Avatar

This post is part of a new series featuring Brian Higgins, Principal Healthcare Consultant at Comstor US. Comstor is a recognized global leader in Cisco product distribution and an established provider of networking and advanced technology solutions. Brian is a sales and business development executive with 35 years of experience in the global healthcare information technologies industry. He has a proven and successful track record of establishing and executing go-to-market strategies for both start-ups and well-established companies in the healthcare space. He is also a trusted sales and business development advisor to information and medical technology companies selling into all segments of the healthcare industry.

I recently hosted a webinar on the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) for a community of technology resellers.

HIPPA and HITECH are the US version of “privacy and security” laws that are getting so much attention in our industry. I thought I had a reasonably good grasp on the subject, but my intuition was that the subject was complex enough to warrant an expert. We brought in a nationally recognized expert by name of Bob Chaput, Founder and CEO of Clearwater Compliance LLC, and (luckily for me) he did an outstanding job of explaining a very complicated set of rules and regulations in a simple and easy to understand way. 

While it was interesting to learn more about specifically who is covered by these laws and what their specific obligations are, the more enlightening discussion related to how far behind most industry stakeholders are in their compliance and the resulting economic ramifications.

For those of us in the channel that recognize the enormous opportunity of delivering technology to the healthcare sector, this is an important subject about which to have a first level of understanding. It not only gives us the credibility that our healthcare end users are looking for in a vendor, it also represents an opportunity to deliver valuable advice and services.  Finally, it’s a law that we might fall under if we are in the business of maintaining healthcare communications or information technology (HCIT) platforms, or delivering cloud services.

Similar privacy and security laws exist around the world, requiring partners to play close attention to what is occurring in their regions relative to this topic.

Consider the following facts: In the US, the street value of a stolen social security or credit card number is about $1, and it can be sold for only a few days after it’s been stolen. By comparison, a stolen medical record number has a street value of $50 and can be exploited over a much longer period of time. As Bob pointed out to us, “Credit cards can be cancelled, medical records can’t!” 

The cost to the system is far greater than the cost to individuals. Most media attention has been given to the invasion of privacy concerns over sensitive clinical information that can be obtained and leaked.  However, the great majority of “clinical fraud” is in obtaining prescription narcotics for illegitimate use.

A lesser but still significant cost of clinical fraud is in free care that is delivered. The total cost of clinical fraud and abuse is estimated to be $125 billion to $175 billion per year. In a system with costs that are spiraling out of control, reining this in with the help of privacy and security laws is certainly worth doing.

And yet, 60 percent of US consumers believe the laws are not adequate to protect their Public Health Information (PHI) and 80 percent of regulated entities believe that the laws are too complex. 

This debate is likely to continue for some time and will no doubt be further compounded by political parties, special interest groups, their lawyers and lobbyists. This will have the effect of allowing the economic ramifications to continue and will likely spill over into important initiatives like the implementation of electronic health records and health information exchanges.

I’m sure there is more to it than what we can see from here. But in listening to Bob talk about the regulations, it didn’t seem to me that they were too onerous or difficult to understand. Moreover, they seemed designed to do a reasonably good job protecting individuals’ health information. 

I came away believing that the parties to the debate are exaggerating the difficulties associated with getting these laws promulgated and implemented at the great expense of our system. I think they need to buck up and resolve to not let “perfect” be the enemy of “good enough”.  As the comic line goes, “let’s get ‘er done”! 

Around the world, data protection and privacy legislation is increasingly important and a crucial part of overall IT Governance, and increasingly onerous. It is in this field, in particular, that new laws are emerging on a regular basis. Many of these overlap, or contradict existing laws, and for few of them is there any detailed regulatory implementation guidance or meaningful case law. However, BS10012, which specifies a Personal Information Management System (or PIMS) may bring some clarity to this area.

If you want to better understand the laws regulating the privacy and security of protected health information and what that means to you the reseller, by all means check out the recording of our session.

What are some of the challenges, similar to the ones we have with HIPAA, which you as resellers are facing with compliance in the global market?