
emPower eLearning: August 2011


Tuesday, August 30, 2011

HITECH Act Changes Game For HIPAA Compliance VARs

These days, health-care security solution providers are on the precipice of something that many channel partners only wish they had -- a potential windfall of business driven by federal mandates and backed up by government funding.

Specifically, the federally mandated Health Insurance Portability and Accountability Act (HIPAA), which governs medical data protection, is gaining enforcement powers through President Barack Obama's stimulus plan, spurring small doctors' offices and large hospitals alike to start conversations about becoming compliant and transferring sensitive patient data to Electronic Health Records (EHRs). And the channel is reaping the rewards.

The key factor driving these changes is recently enacted legislation -- the Health Information Technology for Economic and Clinical Health [HITECH] Act, which arms HIPAA with tough new enforcement capabilities as well as more funding.

“The main catalyst is in the HITECH Act, and the additional pressures that are being put on physician practices and their business associates to become compliant,” said HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions, a southeast Michigan-based solution provider. “Up until HITECH came out in 2009, there were never any teeth in HIPAA enforcement. There wasn’t a lot of attention paid to the organizations that violated it.”

The federally mandated HIPAA emerged in 1996 as a way to make health insurance portable from one provider to another, to reduce health-care costs, provide general administrative efficiencies and offer privacy and security around the exchanged information. However, it lacked enforcement, solution providers said.

HITECH contains incentives related to health-care IT designed to accelerate the adoption of EHR systems among providers and deepen privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing more tools for enforcement. Some of HITECH’s enforcement mechanisms include stiffer financial penalties and more varied and numerous fines affecting a wider swath of noncompliant organizations.

As HIPAA compliance gradually becomes hardened with enforcement mandates, medical facilities that range from small physician’s offices to major hospitals are starting to ask questions about how they can convert their sensitive patient data to EHRs and become compliant, partners said.

That reinvigorated enforcement as well as the mandated transition to EHRs have paved the way for HIPAA compliance as a burgeoning niche that is rapidly gaining traction for security solution providers.

“It [HIPAA compliance] needs the channel,” Dylewski added. “Unless they have an office staff with HIPAA background, [compliance is difficult], and I don’t find that nearly as frequently.”

David Altizer, vice president of sales and marketing for SOS Systems, a Memphis, Tenn.-based security solution provider, said that his company has experienced a huge uptick in HIPAA-related business since January as awareness of health-care privacy laws has grown.

One big opportunity is in HIPAA-specific assessments and audits. Service providers rely on specialized tools, such as eGestalt’s SecureGRC SB, a compliance tool that automates the security process by breaking down HIPAA activities and detecting any compliance holes. The product incorporates an automated risk calculator, which detects areas of the business that are not in compliance, identifies the areas of risk and makes them a priority for remediation.

Altizer said that he has been able to make inroads with medical organizations by conducting risk assessments to determine compliance vulnerabilities, and then analyzing the data to show the organizations their weakest links in terms they would understand. He then gives the customers tangible steps they can take in order to become compliant.

“We identify where they’re vulnerable and where the highest risks are, and find opportunity to upsell with things like firewalls or servers with Active Directory, and implement policies and procedures in those operations,” Altizer said. “Whether it’s a doctor’s office or transferring service, they all have to provide this documentation.”

Other channel opportunities include maintaining and upgrading firewalls with a strong antivirus, as well as providing hosted e-mail solutions and e-mail encryption -- vital when physician’s offices are transferring sensitive medical information via e-mail.

Leo Bletnitsky, president of Las Vegas Med IT, a health-care security solution provider based in Las Vegas, Nev., said that of all his health-care customers, only one encrypted e-mail, representing a huge untapped opportunity in the near future. “That is a requirement not only for HIPAA, but Nevada state law,” he said. “But there’s a lot of opportunity potentially as budgets start getting freed up.”

Another area that is growing by leaps and bounds in health-care security is offsite backup and recovery services, also mandated by HIPAA. In addition, eDiscovery products and the corresponding consulting and analysis services are increasingly necessary for digging up critical information required in the event of a lawsuit.

“If a practice or a business is ever audited, they have a single point of reference where all the documentation and proof exists,” Dylewski said.

The mounting opportunities translate into unprecedented profit growth for some solution providers. Altizer said that he has seen margins grow to anywhere between 40 and 50 percent, while in some cases rising to 60 percent with added consulting services.

“In all cases we try to sell some form of consulting on top of the assessment software. On top of that we’re helping them analyze these risks and determine where they are on compliance,” he said. “We’re uncovering some very profitable opportunities.”

Meanwhile, Dylewski said that his HIPAA compliance business has grown 120 percent over the last year and he expects that it will grow 100 percent a year over the next two years.

The opportunities also don’t stop at the doctor’s office or medical facility. HITECH also contains refinements that extend security requirements not just to medical providers, but to their contracted partners -- or business associates (BAs) -- which also have access to private client health information.


Bletnitsky said that during the last year he’s seen more medical practices conducting HIPAA agreements -- non-disclosure agreements that promise to protect confidential health-care information -- with partnering vendors. “That’s something that no one really did three years ago,” he said.

That’s where some of the biggest opportunity exists, Dylewski said. While many medical providers are aware of the new security requirements and have already begun the process of implementing EMRs and data security protections, many of their business associates have not.

Altizer said that for every doctor’s office SOS Systems targets, they get anywhere from 10 to 15 referrals for business associates who are not compliant or need assistance in enhancing their compliance infrastructure. “That’s 10 or 15 calls we have to make,” Altizer said, adding that from there, SOS will then make sure they get a list of other partnering doctor’s offices that the business associates service. “It all mushrooms from there,” he said.

And in some cases, solution providers are benefiting from government programs that provide doctors’ offices and medical organizations direct funding to implement upgraded and expanded security infrastructure in order to become HIPAA compliant.

Specifically, channel partners such as ATMP Solutions work in collaboration with organizations such as the Michigan Center for Effective IT Adoption (M-CEITA), one of about 60 federally funded regional IT centers that assist medical providers throughout the entire adoption process. Among other things, M-CEITA helps medical providers achieve “meaningful use” and access EHR incentive payments.

Those incentives come in the form of payments and reimbursements for doctors’ offices and medical facilities, which are then directed to the IT channel to acquire and implement EHRs, as well as security and privacy software, if the medical organizations can prove they have achieved a level of “meaningful use.”

The financial incentives translate into tens of thousands of dollars, distributed from various pools of money that include direct federal funds to reimburse the costs of EHRs, as well as other pools out of HITECH that are funneled into training and education programs for healthcare providers on IT.

Under HITECH, physicians can qualify for up to $44,000 in Medicare bonus incentives if they can demonstrate “meaningful use” of an EHR, while physicians that deal with a large volume of Medicaid patients can qualify for up to $65,000 in incentives.


Meanwhile, Bletnitsky anticipates an uptick of health-care security business in the next year due to raised awareness generated by other government organizations dedicated to disseminating information about the HIPAA mandates and conversion to EHRs, which he says could help drive health-care security from 50 percent to 75 percent of his overall business.

One such organization, Las Vegas, Nev.-based Health Insight, the Medicare Quality Improvement Organization (QIO), serves that very purpose for small medical practices. Among other things, the non-profit, community-based Health Insight provides low-cost consulting, information and enablement regarding EHRs, which include analysis of implementation, quality care analysis and work process redesign.

Bletnitsky said that he works regularly with Health Insight to find and funnel business opportunities their way. Thus far, less than 50 percent of his customer base has embarked on the process of EHR adoption. But recently he’s seen a groundswell of about 10 more medical facilities initiating the conversion process. And he anticipates further growth by January and February as more medical practices take advantage of Health Insight’s services or receive stimulus funds for the conversion.

Once the ball gets rolling, solution providers such as Las Vegas Med IT are on the front lines for implementation, assessment, monitoring and maintenance services, he said.

“In the long term it’s going to be beneficial. They’ll need more technical assistance to get up and running on the information exchange,” he said.

Meanwhile, more government organizations like M-CEITA are emerging around the country as HIPAA gains traction, with a mission to enable compliance that will ultimately spur IT business around data protection right to the channel.

And because HIPAA and HITECH are federal mandates, health-care security solution providers can often expand their customer base from anywhere in the country.

“Customers are going to say, ‘what do you mean I have to secure this?’ They’re not even aware of the breaches that can happen,” said SOS’s Altizer. “We just have to get the information to them.”

This article was originally posted at http://www.crn.com/news/security/231500612/hitech-act-changes-game-for-hipaa-compliance-vars.htm?pgno=4


Wednesday, August 17, 2011

U.S. Files Complaint Against Education Management Corp. Alleging False Claims Act Violations

WASHINGTON – The United States has intervened and filed a complaint in a whistleblower suit pending under the False Claims Act against Education Management Corp. (EDMC) and several affiliated entities, the Justice Department announced today. In its complaint, the government alleges that EDMC falsely certified compliance with provisions of federal law that prohibit a university from paying incentive-based compensation to its admissions recruiters that is tied to the number of students they recruit. Congress enacted the incentive compensation prohibition to curtail the practice of paying bonuses and commissions to recruiters, which resulted in the enrollment of unqualified students, high student loan default rates and the waste of program funds.

“Colleges should not misuse federal education funds by paying improper incentives to admissions recruiters,” said Tony West, Assistant Attorney General for the Civil Division of the Department of Justice. “Working with the Department of Education, we will protect both students and taxpayers from arrangements that emphasize profits over education.”

“Federal tax dollars must be protected from abuse,” said David J. Hickton, U.S. Attorney for the Western District of Pennsylvania. “This action against EDMC seeks to recover a portion of the $11 billion in federal student aid which EDMC allegedly obtained through false statements and which enriched the company, its shareholders and executives at the expense of innocent individuals seeking a quality education.”

The False Claims Act allows for private citizens to file whistleblower suits to provide the government information about wrongdoing. The government then has a period of time to investigate and decide whether to take over the prosecution of the allegations or decline to pursue them and allow the whistleblower to proceed. If the United States proves that a defendant has knowingly submitted false claims, it is entitled to recover three times the damage that resulted and a penalty of $5,500 to $11,000 per claim. When the government intervenes, the whistleblower can collect a share of 15 to 25 percent of the United States’ recovery.

The suit was originally filed by Lynntoya Washington, a former EDMC admissions recruiter, who later filed an amended complaint, jointly with Michael T. Mahoney, a former director of training for EDMC’s Online Higher Education Division. The states of California, Florida, Illinois and Indiana have also intervened as plaintiffs.

The suit is United States ex rel. Washington et al. v. Education Management Corp. et al., Civil No. 07-461 (W.D. Pa.).

This matter was investigated by the Commercial Litigation Branch of the Justice Department’s Civil Division; the U.S. Attorney’s Office for the Western District of Pennsylvania; and the Department of Education, Office of Inspector General.


Wednesday, August 3, 2011

Learn More About HIPAA Compliance

The actual meaning of HIPAA compliance is simply whether entities and offices are effectively following the rules that Congress set forth through all three parts of the HIPAA legislation. The government states that each of the covered entities must meet the requirements which HIPAA has set forth.

The general principle of HIPAA compliance is simply to keep a safeguard over the Protected Health Information (PHI) of customers or patients. It is a rule that each entity must have a certain person that gets chosen to be the HIPAA Compliance Officer (who is sometimes referred to as the privacy officer). It is the compliance officer’s primary job to understand the laws and regulations of HIPAA as well as to be sure that the necessary actions and procedures are being put into practice so that an entity always remains compliant.

Staying within HIPAA guidelines ended up being a bit more difficult with the addition of the Security Rule in 2006. It was now required for the information to be held in secured and locked areas to help prevent security breaches in the event of a burglary.

This would be the first time that security of electronic information had ever been addressed in relation to Protected Health Information. Now HIPAA compliance required password-protected software and other extra measures to keep that information safe.

The HITECH Act in 2009 increased these requirements even more by requiring that action be taken in the event of a breach of security. Basically, what this is saying is that the entities must inform patients or anyone who may have been affected by the security breach. It doesn’t matter if the breach in security was due to negligence on the part of the employees or if it was actually a wrongful act from the outside. All entities are required to have HIPAA Compliance procedures in place just in case regular procedures fail.
