HIPAA is a great training opportunity for your staff. That means that it is a big opportunity for e-learning ASPs. It's huge because of the certifications needed to comply with HIPAA. (Without e-learning) you'd have to go to some location to get trained. This is so much easier and would keep track of all those certifications (once they're obtained), as opposed to having them on paper.
What sorts of questions should a healthcare organization ask an ASP in regard to HIPAA before agreeing to use that ASP?
One is, has the ASP worked in healthcare? It's a whole different industry. If they haven't, I would have some concerns. The second thing is who is on their security team. Do they have a computer security systems professional? What's their plan for securing the data? It should be clearly posted. What are their backup and recovery mechanisms? If the data is corrupted or there's a problem, you're in trouble under HIPAA.
In terms of HIPAA compliance, what types of applications can ASPs help with?
Basically, RACER transactions (referrals, authorizations, claims submission, eligibility checking and remittance) from provider to health plan. RACER transactions are a pain in the neck and involve a lot of time and extra staffing. Also, there is the question of HIPAA confidentiality, and privacy of PHI (protected health info) is an issue with faxing, phoning... We're talking about these types of transactions, which can be avoided by using "secure" Web-based systems.
So, as the HIPAA deadline nears, what do you see happening with the healthcare ASP market?
I think you will see the trusted health IT companies, the 800-pound gorillas out there, either launching ASP initiatives or, if there are any ASPs left standing, acquiring them. I don't think the investment community is going to continue to fund ASPs because the profit is not there. I don't think we're going to see many new ones popping up.
So, you recommend using a vertical market ASP specifically tailored for the healthcare industry?
I think my spin would be either hire an ASP that specializes in healthcare or hire an ASP that has done enough healthcare work to understand it. If someone says they know about healthcare, and they have worked with the manufacturing or the hotel industries, then forget it. Healthcare has its own set of rules and definitely a unique set of data. It is the only service industry that bridges financial data plus clinical data.
Is it fair for ASPs to say that they are HIPAA compliant?
No, of course not. They should not be saying that. The security rules (for HIPAA) aren't even final. There's no agency to accredit you (as HIPAA compliant). Remember, HIPAA is not a technology issue. Technology is an enabler. It is a business compliance and regulatory issue. Technology will help you comply with pieces of HIPAA, but unless your people are trained, forget it.
Because the ASP market is tight, do you think some ASPs will pop up to take advantage of this market?
They've tried and failed. Some have popped up and gone out of business.
Is a larger or smaller healthcare company a better fit to use an ASP's services to comply with HIPAA? For instance, would a small medical group want to turn to an ASP?
The opportunity for ASPs is in the independent provider market - medical groups, small physician offices, labs. The majority of healthcare delivery does not take place in large institutions. Most of these smaller organizations have no IT infrastructure at all. Many have a Windows 95 computer. Very few even have an NT network. And, they tend to have these proprietary practice management systems, many Unix based. They may have a PC, which would be easy to Web-enable and have them use an ASP. But no one has been terribly interested in the smaller market because it is hard to get the economies of scale there. Plus, it's tough to sell to those small independent offices. So, it's kind of ironic that the organizations that can most take advantage of ASP services may not be able to find a provider.