs"},"content":{"rendered":"<p>These days, health-care security solution providers are on the precipice of something that many channel partners only wish they had &#8212; a potential windfall of business driven by federal mandates and backed up by government funding.<\/p>\n<p>Specifically, the federally mandated Health Insurance Portability and Accountability Act (HIPAA), which governs medical data protection, is gaining enforcement powers through President Barack Obama&#8217;s stimulus plan, spurring small doctors&#8217; offices and large hospitals alike to start conversations about becoming compliant and transferring sensitive patient data to Electronic Health Records (EHRs). 
And the channel is reaping the rewards.<\/p>\n<p>The key factor driving these changes is recently enacted legislation &#8212; the\u00a0<a href=\"https:\/\/www.crn.com\/news\/security\/231000552\/hipaa-service-provider-finds-opportunity-in-hitech-incentives.htm\" rel=\"nofollow noopener\" target=\"_blank\">Health Information Technology for Economic and Clinical Health [HITECH] Act<\/a>, which arms HIPAA with tough new enforcement capabilities as well as more funding.<\/p>\n<p>\u201cThe main catalyst is in the HITECH Act, and the additional pressures that are being put on physician practices and their business associates to become compliant,\u201d said HIPAA Security Specialist Joe Dylewski, president of\u00a0<a href=\"http:\/\/www.atmpgroup.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ATMP Solutions<\/a>, a southeast Michigan-based solution provider. \u201cUp until HITECH came out in 2009, there were never any teeth in HIPAA enforcement. There wasn\u2019t a lot of attention paid to the organizations that violated it.\u201d<\/p>\n<p>The federally mandated HIPAA emerged in 1996 as a way to make health insurance portable from one provider to another, to reduce health-care costs, provide general administrative efficiencies and offer privacy and security around the exchanged information. However, it lacked enforcement, solution providers said.<\/p>\n<p>HITECH contains incentives related to health-care IT designed to accelerate the adoption of EHR systems among providers and deepen privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing more tools for enforcement. 
Some of HITECH\u2019s enforcement mechanisms include stiffer financial penalties and more varied and numerous fines affecting a wider swath of noncompliant organizations.<\/p>\n<p>As\u00a0<a href=\"https:\/\/www.empowerelearning.com\/online-hipaa-training\/\">HIPAA compliance<\/a>\u00a0gradually becomes hardened with enforcement mandates, medical facilities that range from small physicians\u2019 offices to major hospitals are starting to ask questions about how they can convert their sensitive patient data to EHRs and become compliant, partners said.<\/p>\n<p>That reinvigorated enforcement as well as the mandated transition to EHRs have paved the way for HIPAA compliance as a burgeoning niche that is rapidly gaining traction for security solution providers.<\/p>\n<p>\u201cIt [HIPAA compliance] needs the channel,\u201d Dylewski added. \u201cUnless they have an office staff with HIPAA background, [compliance is difficult], and I don\u2019t find that nearly as frequently.\u201d<\/p>\n<p>David Altizer, vice president of sales and marketing for\u00a0SOS Systems, a Memphis, Tenn.-based security solution provider, said that his company has experienced a huge uptick of HIPAA-related business since January as awareness about healthcare privacy laws has grown.<\/p>\n<p>One big opportunity is in HIPAA-specific assessments and audits. Service providers rely on specialized tools, such as eGestalt\u2019s SecureGRC SB, a compliance tool that automates the security process by breaking down HIPAA activities and detecting any compliance holes. 
The product incorporates an automated risk calculator, which detects areas of the business that are not in compliance, identifies the areas of risk and makes them a priority for remediation.<\/p>\n<p>Altizer said that he has been able to make inroads with medical organizations by conducting risk assessments to determine compliance vulnerabilities, and then analyzing the data to show the organizations their weakest links in terms they would understand. He then gives the customers tangible steps they can take in order to become compliant.<\/p>\n<p>\u201cWe identify where they\u2019re vulnerable and where the highest risks are, and find opportunity to upsell with things like firewalls or servers with Active Directory, and implement policies and procedures in those operations,\u201d Altizer said. \u201cWhether it\u2019s a doctor\u2019s office or transferring service, they all have to provide this documentation.\u201d<\/p>\n<p>Other channel opportunities include maintaining and upgrading firewalls with a strong antivirus, as well as providing hosted e-mail solutions and e-mail encryption &#8212; vital when physicians\u2019 offices are transferring sensitive medical information via e-mail.<\/p>\n<p>Leo Bletnitsky, president of\u00a0<a href=\"http:\/\/www.lvmedit.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Las Vegas Med IT,<\/a>\u00a0a health-care security solution provider based in Las Vegas, Nev., said that of all his health-care customers, only one encrypted e-mail, representing a huge untapped opportunity in the near future. \u201cThat is a requirement not only for HIPAA, but Nevada state law,\u201d he said. \u201cBut there\u2019s a lot of opportunity potentially as budgets start getting freed up.\u201d<\/p>\n<p>Another area that is growing by leaps and bounds in health-care security is offsite backup and recovery services, also mandated by HIPAA. 
In addition, eDiscovery products and correlating consulting and analyzing services are increasingly necessary for digging up critical information required in the event of a lawsuit.<br \/>\n\u201cIf a practice or a business is ever audited, they have a single point of reference where all the documentation and proof exists,\u201d Dylewski said.<\/p>\n<p>The mounting opportunities translate into unprecedented profit growth for some solution providers. Altizer said that he has seen margins grow to anywhere between 40 and 50 percent, while in some cases rising to 60 percent with added consulting services.<\/p>\n<p>\u201cIn all cases we try to sell some form of consulting on top of the assessment software. On top of that we\u2019re helping them analyze these risks and determine where they are on compliance,\u201d he said. \u201cWe\u2019re uncovering some very profitable opportunities.\u201d<\/p>\n<p>Meanwhile, Dylewski said that his HIPAA compliance business has grown 120 percent over the last year and he expects that it will grow 100 percent a year over the next two years.<\/p>\n<p>The opportunities also don\u2019t stop at the doctor\u2019s office or medical facility. HITECH also contains refinements that extend security not just for medical providers, but their contracted partners &#8212; or business associates (BA\u2019s) &#8212; which also have access to private client health information.<\/p>\n<p><strong>Next: Non-Compliant Business Associates Represent Untapped Opportunity<\/strong><\/p>\n<p>Bletnitsky said that during the last year he\u2019s seen more medical practices conducting HIPAA agreements &#8212; non-disclosure agreements that promise to protect confidential health-care information &#8212; with partnering vendors. \u201cThat\u2019s something that no one really did three years ago,\u201d he said.<\/p>\n<p>That\u2019s where some of the biggest opportunity exists, Dylewski said. 
While many medical providers are aware of the new security requirements and have already begun the process of implementing EMRs and data security protections, many of their business associates have not.<\/p>\n<p>Altizer said that for every doctor\u2019s office SOS Systems targets, they get anywhere from 10 to 15 referrals for business associates who are not compliant or need assistance in enhancing their compliance infrastructure. \u201cThat\u2019s 10 or 15 calls we have to make,\u201d Altizer said, adding that from there, SOS will then make sure they get a list of other partnering doctors\u2019 offices that the business associates service. \u201cIt all mushrooms from there,\u201d he said.<\/p>\n<p>And in some cases, solution providers are benefitting from government programs that are providing doctors\u2019 offices and medical organizations direct funding to implement upgraded and expanded security infrastructure in order to become HIPAA compliant.<\/p>\n<p>Specifically, channel partners such as ATMP Solutions work in collaboration with organizations such as the\u00a0<a href=\"http:\/\/www.mceita.org\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Michigan Center for Effective IT Adoption (M-CEITA)<\/a>, one of about 60 federally funded regional IT centers that assist medical providers throughout the entire adoption process. 
Among other things, M-CEITA helps medical providers achieve \u201cmeaningful use\u201d and access EHR incentive payments.<\/p>\n<p>Those incentives come in the form of payments and reimbursements for doctors\u2019 offices and medical facilities, which are then directed to the IT channel to acquire and implement EHRs, as well as security and privacy software, if the medical organizations can prove they have achieved a level of \u201cmeaningful use.\u201d<\/p>\n<p>The financial incentives translate into tens of thousands of dollars, distributed from various pools of money that include direct federal funds to reimburse the costs of EHRs, as well as other pools out of HITECH that are funneled into training and education programs for healthcare providers on IT.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/American_Recovery_and_Reinvestment_Act_of_2009\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Under HITECH\u00a0<\/a>, physicians can qualify for up to $44,000 in Medicare bonus incentives if they can demonstrate \u201cmeaningful use\u201d of an EHR, while physicians that deal with a large volume of Medicaid patients can qualify for up to $65,000 in incentives.<\/p>\n<p><strong>Next: Government Funnels HIPAA Compliance Business To Solution Providers<\/strong><\/p>\n<p>Meanwhile, Bletnitsky anticipates an uptick of health-care security business in the next year due to raised awareness generated by other government organizations dedicated to disseminating information about the HIPAA mandates and conversion to EHRs, which he says could help drive health-care security from 50 percent to 75 percent of his overall business.<\/p>\n<p>One such organization, Las Vegas, Nev.-based\u00a0<a href=\"http:\/\/www.healthinsight.org\/Internal\/AboutUs.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Health Insight, the Medicare Quality Improvement Organization (QIO)<\/a>, serves that very purpose for small medical practices. 
Among other things, the non-profit, community-based Health Insight provides low-cost consulting, information and enablement regarding EHRs, which include analysis of implementation, quality care analysis and work process redesign.<\/p>\n<p>Bletnitsky said that he works regularly with Health Insight to find and funnel business opportunities their way. Thus far, less than 50 percent of his customer base has embarked on the process of EHR adoption. But recently he\u2019s seen a groundswell of about 10 more medical facilities initiating the conversion process. And he anticipates further growth by January and February as more medical practices take advantage of Health Insight\u2019s services or receive stimulus funds for the conversion.<\/p>\n<p>Once the ball gets rolling, solution providers such as Las Vegas Med IT are on the front lines for implementation, assessment, monitoring and maintenance services, he said.<\/p>\n<p>\u201cIn the long term it\u2019s going to be beneficial. They\u2019ll need more technical assistance to get up and running on the information exchange,\u201d he said.<\/p>\n<p>Meanwhile, more government organizations like M-CEITA are emerging around the country as HIPAA gains traction, with a mission to enable compliance that will ultimately spur IT business around data protection right to the channel.<\/p>\n<p>And because HIPAA and HITECH are federal mandates, health-care security solution providers can often expand their customer base from anywhere in the country.<\/p>\n<p>\u201cCustomers are going to say, \u2018what do you mean I have to secure this?\u2019 They\u2019re not even aware of the breaches that can happen,\u201d said SOS\u2019s Altizer. 
\u201cWe just have to get the information to them.\u201d<\/p>\n<p>This article was originally posted at \u00a0<a href=\"http:\/\/www.crn.com\/news\/security\/231500612\/hitech-act-changes-game-for-hipaa-compliance-vars.htm?pgno=4\" rel=\"nofollow noopener\" target=\"_blank\">http:\/\/www.crn.com\/news\/security\/231500612\/hitech-act-changes-game-for-hipaa-compliance-vars.htm?pgno=4<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>These days, health-care security solution providers are on the precipice of something that many channel partners only wish they had &#8212; a potential windfall of business driven by federal mandates and backed up by government funding. Specifically, the federally mandated Health Insurance Portability and Accountability Act (HIPAA), which governs medical data protection, is gaining enforcement [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[27],"class_list":["post-2186","post","type-post","status-publish","format-standard","hentry","category-hipaa","tag-hipaa-compliance"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/2186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=2186"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/2186\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=2186"}],"wp:term":[{"taxonomy":"category","embed
dable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=2186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=2186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}