How to sell HIPAA Secure Now! (and increase your sales and profits!) May 2015
HIPAA and HSN
• This presentation assumes you have a good understanding of HIPAA. You can learn about HIPAA from a variety of sources, including the training provided by HSN.
• This presentation also assumes you understand the HSN product.
• If you are not familiar with either of the above, please spend a few minutes learning, and come back to view the rest of this presentation.
HIPAA: Who is affected?
Myth: We are a small organization so we don’t have to worry about HIPAA
• All HIPAA-regulated organizations (Covered Entities) must comply with HIPAA regardless of size:
  Chiropractors -- Dentists -- Health Insurance
  Physicians -- Podiatrists -- 3rd Party Admins
  Hospitals -- Psychiatrists -- Self-insured orgs
• Who is regulated? ANY organization which accepts insurance, whether private (Aetna, Blue Cross, etc.) or government (Medicare / Medicaid), must comply with HIPAA regulations.
• HIPAA compliance is an ongoing process
HIPAA: The Past
• Most medical records were on paper; now they are electronic and online
• In the past, breaches primarily occurred at hospitals and health insurance companies
• There was no enforcement for small practices
• Smaller organizations were not compliant
HIPAA: What is the problem today?
• Increasing cyber-security threat
• Lots of medical data online
HIPAA: What is the risk?
1. Permanent HIPAA Random Audit Program
• Will begin 1Q/2015
• 500 – 800 organizations of all sizes will be audited
• Will include both covered entities and business associates
• HHS-OCR will use fines to fund its budget
“A major weakness found during the pilot audit program, as well as through OCR breach investigations, has been a lack of thorough risk analysis”
Leon Rodriguez, OCR Director
HIPAA: What is the risk?
2. Meaningful Use Audits Are Already Underway
• Audits by both CMS and OIG
• Pre- and post-payment audits
• Doctors have been fined and forced to return payments
• 1 in 20 (5%) participants (doctors, not practices)
• Failure triggers:
  • Inaccurate submissions
  • Missed requirement: Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.
3. Patients and employees are filing HIPAA complaints
• HHS-OCR must formally investigate complaints that appear to be due to willful neglect
HIPAA: What is the risk?
4. Cost of remediating a breach
Ponemon 2013 Cost of Data Breach Study: estimate $233 per record, not including penalties
Indirect costs
• Turnover of existing customers: loss of customers / patients
• Diminished customer acquisition: customers / patients not using a practice (reputation is damaged)
Direct costs
• Detection and escalation costs: legal, forensic investigative activities, crisis management activities
• Notification costs: IT activities to create a contact database, determination of regulatory requirements, postage, etc.
• Post-data-breach costs: help desk activities, inbound communications from customers, identity protection services, etc.
HIPAA: What is the risk? HIPAA Penalties
HHS Wall of Shame
• Over 1,200 reported breaches of 500 or more records since 2009
• Breaches for all types of CEs and BAs
• SALES TIP: Use the list of violators in your state as a sales tool
HIPAA: Real Life Penalties
• Alaska Mental Health Provider -- $800,000 -- no malware patching; using Windows XP
• Mass Dermatology Office -- $150,000 -- lost unencrypted thumb drive
• Idaho Hospice -- $50,000 -- use of unencrypted laptops
• Arizona Cardiology Practice -- $100,000 -- use of unencrypted email and online calendar
• Mass Ophthalmology Practice -- $1.5 Million -- use of unencrypted laptops
• Colorado Pharmacy -- $125,000 -- improper disposal of medical records
• In all cases the penalties were imposed due to lack of policies and/or Security Risk Analysis
• REALITY: HIPAA FINES, AUDITS AND BREACHES ARE ON THE RISE
How to Achieve HIPAA Compliance
4 major elements to HIPAA compliance:
• Conduct an annual Security Risk Analysis and produce a Work Plan
• Develop Policies and Procedures
• Annual Employee Training
• Documentation
• HSN has all of the above
Why can’t a practice do this themselves?
From CMS: “Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional”
Security Risk Assessment
• Biggest HSN differentiator
• Follows NIST 800-53 guideline
• Personalized interview with a HIPAA expert; not a checklist
• HSN has implemented some of the SRA in software
• A consultant will do it manually
• HSN has a big cost advantage
Other HSN Differentiators
• Online training
• Compliance Portal & Documentation
• Financial Protection
• Minimal time and effort required by practice
• Affordability
• Helps prevent data breaches
• Over 2,000 SRAs performed
• Audit Support
• Over 50 CMS audits survived – no failures
Affordability
• Full Service Pricing – Annual Subscription
  • 1 – 10 Employees: $999
  • 11 – 20 Employees: $1,399
  • 21 – 50 Employees: $1,750
  • 51 – 100 Employees: $2,750
  • 101 – 250 Employees: $3,750
• It’s worth it to spend a little money today to avoid potential penalties and breach remediation costs in the future
Unique Benefit: Financial Protection
• $100,000 HIPAA Breach and Violation Expense Protection
• Breach-related expenses:
  • To determine cause
  • To notify affected patients
  • To provide credit monitoring services
• HIPAA Federal or State Fines
Overcoming Objections
Objection: I can do it myself
Answer: CMS recommends that small practices use a professional
Objection: It won’t happen to me
Answer: Audits, penalties and breaches are on the rise. Do you really want to take the risk?
Overcoming Objections
Objection: I already have a service
Answer: Do you have a professional SRA like HSN? Financial protection? How many audits has your provider defended?
Objection: Meaningful Use is over, I don’t have to be HIPAA compliant
Answer: You always have to be HIPAA compliant
Overcoming Objections
Objection: I did it last year
Answer: You have to perform an SRA and train your employees every year
Objection: My EHR company did it for me
Answer: Chances are they haven’t. Get me a copy of what they gave you and I will take a look at it.
Overcoming Objections
Objection: A checklist is OK for a Security Risk Analysis
Answer: That is not true. In fact, practices have gotten in trouble for assuming that is the case. HIPAA requires a professional SRA, along with an associated Work Plan to remediate security gaps.
What do you have to do to sell?
Get the client to a demo; it’s that simple
How to sell HSN
• A la carte, as a separate service
• Bundled as part of a service offering
• Referred; some partners prefer to have clients buy directly from us
How to market HSN
• Put it on your web site
• Repurpose our blog
• Develop a partnership with:
  • Local medical association
  • Billing company
  • Practice management consultant
  • Healthcare lawyer
  • Insurance company