Magazine Article | October 18, 2012

How Understanding HIPAA Compliance Can Pay Off

By Jay McCall, Business Solutions Magazine

An MSP wins a backup and data deduplication deal with a surgeon’s office by using its HIPAA expertise to help the client understand its points of noncompliance.

As more VARs make the transition to selling managed services, creating a business differentiator becomes even more crucial for operating a thriving business. This is especially true for powersolution.com, a solutions provider/MSP based in Ho-Ho-Kus, NJ, amidst several other IT solutions providers. One of the keys to powersolution.com’s sustained growth (it increased revenue nearly 34% in 2011, and it’s projecting 50% revenue growth this year) has been its IT expertise in healthcare, in particular with HIPAA compliance. This differentiator was illustrated recently when a local orthopedic surgeon’s office conducted an online search for an IT solutions provider and had to choose from among powersolution.com and several other IT solutions providers.

Why “Value-Added” Is Passé
David Dadian, CEO of powersolution.com, recalls meeting with the client for the first time and conducting a preliminary consultation. “One way we’re different from other IT solutions providers is we don’t have a ‘value-add,’” he says. “In other words, we don’t show a client a solution and try to wow them with all the value we can add on the back end. We provide our value up front.” When Dadian and his team first met with the manager and head physician at the practice, he was able to spot a couple of critical HIPAA violations even before sitting down with the client to start the meeting. Dadian started off the meeting asking the physician, Mark Berman, M.D., “Did you know you’re not HIPAA-compliant?” Berman, not knowing how the MSP could know this, was interested to hear more. “I noticed your server is out in the open — HIPAA requires that it needs to be bolted down, and it really should be placed in a secure location,” he said. After a couple of follow-up questions, Dadian and his team uncovered that the practice was also using unencrypted USB drives to transfer data, which was another violation. Also, even though the client was using eClinicalWorks electronic medical records software, which did encrypt data, the practice was performing tape backups, which were not encrypted, and therefore not compliant. The final clincher came when Dadian asked Berman, “Here’s one more question I’m pretty sure my competitors didn’t ask you: ‘Do you have a security policy in place?’” After the surgeon and his manager revealed they didn’t have a policy and Dadian cited potential repercussions, the client was open to the proposed solution.

Proposing A HIPAA-Compliant Backup And Dedupe Solution
After meeting with the client, powersolution.com proposed a managed services solution that included remote monitoring and management of the client’s two servers and five workstations (via GFI MAX) and an image-based backup and data deduplication solution (Datto SIRIS) with an off-site disaster recovery component in Datto’s secure data center. “We also proposed changing out the client’s consumer-grade firewall with a properly configured Fortinet firewall and replacing its present antivirus with our managed AV solution [ESET],” says David Ruchman, CTO of powersolution.com. “The final component of the proposal included helping the client convert one of its closets into a secure server room.” To help keep the client’s out-of-pocket, up-front capital expenditures low, powersolution.com purchased the Datto equipment and rolled the cost of the server into a three-year managed services contract (i.e., Hardware as a Service).

Create HIPAA Compliance, Become A Trusted Business Advisor
Since winning the managed services deal, powersolution.com has become the surgeon’s office’s go-to business partner for all IT-related purchases. “At one point, they needed a new copier, so we helped them purchase an MFP [multifunction peripheral],” says Dadian. “Plus, we now manage the life cycle of all their office equipment and all their IT vendor relationships, including their EMR (electronic medical record) vendor partnership.” Working directly with EMR vendors is another big differentiator powersolution.com offers over other IT solutions providers, according to Dadian. “Whenever there’s an upgrade to the EMR, we set up a conference call with the vendor, come in during the late hours to oversee the upgrade, and assist with server tweaks and resets. Some MSPs are fine with putting the burden on the office manager to handle this task, but we feel strongly that we’re that practice’s IT company.”