HITECH Act Blocking Smaller IT Firms

While some industry estimates have healthcare IT spending expected to reach $34 billion this year government policies and other related issues are preventing small and midsize IT firms from getting their share of the action, according to a report released by IT trade association CompTIA.

Many small and midsize IT firms are sitting on the sidelines of the nation's health IT transformation due to barriers caused mostly by government policies as they relate to education, security and privacy, and technical assistance, said authors of the CompTIA report, Health IT: The Essential Role of Small IT Solution Providers.

The report contends that "several minor changes to existing policy" would help enable small IT products and services providers to play a bigger role in helping the nations tens of thousands of healthcare providers--especially smaller medical providers--transition to digitized patient records and other health IT enabled processes.

So, what are those policy barriers preventing smaller IT firms from playing a bigger role in health IT transformation--and what sort of changes are needed, according to CompTIA?

First, CompTIA contends that the HITECH Act--which allocates more than $20 billion for programs to encourage and support the adoption of health IT by healthcare providers over the next several years--isn't focused on providing opportunities for smaller IT firms to assist medical providers in their move to health IT.

"We understand that HITECH is already far down the road, but we want to get front and center the role IT firms can play" in the nation's transition to health IT, especially in helping smaller medical providers in their adoption of e-medical record and other systems, said Elizabeth Hyman, VP of public advocacy at CompTIA and co–author of the report, in an interview with InformationWeek Healthcare.

The barriers preventing small IT firms from "helping achieve the healthcare and economic potential" include a lack of resources for retraining IT professionals; not fully integrating IT professionals from smaller IT firms in the programs offered by the nation's 62 Regional Extension Centers, or RECs, that are assisting medical providers in choosing and implementing health IT systems; and new HIPAA data breach provisions under HITECH that place "unfair burdens" on IT professionals, said the report.

"While these barriers could significantly limit entry for IT professionals and, therefore, limit the success of the health IT transition for small medical providers, there are opportunities to overcome these barriers, said the report.

The remedies CompTIA is seeking include tweaking some existing policies and in other cases, changing laws.

For instance, under the HITECH Act, millions of dollars were allocated to help community colleges and universities roll out programs to help cultivate a new health IT workforce to help fill a projected shortage of 50,000 health IT professionals over the next several year.

Many of those programs are geared at helping to train new individuals in health IT skills, however, there has been no funding allocated to help experienced IT professionals to gain additional health IT certifications that could bolster their existing skill sets, Hyman said.

In the absence of funding for certification programs, CompTIA is advocating that IT professionals who obtain ongoing education and health IT certification programs also be able to write off the expenses under tax laws.

CompTIA is recommending "adapting existing tax credit programs to help retrain current IT professionals and then phase credits out over time," according to the report. In particular, "we encourage policymakers to amend the Lifetime Learning Credit and Business Education Tax Deduction so that individuals and IT solution providers could offset some of the expense of earning appropriate certifications and skills for the health IT marketplace," the report said.

CompTIA offers health IT certification programs, so such a change in tax laws would not just benefit IT professionals, but help boost interest to CompTIA's offering, too.

As for the nation's 62 RECs--which received a total of $677 million in HITECH Act funding--some RECs take "a vendor and services firm neutral approach" to referring healthcare providers to those companies. However, other RECs do not, said Hyman.

CompTIA wants a uniform and standard process for all RECs to provide referrals, outreach and communication to healthcare providers so that smaller local IT firms--not just large products and services--are also listed on the menu of available region to implement e-health records and other systems, she said.

Also, the products and service offerings sold by larger health IT vendors sometimes aren't geared to the needs of smaller medical providers--especially those with limited budgets. So, by ensuring that smaller IT firms are listed in REC referrals, smaller healthcare providers have access to a wider pool of services firms they might not otherwise know about, she said.

"There's a gap in small and midsized medical providers adopting e-health records systems, so assistance from smaller IT firms could help bridge that gap," said Hyman.

While some RECs have held job fairs and hosted other activities that help connect medical providers with local IT services firms, CompTIA advocates that all RECs across the U.S. offer these events.

RECs should also offer educational seminars and guidance to IT services providers so that all are well informed about the HITECH Act's meaningful use programs and standards, as well as new data breach notification regulations that could impact IT firms that assist medical providers in their health IT rollouts.

In terms of data breaches, recent provisions to HIPAA under HITECH now deem business associates and subcontractors of the covered entities directly liable for complying with the security and privacy rules. That means that unless an IT implementation includes specific encryption and adheres to other "safe harbors," the IT services firm that delivered the products or services to a healthcare provider could be held liable for certain HIPAA violations, said Hyman. Civil and criminal penalties for violations of the HIPAA security rule can range up to $1.5 million, which could crush some smaller firms, said Hyman.

CompTIA is advocating amending the business associate rule of HIPAA, and instead putting back in place the HIPAA liability model that was in place previously. Before HITECH, the HIPAA Security Rule required a covered entity--such as a healthcare provider, rather than its business associates--to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of all personal health information the covered entity creates, receives, maintains, or transmits.

While HITECH provides for a 60-day data breach notification deadline, HITECH also permits states to keep their own data breach notification requirements as long as those laws don't provide less protection than the federal rules.

Some states, including Massachusetts, have a 45-day data breach notification law. The varying deadlines among states make it difficult for many smaller IT firms to keep up with the regulations, said Hyman. CompTIA is looking to have those varying state requirements made uniform by having a federal preemption enacted.

For smaller IT services firms in particular, current HIPAA laws are "chilling," said Hyman.

On Aug. 8, this story was changed to correct the length of HITECH's notification deadline. Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)