There are several pitfalls, starting with:

Lack of Customization: Off-the-shelf solutions often can’t be tailored to the specific needs of healthcare organizations, resulting in incomplete or inefficient data processing.

Compliance Issues: These solutions might not keep up with the latest HIPAA and other regulatory requirements, risking non-compliance and potential fines.

Scalability Challenges: Off-the-shelf software may struggle with increased transaction volumes as organizations grow, leading to performance bottlenecks.

Integration Difficulties: Integrating with existing healthcare systems like EHRs and PMS can be cumbersome and error-prone with off-the-shelf options.

Hidden Costs: Initial costs might seem low, but additional fees for features, licenses, and support can quickly add up.

Vendor Lock-In: Dependence on a single vendor can lead to significant disruption if the vendor changes pricing, policies, or support structures.

A custom EDI solution offers several advantages:

Tailored Fit: Custom solutions are designed to meet specific organizational needs, ensuring efficient handling of 834 files and other EDI transactions.

Compliance Assurance: Custom solutions can be built to adhere to the latest regulatory standards, ensuring continuous HIPAA compliance.

Scalability: Designed with scalability in mind, custom solutions can handle growing transaction volumes without performance issues.

Seamless Integration: Custom solutions can integrate smoothly with existing healthcare systems, minimizing errors and improving data flow.

Cost Efficiency: Though initially more expensive, custom solutions can reduce long-term costs by avoiding hidden fees and reducing licensing expenses.

Control and Flexibility: Custom solutions offer full control over updates and support, minimizing the risk of vendor lock-in and providing adaptability for future needs.


Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!

Transcript:


Adam
Hello, and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. This is episode 55. I’m Adam Zeineddine, and joining me, as always, is the CTO and founder of HIPAA Vault, Gil Vidals. Good afternoon, Gil.


Gil
Hey, Adam. Good to see you. Excited to talk more about EDI today.


Adam
Yep, excited to dive into it, too. So today we’re going to be talking about, paraphrasing here, why off-the-shelf EDI software sucks and why custom solutions are important. So, yeah, sorry for the paraphrasing there, Gil, but that’s essentially what we’re talking about here.


Gil
Well, yeah, I think so. When we say it sucks, I mean, there are cases where there are customers that have EDI needs. They can go to one of the platform providers that charge $0.20 or $0.50 per member transaction. And it works for them because the data is just ready to roll and they can just pump it in there so it can work. We don’t want to knock the competition like that completely, but it can suck. It really can suck, especially if you go to a platform provider that says, well, you need to massage the data into the format we need, and next thing you know, you’re hiring programmers who are spending months trying to get the data in the format they want before they can process it. And that’s kind of what we want to talk about today.


Adam
Yeah. So what are the advantages to customization for EDI?


Gil
I think the advantage and the customers we’ve had, what they’ve told me is that, well, we have EDI transactions we have to process, and they don’t have the time nor the desire to manipulate their data to fit the format required by the platform. So the platform will process the data only when it’s in the right model that they require. And sometimes that’s a heavy lift. You know, maybe not for everybody. For some people might say, oh, that was easy. I just, you know, changed a few columns and, you know, I’m good to go. But for a lot of companies, probably the smaller ones, you know, they don’t have software engineers available to them. They have to think, okay, what do I do? I need to get all this data translated to fit the platform. 


Gil
And it’s frustrating for them, Adam, because the whole point of what they’re looking for is to take their data and transform it into EDI. But kind of what they’re having to do is first take it, massage it, and transform it so that it fits into the platform, and then the platform spits out the EDI. So there’s this whole intermediary step that they say, look, you and your team, you guys figure out how to, we’ll send you our data just as it is. We’re not going to change anything. We’ll deliver it to HIPAA Vault. And HIPAA Vault, you figure out how to do all these somersaults to get it to fit into the platform, into your platform.


Adam
Yeah. And I see it seems to come down to ownership of the, of the EDI system. Right. Because what I’m seeing is like I had a customer a couple of weeks ago, where they’d started off with an off-the-shelf EDI solution, and it fit their needs for a certain amount of time. But as the amount of transactions and claims that they were processing for the 834 files was growing, they started to face more and more issues, and compliance became an issue as well because they don’t own the software when it’s off the shelf and they don’t have any control over how the software works and the security and all that. So what kind of compliance areas are important to consider as, you know, as the transactions scale?


Gil
Well, for compliance, I think that the same applies regardless of if you have fewer or greater transactions for scale. I think scaling is more of an infrastructure issue where, hey, we’re going to have a lot more transactions. Can you process those timely? Is it going to take many hours and errors, or can you do it, you know, timely? But as far as compliance goes, it is a little bit concerning if you have some desktop software, because first of all, you’ve got to download that software. You own the software, you buy the license. Now it’s your software, and you have to put it on your desktop computer. And if it’s not in the cloud, you know, there are other models in the cloud, but let’s talk about the desktop model. 


Gil
So if you’ve got software you downloaded, it is sitting on your desktop, and you have your analyst, your claims analyst, and they’re processing it. That’s concerning because, well, what happens if something happens to that laptop? You know, they go home for the evening and they take the laptop with the software on there, and then they come back and say, hey, some guy grabbed my laptop from the trunk of my car. I don’t like that desktop solution at all. I’d rather go for the cloud. So I would say desktop is probably the worst case scenario. And then if it’s in the cloud, then I think that’s a better solution. Why? Well, because the vendor should be responsible for the HIPAA compliance of their software. That’s their responsibility. 


Adam
What about integration? Because obviously if you’re going with an off-the-shelf product, often the integration relies on the software being compatible with any. Let’s say, let’s say you have to connect to a new vendor’s EHR. How are you able to keep up to date with the latest and greatest in EHR systems and the way they connect?


Gil
Yeah, I mean, the EHR systems like Cerner, Epic, you know, they’re all going to have their APIs, documented and all of that. But you’re right, there’s some maintenance to be done to keep up with the different APIs. But converting the data is something that is important because it has to be done timely. If it’s not done timely, then the billing is later and that affects your cash flow. If you’re doing claims and it’s not done timely, then your cash flow gets kicked down the road a few days or weeks, and then that becomes a cash flow problem. So that’s a real concern.


Adam
Is there something to be said about not necessarily going with the most popular EDI solution out there and going for a custom approach, simply from a security point of view where maybe more eyes are on that software, more hackers are attempting to find vulnerabilities in it. 


Gil
And so, yeah, I don’t know if that would be the case because I mean, eventually companies become successful, they’re going to be the more popular one. So they have to have good security, you can’t avoid that for long. But I would say that if you’re selecting a vendor for EDI, you want to avoid the desktop method and go for something that’s in the cloud by a vendor who acknowledges HIPAA compliance. And if you’re a company that has a software engineer on contract or as an employee, and you can manipulate the data so it fits into the platform and the platform has a good price, that works for you.


Gil
But if you’re a company that doesn’t really have the time or the desire to retrofit your data into the platform, then the solution that HIPAA Vault offers where we can take the data as is and then convert it ourselves into the EDI format and then deliver it back to the customer, I think that works out. So you have to just consider your options and where you are in terms of resources. It’s a time and labor type of thing. So do you have the time? Do you have the engineers available? So let’s assume that even if you do take, let’s say you go for the platform solution and you’re happy, everything’s working fine. Day one, somehow you’ve got your data from your system into this platform that you’re buying for the EDI transactions and you’re happy. Let’s say price is good.


Gil
Then the EDI, the vendor will send you eventually a notification saying, hey, we’re changing X, Y, and Z fields. So then you got to go back and do some maintenance, say, okay, who do we have on staff that knows how to go in and manipulate the data? So now it will adhere to the new requirements, right? So you have new requirements, or what happens if there’s, what happens if you’re rejected? Your EDI transaction is rejected with an error code. Hey, code 1256. That means that the Social Security number had an extra digit. It’s too long, something’s wrong. You got to go in and fix all these things. So that’s a burden or at least a maintenance requirement that your company has to be willing to accept that and work with that. 


Gil
Where I contrast that with what we’re offering is we like to just help the customers out, and then if they have an issue, it doesn’t work, they just notify us and we go in there and fix that. It’s our obligation to do that. 


Adam
If you’re listening or watching and you do have a requirement for EDI and you’re looking for a more custom solution, HIPAA Vault can help. You can visit hipaavault.com. We have a dedicated EDI solutions page where you can check out more information on our EDI products and book a discovery call as well. Gil, is there anything that someone reaching out to us should have in mind in terms of what kind of information we’re looking for to scope out, or can they just come in, ask the questions, and we’ll figure a solution for them?


Gil
Yeah, I mean, a scoping call. You know, it’s pretty broad, but typically we’re looking for what kind of transactions? Is it benefit enrollments? Is it claims? And then how many transactions are they looking to do on the average month? And then if there are any special cases, like if they have some special conditions that need to be met. So that’s typically what we’re looking for. 


Adam
Cool. Very cool. All right, so let’s move on to our next topic. And that is some news from ARPA. And ARPA is announcing a program to automate cybersecurity for healthcare facilities. Gil, so the program seeks to protect operations and ensure continuity of patient care. This article I’ll link in the description below, but the headlines from it are obviously that announces a program to enhance automation for cybersecurity for healthcare facilities. What they’re specifically looking at is within hospitals, there are medical devices that have software installed on them, and they’re becoming more intelligent. However, the issue is with vulnerabilities that arise on the software, on the medical devices, and how long it takes to patch those vulnerabilities.


Adam
So they’re coming up with a program and they’re asking for contractors to bid for this, to basically streamline the patching process for specific devices and work with vendors to get patches out quicker. Sometimes it takes, to give you an idea, it takes like years, sometimes at the worst case, months at the best case, to release a patch once the vulnerability is discovered. So they’re looking to improve that. And I thought that was quite an interesting development here. The program is called UPGRADE, which stands for Universal Patching and Remediation for Autonomous Defense program. So quite a mouthful.


Gil
That was a mouthful, yeah. Patching the applications and keeping them up to date is really important. That is one of the major tasks. As somebody who wants to keep their systems compliant, they need to have all the patches applied, especially the ones that are security centric. They need to apply those in a timely way. And that’s a lot of work. It’s not something that is trivial. It requires a lot of timing. In other words, keep an eye on the vulnerabilities and which ones require a patch. You have to, it’s a continual churn. You can’t do it once a year, you’re doing it at least once a month. 


Adam
Okay, our final topic is our popular, ever popular breach of the week. And this week we’ve got a report from the HIPAA Journal. A New Jersey dermatology practice suffers 380,000 record data breach. So New Jersey based Affiliated Dermatologists have announced a major breach of patient data. On March 5, the ADDS found a ransom note on its network that claimed its network had been breached and data had been stolen. They notified its third-party vendor, its third-party IT provider, and brought in cybersecurity specialists to investigate and verify the threat actor’s claims and determined that there had been unauthorized access to the network between March 2 and March 5. Evidence was also found confirming files had been copied from its network. So that doesn’t look very good. Including they verify it.


Adam
They’ve confirmed as well that compromised employee information includes names, mailing addresses, birth dates, Social Security numbers, driver’s licenses, and passport numbers. It’s taken several steps to improve security to prevent future incidents. Yeah, it’s obviously offered credit monitoring, but this is another ransom. It looks like a ransomware attack. They said there’s a ransom note, but there’s been no confirmation as to whether they’ve reached out and paid the ransom or not as of today. So if you have any questions about any of the topics we discussed in today’s episode, please reach out to us. You know where to find us: hipaavault.com. Thanks for sharing. Thanks for liking. Thanks for subscribing. And you can also email us at podcast@hipaavault.com, and until next time from us, thank you for stopping by.