Alternatively, you may feel more secure with your servers located remotely at a company that has on-site facilities and personnel trained to maintain your servers and protect them from risks such as malware, fire and earthquakes. Ideally, the service provider you choose will have experience in the healthcare industry and will be familiar with its regulatory requirements. Choose a company that follows the HIPAA rules governing EHRs and EMRs, understands the fines attached to them, and is aware of the growing regulatory burdens introduced by the Patient Protection and Affordable Care Act.
Issue: December 2011
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened the HIPAA regulations by mandating the protection of patient and personal information. HIPAA's Security Rule is now interpreted very broadly, which has resulted in stronger compliance mandates and enforcement powers. Under the HITECH Act, the rules apply directly to all "business associates" in addition to your own organization. Jurisdiction and enforcement now come through state attorneys general, the Centers for Medicare and Medicaid Services, the Department of Health and Human Services (HHS) Office for Civil Rights, the HHS Office of Inspector General and the Joint Commission. Noncompliance or a breach under the new rules brings stiff fines: up to $50,000 per violation and up to $1,500,000 per calendar year. Obviously, a thorough vetting of your service vendor is prudent. Because the provider hosts the data, any breach of confidentiality is more likely to originate with your service provider than in your office practice, so the company you choose must have experience in the highly regulated field of medicine.
If possible, hire a good consultant to help you through the process of selecting a server or a server provider. Talk with other local physician groups about the support solutions that have worked for them, and find the names of local experts who support and maintain servers.
Don't be afraid to ask for help in reviewing contracts and negotiating rates. As a general rule, never use a vendor's template to draw up an IT outsourcing contract. These contracts are heavily slanted towards the vendor and will require a lot of modification, and you likely do not have the expertise to go "head to head" with the vendor's negotiators. Your consultant should know the best way to protect your data and can outline appropriate exit strategies if the vendor does not meet your expectations. The consultant should also help you define a service-level agreement (SLA). Chances are you wouldn't know where to begin, and you might even agree to an SLA whose metrics are "to be determined," which leaves you and your organization in jeopardy. If the SLA is not tied to a penalty, it is merely an objective without recourse; penalties are necessary should you need to force the service provider to meet the expectations outlined in the contract. From my perspective, contract consultants are worth the money, because they can keep you and your organization out of trouble!