New healthcare regulations: Are ASPs just what the doctor ordered?

It might be a good idea to add a course in technology to medical school curricula. After all, healthcare organizations have to spend a growing amount of time enabling their offices with technological tools. The U.S. Health Insurance Portability and Accountability Act (HIPAA), a set of standards for healthcare transactions, privacy protection and security, offers a new set of challenges. Organizations have to comply with the first round of guidelines by April 2003, meaning they're hard-pressed to get new technology in place that will help them meet the regulations. That's where ASPs come in, promising quick time to market and fewer internal headaches.

Jon Bogen is a former hospital administrator who founded and serves as president of HealthCIO Inc., a market research firm and consultancy for information technology suppliers to the healthcare industry. He also sits on the New England HIPAA workgroup comprised of healthcare providers and consultants. Bogen talks with searchSecurity News Editor Jon Panker about whether ASPs are the right fit to help healthcare organizations beat these HIPAA deadlines.

I know HIPAA requires a lot of added training for healthcare employees? Can ASPs help out in that process too?
HIPAA is a great training opportunity for your staff. That means that it is a big opportunity for e-learning ASPs. It's huge because of the certifications needed to comply with HIPAA. (Without e-learning) you'd have to go to some location to get trained. This is so much easier and would keep track of all those certifications (once they're obtained), as opposed to having them on paper. What sorts of questions should a healthcare organization ask an ASP in regard to HIPAA before agreeing to use that ASP?
One, is has the ASP worked in healthcare. It's a whole different industry. If they haven't, I would have some concerns. The second thing is who is on their security team. Do they have a computer security systems professional? What's their plan for securing the data? It should be clearly posted. What are their backup and recovery mechanisms? If the data is corrupted or there's a problem, you're in trouble under HIPAA. In terms of HIPAA compliance, what types of applications can ASPs help with?
Basically, RACER transactions (referrals, authorizations, claims submission, eligibility checking and remittance) from provider to health plan. RACER transactions are a pain in the neck and involve a lot of time and extra staffing. Also, there is the question of HIPAA confidentiality and privacy of PHI (protected health info) is an issue with faxing, phoning... We're talking about these types of transactions, which can be avoided by using "secure" Web-based systems. So, as the HIPAA deadline nears, what do you see happening with the healthcare ASP market?
I think you will see the trusted health IT companies, the 800-pound gorillas out there, either launching ASP initiatives or, if there are any ASPs left standing, acquire them. I don't think the investment community is going to continue to fund ASPs because the profit is not there. I don't think we're going to see many new ones popping up. So, you recommend using a vertical market ASP specifically tailored for the healthcare industry?
I think my spin would be either hire an ASP that specializes in healthcare or hire an ASP that has done enough healthcare work to understand it. If someone says they know about healthcare, and they have worked with the manufacturing or the hotel industries, then forget it. Healthcare has its own set of rules and definitely a unique set of data. It is the only service industry that bridges financial data plus clinical data. Is it fair for ASPs to say that they are HIPAA compliant?
No, of course not. They should not be saying that. The security rules (for HIPAA) aren't even final. There's no agency to accredit you (as HIPAA complaint). Remember, HIPAA is not a technology issue. Technology is an enabler. It is a business compliance and regulatory issue. Technology will help you comply with pieces of HIPAA, but unless your people are trained, forget it. Because the ASP market is tight, do you think some ASPs will pop up to take advantage of this market?
They've tried and failed. Some have popped up and gone out of business. Is a larger or smaller healthcare company a better fit to use an ASP's services to comply with HIPAA? For instance, would a small medical group want to turn to an ASP?
The opportunity for ASPs is in the independent provider market ? medical groups, small physician offices, labs. The majority of healthcare delivery does not take place in large institutions. Most of these smaller organizations have no IT infrastructure at all. Many have a Windows 95 computer. Very few even have an NT network. And, they tend to have these proprietary practice management systems, many Unix based. They may have a PC, which would be easy to Web-enable and have them use an ASP. But no one has been terribly interested in the smaller market because it is hard to get the economy of scales there. Plus, it's tough to sell to those small independent offices. So, it's kind of ironic that the organizations that can most take advantage of ASP services, may not be able to find a provider.
That's right.

Dig deeper on Secure SaaS: Cloud services and systems

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close