By Fernando Quintero
As of Sept. 23, solution providers face steep penalties for failing to comply with the security disclosure requirements of the Health Insurance Portability and Accountability Act’s Omnibus Rule. Solution providers serving the health care industry must disclose security incidents and detail in contracts their security measures and procedures for responding to breaches.
This is no trivial matter. The Office of Civil Rights, charged with enforcing the Omnibus Rule, promises increased enforcement and hefty fines for infractions. What does this mean in real terms? Recent enforcement fines range from $50,000 to $1.4 million, depending on the severity of the incident — and this is nothing compared to the civil liabilities a solution provider could be exposed to if it fails to prevent a security breach.
Solution providers have dreaded the HIPAA Omnibus Rule since its announcement last year. The nice thing the government did was give the channel a year to prepare and comply with the rule’s requirements. For many, though, a year was not enough time. Security postures and procedures are often subjective, and coming up with precise processes is elusive.
Dread aside, solution providers could look at the Omnibus Rule as an opportunity: HIPAA requires health care providers — covered entities (those that deliver health care and act as the primary custodians of patient data) and business associates (those that provide services to health care providers) — to implement appropriate security controls. Few health care organizations have the expertise to implement and maintain security systems on their own.
Since security is a requirement in the health care market, security solution providers are the most obvious choice for delivering technology systems, services and expert technical support. Health care providers will look for security partners with expertise and the ability to demonstrate compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) legislation.
Security solution providers that comply with the Omnibus Rule can use it as a competitive differentiator. Compliance is a value-add since it demonstrates expertise, commitment to security standards and the ability to help health care providers meet HIPAA requirements. The mere investment in security compliance is proof of a solution provider’s commitment to maintaining a reasonable compliance level.
Just how much of a difference will Omnibus Rule compliance make? It’s hard to say. We won’t find out how many solution providers are in or out of compliance until the first enforcement actions happen; the inverse measure will be the number of solution providers that cry for help. The expectation: There are more companies out of compliance than in, and this will remain true for some time.
So, while HIPAA and its Omnibus Rule are hot and there’s tremendous uncertainty over compliance, buttoned-up solution providers have the opportunity to use their security posture as a market differentiator and sales driver. Now that’s a great prescription for success.
Fernando Quintero is vice president of channel sales and operations for the Americas. He is responsible for McAfee’s partner relationships as well as building strategies related to sales, marketing, operations and profitability, while promoting product and services growth for more than 10,000 partners in the region. His focus and proven understanding of the channel, specifically around partner engagement, value-based productivity, speed of execution and agility, have marked his career with a consistent track record of achievements around the entire partner experience and adoption of McAfee’s products. He has been with McAfee since 2002, holding key sales management positions. Quintero previously served as McAfee’s channel director for the Latin America region.