Healthcare, HIPAA and the Cloud


By Doug Barney, TMCnet Editor at Large  |  February 20, 2014

If you are involved in health care, either as a care provider or as a vendor who serves care providers, you have no choice but to embrace the cloud. After all, electronic medical records have been a mandate for some time. And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) adds a whole other layer of complexity.

Not just that, but health care providers are operating in an increasingly competitive market.

There are also magnificent opportunities to use the cloud to advance the art, such as distance medicine and big data analysis.

The elephant in the room is clearly HIPAA. In fact, there can be serious penalties for clients and their providers that fail to comply.

Storage is one of the biggest areas that demand HIPAA compliance. This is because patient data must be protected and secure – and all this must be documented.

The healthcare IT market is too big to ignore, despite the rigors of HIPAA. Last year total spend was $40 billion in the U.S., and it’s growing 23 percent a year.

Backup Compliance

Backup provider Intronis knows all about this, and helps MSPs sell HIPAA services as a premium. Intronis co-founder and current channel chief Neal Bradbury sees HIPAA as a carrot and a stick. The carrot is that HIPAA services can be sold at a premium and let MSPs branch into new markets.

The stick comes when HIPAA standards are violated. Here both the customer and the MSP can be liable.

Bradbury has a bevy of cases, from small to relatively huge. Starting on the small side, a hospice in Idaho had a laptop stolen. The HIPAA fine was a cool 50 grand. In Phoenix a small medical practice used unsecure email to transmit patient information, and ended up shelling out 100 grand for its mistake.

Those are the cheap ones. In Alaska the state health department lost one of its backup drives. That one cost $1.7 million. And a Boston doctor’s stolen laptop cost $1.5 million. That’s just one computer.

Under the HIPAA Omnibus Rule, service providers such as MSPs, as “Business Associates”, can be liable for HIPAA violations.

A recent Intronis blog offers some advice. “MSPs and healthcare organizations need to work together to instill a long-term understanding of what it means to practice safe data usage in order to avoid fines and loss of industry standing,” the blog said.

Ulistic, an MSP consultancy, is advising health care outfits to make sure their MSPs do HIPAA right, and that MSPs hoping to serve this market make themselves compliant. “Is your managed services business adhering to the standards for HIPAA compliance?” Ulistic asks, and answers “If not, you need to be.”

MSP Premium Plan

HIPAA mastery can let an MSP sell to bigger and bigger clients. “In general, the larger the health care organization, the more complex the solution requirements become. As solution providers migrate up the health care stack to large hospitals and university medical facilities, they discover the need for more specialized — and more lucrative — technology services such as laboratory bar-code printing and scanning applications, patient admissions, labeling and tracking systems, pharmacy management and POS technologies,” Bradbury explained.

GFI Weighs In

GFI Max is also helping its MSPs sell premium HIPAA services through a HIPAA readiness pack which contains more than its share of advice, and ways to harden GFI tools to meet strict compliance regulations.

And GFI will sign a Business Associate Agreement (BAA) with any of its partners’ customers where GFI takes responsibility for compliance.

“We recognize that MSPs that work with healthcare providers have specific needs that must be met in order to continue doing business under the regulations. Our HIPAA readiness pack, along with the GFI MAX platform, is designed to take the pain out of the process, providing them with the information and tools they need to fulfil their customers’ requirements fully and effectively and allowing them to maintain their focus on the growth of their business and the satisfaction of their customers,” said Dr. Alistair Forbes, General Manager of the GFI MAX business unit.

Fabian Oliva, an independent security and compliance analyst, was tapped by GFI to teach its partners about HIPAA. “The HIPAA Security Rule applies to all health plans, health care clearinghouses, and to any health care provider who transmits health care data in electronic form, otherwise referred to as a Covered Entity (CE). Further, HIPAA requires that any person or organization that conducts business with the Covered Entity that involves the specific usage or disclosure of individually identifiable health information, otherwise referred to as a Business Associate (BA), must also comply and adhere to HIPAA security requirements. In order to be considered a Business Associate, the work of an organization must deal directly with the use and or disclosure of protected health information. Examples of such include: outsourced billing providers, collections providers, transcriptionists and EMR providers among many others,” said Oliva.

“MSPs play a critical role towards helping to ensure that their customers maintain a secure and HIPAA compliant environment. Most importantly, they must ensure that their internal processes and procedures are in accordance with the HIPAA security requirements.”

Electronic Medical Records

Electronic Medical Records (EMR) is another political hot potato. The promise has always been good – by automating and standardizing records, the exchange of information between doctors caring for a patient is eased. And the interactions with billing and insurance companies are made simpler. All this should, in theory, dramatically save money and improve care.

Health care automation proponents sometimes refer to the new world of medical automation as Health 2.0, a blanket term for Internet-enabled collaboration, new style record keeping and sharing, and other technologies. With Health 2.0, data is available to more folks, privacy laws permitting, and the information is interactive, allowing those that view it to mark it up or search for more detail.

Much of this information is aimed at helping patients learn about their issues, ask better questions and make better decisions. And, in theory, this should save doctors time as the patients already understand the basics of their illness or concerns.

Obama and the EMR Punching Bag

Critics of Obamacare, now in the process of rolling out, have found a new punching bag in EMR. Obamacare supporters argued that EMR would drastically increase efficiency and slash costs. In fact, EMR is a requirement of the Obama administration health care law.

Those critics now argue that EMR, by documenting and publishing patient appointment and service information, makes it easier for the providers to charge for each and every thing, thus driving up costs.

If true, this would offer an unusual way to justify investment in EMR and calculate the return on investment.

60,000 Members Can’t be Wrong

Smart health care providers are lining up for cloud services. Amerinet, a healthcare solutions provider with some 60,000 members, is now offering members business continuity and disaster recovery services from Sungard Availability Services.

Amerinet offers several services to health care members, starting with group purchasing for alternate and acute care providers. It also provides performance tools “from supply chain management to data analytics and revenue enhancement – plus, improvements to technology, quality, patient safety and education,” the company explained.

Under the deal, SunGard sells managed remote hosting and data recovery services to Amerinet members.

Business continuity is particularly important for acute care facilities where patients’ lives are at risk daily. These facilities don’t just need their medical equipment up and running, but the supporting clinical and business systems must be kept going as well, which is where SunGard kicks in.

Protection of Electronic Health Records systems, a prominent item in the Obama health care program, is now vitally important.

It isn’t just basic computer crashes and drive failures that threaten health care shops. Disasters are another concern. “Amerinet has repeatedly heard from our members the need for recovery services when disasters like Hurricane Sandy strike. In addition, with the increase of EHR implementations and the transition to cloud technology, the need for adoption of information technology security has escalated,” said John Vinarsky, Vice President, Executive Resources, Office Solutions and Information Technology, Amerinet, Inc. 

Edited by Stefania Viscusi