Episode 258: Gary Pritts helps clients comply with HIPAA and other regulatory requirements

HIGHLIGHTS

Will Bachman: Hello, Gary. Welcome to the show.

Gary Pritts: It’s a pleasure being with you, Will.

Will Bachman: So, Gary, let’s start at the beginning. How did you get into the world of HIPAA?

Gary Pritts: Well, it goes back quite a few years. Probably about 18 years ago, I had a stint with a clearing house, which is … One of the companies that’s involved in transmitting, generally their bills, electronic invoices between healthcare providers and the insurance companies. And so, believe it or not, these folks were the ones that were actually lobbying for what became the HIPAA regulations. What’s a little known fact is that this was a business expansion opportunity for them. They had this complicated world where every insurance company had a different computer format for the electronic bills or electronic claims. And so they thought, “Gosh, if we were to get the government to force the insurance companies to adopt a standard format for the electronic bills, then it would be a lot easier for us to do this and be able to expand our business.” And so they got what they asked for, but the government said, “Hey. Gosh, we’re going to be sending all this private information through cyberspace. Maybe you should put some privacy and security along that as well.” And so they said, “Sure.” And of course they didn’t know what they were saying yes to, but that was kind of the origin of it.

And I was the point person at the clearing house to figure out how to implement all of this stuff. And I recognized a tremendous need because of the complexity of the regulations, and left that company and started Equal Consulting. We focused on implementing HIPAA, which was new for everybody. This was 18 years ago. And so, we worked with over a thousand customers within the first couple of years.

Will Bachman: That’s amazing.

Gary Pritts: So that’s how it all got started.

Will Bachman: Could you describe the services that your firm offers now?

Gary Pritts: Well, what has happened as of late is that the vast majority of the people are interested in the computer security part of HIPAA. HIPAA is pretty broad. It encompasses … well, we’ll just say privacy, security, and then electronic transactions formats, but the computer security side is what most of the people that are looking for our services are interested in. And it’s not really too surprising why this is because if you’ve just picked up a headline anytime in the last five years, you can’t avoid hearing about the multiple data breaches and other cybersecurity incidents that are going on.

And so what we do most commonly is help organizations with the cybersecurity side of their organization, the policies and procedures that are necessary, the various disciplines that are involved in securing their computer networks. So that’s the bulk of it, although we get involved in a wide variety of other things as well.

Will Bachman: What kind of clients are you mostly serving?

Gary Pritts: Well, we have really four segments that we’re involved with, certainly healthcare providers. Those would be doctors and hospitals and providers of all different types. The second is the payer side of things, the insurance companies, third party administrators, those that are involved processing health claims. The third is the government sector. There are a number of agencies, state, county and local that are subject to the HIPAA regulations because generally they’re providing something that is considered a health care service or involved in payment for healthcare. And the fourth is, in HIPAA parlance they’re called business associates. But basically that’s a company that is engaged with, on a contractual basis, one of those first three segments that I just mentioned. So, somebody that’s regulated as a so-called covered entity by HIPAA, if you bring a contractor in, they become your business associate. And that a so-called business associate is also regulated by HIPAA. So that’s a fourth segment, and that’s really a wide variety of different types of organizations. But in our case, we work a lot with technology companies that might be offering things like electronic health records or some kind of service to the insurance industry. So those are the four segments that we deal with.

Will Bachman: And what would some typical projects be for you, both in terms of duration and the kind of deliverables that you provide?

Gary Pritts: Well, the core service offering is the computer security risk assessment. And so if you look at the HIPAA security rules, there are 45 requirements. And the first requirement is that you complete a computer security risk assessment. In the computer security world, the risk assessment is really foundational to any kind of a security program. You need to figure out what bad things could happen, what the likelihood is that they will happen, if they do happen, how bad is it going to be? And then based on that analysis, “What should we do to prevent those bad things from happening?” or to manage them if they were to happen. And so there’s a specific methodology that we use … actually, there are multiple methodologies. One is prescribed by NIST, the National Institute for Standards and Technologies. And there’s another one that we use, it’s called FAIR. There’s a different method for doing this risk assessment.

But what it is, it’s a systematic evaluation of the computer security controls that are in place and exploration of what the business impacts would be if there were some kind of a cyber failure, and then an assessment of the landscape, what kind of threat actors are there out there, nation states, cyber criminals and the like. And based on that, “What are we worried about the most?” And then we try to quantify those various threats in terms of both probability of occurring and the impact, “How bad would it be financially if they do occur?” And that drives the corrective action from the program. So it’s a report, is the deliverable that we give, that follows one of those methodologies that I mentioned.

And then a followup engagement that we have typically would get involved with would be what we call risk management support. And so this is, I think in that consulting world those of us that have spent a lot of time living from project to project, we can appreciate the notion of having some kind of retainer arrangement so that you’re not chasing down projects continually. So the risk management engagement picks off where the security risk assessment leads off, where we’re working on an ongoing basis to address each of those risks that we identified. Sometimes addressing these things might involve some big ticket expenditures, and they can’t be done immediately. And so there’s a lot of balancing and budgeting and project management and prioritization that goes along with risk management, along with documentation that it’s being completed, because risk management is actually the second requirement in the HIPAA security rule. So for compliance purposes you need to also be able to demonstrate that you’re doing something there.

So those are two services that we offer. A third is the creation of policies and procedures. This is something in the HIPAA world they’re very big on. And so we can assist with creating all of those that are compliant with the regulations. And there are others, but what else might you be interested in?

Will Bachman: To do that risk assessment, is there an aspect of that where you kind of get kind of white-hat hackers to see if they can hack into the system and kind of test the defenses? Is that part of it?

Gary Pritts: Yeah. So doing some kind of a, what we would call a penetration test?

Will Bachman: Mm-hmm (affirmative).

Gary Pritts: There are a number of flavors of these tests. So one would be the penetration test. Another would be a what we would call a web application security review. And a third would be what we would call a network vulnerability assessment. So those are three examples of a technical studies that can be a part of one of these risk assessments. And so, depending on the situation, we will include one of these as part of the engagement. Now, if we don’t, it’s often a recommendation that flows from the assessment, the presence or absence of one of these tests. Now, in some cases the organization already has an ongoing program where … maybe they’ve got another consultant that’s engaged to do this type of study that you just mentioned, or maybe they’re doing it internally. But if there is one that has been done, we review the results of that, and that becomes input into the risk assessment process. And if there is one that’s done, whether we do it or whether it was done by somebody else, we’re able to be more precise in the quantification.

So, these are highly confidential reports because they’ve got, often, information that could be used by a skilled attacker to exploit the company, and so you don’t want to … You don’t want anybody to be aware of that because it may take you some time to fix it. And so, to the extent that we have one of these studies, we’re able to be more precise with the things that could go wrong, and it also helps of course with the prioritization. But we’re not the technical specialists that do the most technical jobs. We do have a network of partners that we rely on when we need to do one of those.

Will Bachman: All right. Now, I noticed something on your website, which is something that a lot of independent consultants might be interested in doing something similar, which is you have some … you’ve kind of productized your offering to some degree where maybe if a firm doesn’t necessarily want to hire you to create their policies and procedures, you have some products on your website that companies can just buy. Could you talk a little bit about that aspect of your business?

Gary Pritts: Yeah, sure. So one of the things that is very big with the HIPAA regulations is that organizations that are subject to these regulations are required to have extensive written policies and procedures in place. Now, the reality of putting together these policies and procedures is that they really are highly dependent on the workflows and the type of organization you are. So, just to give you a for example, the policies and procedures for a small doctor’s office are a much different than a major hospital system with, you know, 30 hospitals scattered around the United States, which is a much different than a small consulting firm that might have access to some kind of health information, which is much different than an electronic record software vendor. And so, the policies and procedures need to be specific to the workflows and the type of organization. And so what we’ve done over the course of doing policy and procedure development for almost 20 years now is dealt with that a new type of organization. We’ve put together, I guess you’d say a product, or a little, carefully crafted set of templates that are specifically designed for a certain type of organization.

And so we’ve got HIPAA policies for about 10 different types of organizations, which would include physician offices. It includes third party administrators. These are people involved with self-insured health plans to handle all the claims processing. We’ve got policies for public health agencies. We’ve got policies for what’s called a managed services firm. These are computer companies that manage networks for doctors and computer networks for doctors in hospitals. And so we put those on our website, these policy templates. We have a web store where they’re available for purchase for a nominal price, for a few hundred bucks, as opposed to $10,000 or 5,000 or 20,000, which it might cost to do these on a custom basis. And, turns out, on Google rankings if somebody is searching for HIPAA policies, we come up very highly in the Google rankings, that web store we have.

Will Bachman: That’s fantastic.

Gary Pritts: We sell a few. To be honest, not a whole lot, but that’s often a point of entry for someone that turns into a consulting client.

Will Bachman: Oh, is that right? What have you done to get so high in the Google rankings? Have you invested in SEO, or has it just been you’ve been around so long? How have you gotten that high ranking?

Gary Pritts: Well, we’ve worked at it over a period of probably about seven or eight years, when we really got started with this and earnest. And so we have a marketing company that we work with that does our website and provides us some support. But a big part of it is putting up content. And so we try to understand our market in terms of what kind of information they’re interested in. We do SEO work. We understand what kind of terms are being searched. And so we try to put together a useful, insightful, high quality content on a regular basis. And so that’s probably the core of our SEO effort. We inform that with our analysis of what keywords are being searched. We do work whenever possible to get external references, links from a third parties, and that has paid off.

It’s kind of varied. About five years ago, we had a new program that came out from the federal government, the so-called HITECH Act. It was part of the stimulus bill when the country was melting down economically in 2008, you know, the big financial crisis that we had. Well, this stimulus bill that President Obama signed included the so-called HITECH Act, which was an incentive program to pay doctors and hospitals about $25 billion in order to put in electronic record software. But part of it was they had to comply with one of these HIPAA security regulations. And so it had a specific reference to the code of federal regulations building into it, and nobody knew what it was. So in 2011, we got a tremendous number of inquiries just by having content up there with some very basic SEO.

Will Bachman: Wow, that’s amazing. And today, where does most of your new customers come from? Is it people finding you via the website, or do you go out and give talks at conferences? How do you generate new business?

Gary Pritts: Well, all of the above. But at this point in time, probably most of our business is repeat work. What we try to do is stay as close as possible to our customer. Well, first of all, we try to do as high a quality work as possible. So, that’s really first and foremost part of our marketing effort, is to do good work. We have been lucky to get a word of mouth over the years, but now, based on the base of work that we’ve done and the base of customers, probably half of it is repeat engagements from existing customers.

We also have been active with building a referral partners. And so these partnerships have evolved. They’ve come and gone over the years. But at the moment we’ve got a referral partner that’s a managed service providers. These are computer companies that specialize in providing support to physician’s offices and small hospitals and other healthcare providers. Their customers have a need for these HIPAA services, and so we’ve got an arrangement with one of these organizations whereby they’re providing referrals to us. And, just as a for example, we’ve gotten three deals from that in the last 60 days.

We’ve had other partnership arrangements that we’ve done over the years that have provided dozens of customers, so I guess partnerships has been a big thing for us. And then on an ongoing basis, we’ll get inquiries as a result of our SEO work, people that find us on the web. So that’s probably the third common way.

I guess I’ll mention one final thing. There is a niche that we have. There’s a particular government agency, a county agency here in Ohio, and we’ve established ourselves as the HIPAA leader for this particular type of agency. There are 88 of them, one for each of Ohio’s 88 counties. And so we’re doing some work with that little segment to expand and maximize our position there. And so that’s a series of partnerships with some of the trade organizations and agencies that … There’s some other government agencies that serve those agencies, but that’s a final thing that we’re doing in order to bring business that’s working for us right now.

Will Bachman: I’m curious, has it taken a lot of discipline to stick to HIPAA regulatory compliance consulting? Have you been tempted at some times to say, “Hey. There’s maybe some other regulations. Maybe I should get into financial?” Or has there just been always enough work in HIPAA that you say, “There’s plenty to do here. I may not expand.” Tell me how you’ve thought about that over the years.

Gary Pritts: Well, first of all, we are doing more than HIPAA. And so generally HIPAA has been a way that we’ve gotten you in the front door. But then with our customers that they had some other obligation, and there are probably about 30 different federal state laws that we’ve done some kind of compliance work for. So, an example, there’s a New York cyber security regulation for banking, finance and insurance. And so, one of our customers, a the third party administrator in New York, said, “Hey, can you help us with this?” The answer was, “Absolutely.” And so we’ve assisted with that.

Another example is a community mental health agency in the state of Michigan. They’ve got some complicated compliance obligations related to the state of Michigan, and so we’ve done all that. And I could go on with about 30 more examples. GDPR is maybe the biggest and recent ones, so the new European Union privacy regulation.

Will Bachman: Sure.

Gary Pritts: So we’ve done work for that as well. So, we have gone beyond HIPAA, but HIPAA has been kind of a marketing core. Right now actually we’ve made a decision that we will be going beyond the HIPAA regulations. We’re going to be, because the cyber security crisis … I’ll call it a crisis because of everything that’s been going on in terms of cybersecurity, both in … If you look at the banking and finance system, the fraud that’s gone on, cyber theft. In the defense community, our country is coming under attack from adversaries that are stealing our defense technology, and in some cases implementing it before we are. And so the Department of Defense has a new program where they’re going to be requiring all defense contractors to get a cyber security certification. This is going to effect about 350,000 defense contractors, and it’s going to be a mandatory certification, and that’s a market that we’re looking at.

Will Bachman: That sounds like a pretty big market.

Gary Pritts: Yeah.

Will Bachman: What should consultants listening to this show know about HIPAA in terms of … Let’s say you’re serving a healthcare client. At what point would you become subject to the terms of HIPAA and have to start worrying about complying with HIPAA and having a HIPAA policy and so forth? When would you start falling under the umbrella?

Gary Pritts: If the scope of the engagement has anything to do with patient information, then they would be subject to the HIPAA regulations. So, for example, if there’s any kind of … And it could be computer information, or it could be just looking at a patient name. If the nature of the consulting work is more high level, let’s say there was a strategic planning engagement, deciding what kind of services to offer at the business planning level, where there was no involvement with any patient information, then you would not be subject to HIPAA at all. So the key is whether any patient information is part of the scope of work.

Now, there’s often some misunderstanding, by the way, where if there’s anything sometimes even kind of remotely related, the health care organization will ask you to sign one of these business associate agreements. In which case, you could do a little bit of pushback. But if there is no HIPAA liability, it often doesn’t really a hurt to just sign the agreement, even if you’re not a business associate. But anyway, there’s a contract that the healthcare or the covered entity will ask you to sign. It’s a very specifically prescribed contract and the regulations called a HIPAA Business Associate Agreement. And so you might get asked to sign one of these.

And if you are using patient information, you could … probably you might be a good candidate for a set of policy templates that we don’t have out there yet, but I’ve thought of putting those out for consulting organizations that might have some involvement or exposure to health information. But anyway, give us a call if you’re in that need.

Will Bachman: All right. And on that note, what is the best way for folks listening to this show to find you? If you want to give out either a website or a phone number or Twitter.

Gary Pritts: Sure. The website would probably be the easiest. It’s, like a bird, Eagle, Eagle Consulting Partners, plural, Partners.com. EagleConsultingPartners.com, and you can find a link to get directly in touch with us from there.

Will Bachman: Fantastic.

Gary Pritts: And we’d be delighted to talk to you, even if you just have a question.

Will Bachman: All right. That’s awesome. And it sounds like also if … For consultants on this show who are aware of a client that maybe has a HIPAA question or maybe needs some HIPAA compliance support, it sounds like that you would be interested to have that discussion about getting referred into new clients.

Gary Pritts: Yeah, absolutely. And let me just mention that we work quite a lot with other parties and all different relationships. And we’d be happy to even pay a … If you’re interested in a referral fee, if you have a lot of customers and that. But we would be, again, delighted to provide any kind of help, guidance to you regarding any obligations that your customers might have.

Will Bachman: All right. Well hey, Gary, thank you so much for joining the show. It was very cool hearing about how you’ve built a thriving practice focused on HIPAA and then expanding from there.

Gary Pritts: Well, Will, it was a pleasure speaking to you. And I wish you and your listeners a good day.