8.01.04 Volume 1 Edition 2 iMed eNewsletter

The voice for the medical software reseller community.

HIPAA Security for Medical VARs

HIPAA Security will become the law of the land next year on April 20, 2005. This new regulation mandates that “covered entities” comply with 42 “Implementation Specifications” which include physical, technical and administrative security measures. While this makes the business of a medical VAR more complex, it also creates opportunities for new value-added services and recurring revenues. Because of the rampant spread of malicious software, phishing scams, spam and other internet plagues, your clients already understand the risks of operating a computer system, especially one with a broadband internet connection. You will find a certain percentage of your clients willing to open their checkbooks, because when it comes to computer security, regulatory compliance makes business sense.

What is the HIPAA Security Rule?

The Security Rule is the third installment of HIPAA. Compliance is required of medical providers who use electronic transactions, of insurance companies, and of clearinghouses. The rule covers electronic “protected health information,” which includes all patient information in practice management software, electronic medical record software, and any other application containing patient information, such as word processing files with medical notes and reports.

The Security Rule mandates both confidentiality (dovetailing with the HIPAA Privacy Rule) and availability. In recognition that medical organizations vary widely, from a solo doctor’s office to major hospital systems, the rule is “scalable,” that is, flexible enough to accommodate varying situations. Of the 42 “implementation specifications,” 20 are required and the other 22 are “addressable.” “Addressable” means that the specification is mandatory if it is applicable in the environment.

These specifications call for technical capabilities which you will need to supply to your customers. These capabilities include routine measures such as unique user IDs, passwords, system backup, and virus protection. Other requirements, as discussed later, may provide VARs with new revenue opportunities. Medical practices must conduct a “risk assessment,” implement a “security management process,” and conduct a periodic “technical and non-technical evaluation” to verify compliance with the rule.

Finally, HIPAA mandates physical security requirements and a host of other written policies and procedures. All VARs should review and understand these regulations. For a convenient on-line guide to the Security Rule, check out Interhack Corporation’s HIPAA Security Hyperule, which provides four ways to view the rule, including a matrix showing the 42 specifications as well as the actual text of the rule from the federal government.

Impact on Resellers

Resellers are impacted in five ways:

  • Sales Training Needed. Without a doubt, HIPAA Security makes life harder for the salesperson. The effective salesperson will need an understanding of the essentials of HIPAA Security, including the answer to the standard question “Is XYZ software HIPAA compliant?” Salespeople need to be prepared to respond in varying levels of detail, from a one-sentence answer to a more involved conversation with a technical buyer. Proposals will be impacted, and VARs will have an array of new value-added services to sell.

  • Revised Business Associate Agreements. Most medical VARs have signed numerous HIPAA Business Associate Agreements, either at the request of your customers or upon your suggestion. Unfortunately for those of you who were proactive in offering these agreements, the HIPAA Security Rule has changed the specifications for the agreements. Consequently, your clients will require an updated agreement by 2/21/2005 to be in full compliance. Note that it is your client, not you, who is obligated to have this agreement in place.

  • Compliance with the Business Associate Agreement. While your client is required by law to place you under contract, once you sign it you contractually obligate yourself to take certain actions. The revised specification of the HIPAA Security Rule expands your obligations as the business associate. For example, you agree to put in place “physical, technical, and administrative safeguards” to protect the confidentiality and security of any medical information to which you are exposed. Typical resellers will need policies instructing employees on the confidentiality of any client information they see, procedures for safeguarding client modem phone numbers and system passwords, contracts with subcontractors who perform data conversion services, and your own system security procedures if you ever store your clients’ patient data on your systems.

  • Technical Training and Customer Configuration Adjustments. The HIPAA Security Rule has more impact on network and operating system implementation than on the application software. Resellers should obtain the necessary technical training in order to evaluate, and in most cases adjust, their network configuration procedures. Special attention should be given to any wireless or portable components, which present significant security challenges. Other areas for review include e-mail configuration and system backup. Note that none of your installed base of clients is fully compliant with the HIPAA Security Rule, and all will require some attention.

  • Revenue Opportunities. The regulatory compliance burdens of HIPAA increase the complexity of running a medical office, and this increased complexity provides more opportunities for value-added services. For the HIPAA Security Rule, which includes complex technical matters, you, the reseller, are the trusted authority. After developing expertise in the HIPAA Security Rule, revenue-generating services will become apparent. For resellers with a significant installed base of clients, the upcoming 10 months provide a window of opportunity for providing an array of services. These include:

    1. HIPAA Security Training. Many medical practices will spend $249 for a one-day training class which provides an overview of the Security Rule requirements. The class can also include training on the features of your software package which are required for compliance, as well as training on the various add-on capabilities which are mandated by the Security Rule.

    2. Compliance Products and Services. Resellers have recommended and installed security-related products for many years. Some clients, however, never purchased these recommended products, or technology may have changed so that an upgrade is appropriate. For example, many clients may find a secure internet backup solution more reliable and easier to use than the old tape backup system currently in place. Each account should be reviewed for HIPAA compliance, including its firewall, virus protection, system backup technology and procedure, security configuration for wireless equipment, other server configurations, and use of application software security features. Virtually all clients will require some network configuration changes and training, and would benefit from an on-site visit. This alone can easily generate $200 to $500 in service revenue per site.

    3. Security Consulting. As noted above, the Security Rule requires a “risk assessment,” a “security management process,” and an array of computer security policies and procedures. The vast majority of medical practices are poorly equipped and trained to conduct a legitimate risk assessment. VARs who invest in the necessary training can create a new stream of consulting revenue by assisting their clients with these obligations. A typical security compliance engagement would include a risk assessment, creation of HIPAA-mandated documentation, tailoring of HIPAA policies and procedures, and conducting security training for the medical staff. For a VAR with 50 clients, if 5 or 10 of these clients accept a $4,000 proposal for a HIPAA Security engagement, the added revenue for the VAR is $20,000 to $40,000. VARs can shorten their learning curve by using on-line risk assessment tools and boilerplate security policies and procedures which are available from a variety of vendors.

    4. Ongoing Revenue Opportunities. Good security, like anything of quality, comes at a price. For the subset of your clients who choose to rigorously comply with the Security Rule, a series of revenue opportunities is available. For example, the HIPAA Security Rule mandates a periodic “technical and non-technical” evaluation of compliance with the Security Rule. Other requirements include “security awareness” reminders for the staff, media destruction for discarded equipment, and periodic review of software audit trails. Most risk assessments will identify the need for frequent application of Microsoft security patches. Creative VARs can develop an “enhanced service agreement” which offers a package of security-related services for a fixed monthly or annual price.

Now is the time for VARs to more fully understand the impact of the HIPAA Security Rule on their business. Providing value-added services will allow a VAR to differentiate itself from VARs who choose to ignore this important regulatory issue. HIPAA Privacy was the domain of attorneys. While some law firms will be involved in this phase of HIPAA, few attorneys understand computer security. VARs are the “computer department” for medical practices, and will “own” this business opportunity if they choose to act.


For more information, see Interhack Info for Medical VARs which contains links and other resources to assist the medical VAR with HIPAA Security.


-- Gary Pritts
Eagle Consulting Partners, Inc.
4415 Euclid Ave. #300, Cleveland, OH 44103
(216) 228-7959 (voice), (216) 432-0655 (fax), (216) 233-4960 (mobile)


Gary Pritts is not affiliated with InvestMed; he is a healthcare, business and information systems consultant with 25 years of experience. To contact Gary with questions about this article or HIPAA in general, visit his website at: www.eagleconsultingpartners.com


Copyright © InvestMed, LLC and its licensors. All rights reserved.
Images provided by www.plattphotography.com