The Health Information Technology for Economic and Clinical Health (HITECH) Act has earmarked $19.2 billion of the $787 billion federal economic stimulus package in incentives to encourage healthcare organizations to convert to electronic healthcare record (EHR) implementations.
The $19.2 billion is only a fraction of what the nation's hospitals and doctors will spend for the conversion -- including security to protect patient records. Solution providers can cash in by providing security products and services to support the federal mandate, but capitalizing on this opportunity requires quick and efficient action, as the healthcare industry scrambles to adopt EHR in time to earn incentives that will offset part of the cost.
HITECH, which is part of the American Recovery and Reinvestment Act that passed in February, uses a carrot-and-stick approach to accelerate EHR conversion. Medicare and Medicaid will pay out HITECH Act incentives starting in 2011 -- up to $65,000 per eligible physician, and $11 million per hospital. Healthcare providers that haven't demonstrated "meaningful" use of EHR by 2015 will be subject to penalties.
"This is the time for channel partners to build a practice around healthcare," said Dave Howell, senior manager of solutions marketing at Bedford, Mass.-based RSA, the security division of EMC Corp. "If you wait, it will be too late."
The HITECH Act's breach disclosure requirements for HIPAA-protected patient information are somewhat analogous to the 40-plus state laws for disclosing breaches of personally identifiable information. As with those laws, encrypted information is exempt from the disclosure requirements.
The combination of the incentives and the disclosure requirements may spur security spending. In the past, the federal government hasn't done much in terms of HIPAA enforcement, so healthcare organizations and providers have felt little pressure to invest heavily in security. For example, according to a Healthcare Information and Management Systems Society survey released in October 2008, the majority of healthcare provider organizations devote 3% or less of their total IT budget to security.
"There haven't been a lot of incentives to kick start healthcare security," Howell said. "Now that's happening."
Large organizations have already begun EHR implementations and have some security controls in place, said Khalid Kark, principal analyst at Cambridge, Mass.-based Forrester Research Inc. Small companies, which lack the time, money and resources, will probably move slower.
"The middle section, 50% to 60% of the industry, is working pretty feverishly to get basic requirements taken care of," he said. "For the majority, the incentives are pushing them."
There should also be plenty of opportunities to sell security products and professional services in support of the HITECH Act beyond healthcare providers. Kark said security needs will extend beyond the hospitals to businesses that share patient information, such as medical service providers, insurance companies and government agencies.
"Any data protection technology -- encryption, DLP -- should be pretty big," he said.
Channel healthcare expertise
VARs, integrators and consultants that do business with healthcare organizations obviously have a leg up. Those that don't will need to acquire or develop industry expertise or partner with companies with a proven track record in the healthcare industry, Kark said.
As trusted advisors, VARs are in prime position to provide customers with comprehensive assistance in designing and deploying EHR implementations. VARs can also help customers by recommending implementation of appropriate controls and the security technologies to enforce them.
Smaller VARs may be at a slight disadvantage, Kark said, but can still do well with smaller customers by bringing in the right consulting and technology partners to provide the best possible service.
Kark went on to note that VARs with extensive healthcare industry experience but little security knowledge will need to partner with security specialists. Conversely, VARs experienced in encryption, data loss prevention or wireless security can get in on the EHR business by partnering with existing healthcare IT providers.
"Since they've [healthcare providers] only got a couple of years to earn incentives, a lot of them will rely on a trusted third party to bring together other parties to deliver a solution," Kark said. "VARs have to forge relationships with other companies to provide a holistic solution."
"Then, if you do business with some health care companies, others will come. If not, you will probably be left on the sidelines."