How does a healthcare provider piece off some of its health IT in order to work with an India-based outsourcing firm and still maintain compliance with patient and consumer privacy protections? Very carefully.
Pune-based Zensar Technologies Ltd. started in the healthcare space years ago working with payers and continues to provide services for them. Recently the company crossed into the provider space. Many customers are finding ways to use the company's services that don't involve clinical data storage.
The company does offer full IT infrastructure for clients in other market sectors, including data center and end-user computing. But with healthcare clients, the company focuses on services such as ICD-10 impact assessment, remediation and testing; business intelligence services that can handle meaningful use progress tracking and reporting; and connecting EHRs to patient portals. Zensar recently announced data geofencing services, and its executives hope those could also find traction in the U.S. healthcare provider market.
Zensar, which serves customers in 140 countries, also hosts its own data centers in the United States, and signs HIPAA business associate agreements when necessary. "We are very cognizant to the sensitivities associated with data protection and privacy and are very aligned with the way the customer would like to implement the policy," said Krishna Ramaswami, Zensar senior vice president, in an email.
Concerns about enforcing HIPAA regulations away from U.S. soil can lead to some creative health IT outsourcing arrangements. No clinical data leaves U.S. borders, said Ankit Ghosh, senior vice president and head of global infrastructure management practices, in an interview with SearchHealthIT. Similar arrangements exist for pharmaceutical companies Zensar serves in various territories; for compliance reasons, data must reside within the borders of the compliance rules' jurisdiction.
But there is room to move some IT services offshore, especially when it comes to performing analytics on U.S. clinical data for accountable care organization (ACO) reporting and reimbursement. That can be an expensive IT project for providers to take on themselves because it requires scaling up and improvements as an ACO expands to include more physicians and patients. Outsourcing can push construction and maintenance of analytics systems onto a third party.
"While most of the IT work associated with these imperatives is being done within the U.S.," Ramaswami said, "providers have already started offshore pilots with the objective of driving costs down."
There are other ways an offshore IT outsourcing company can aid healthcare providers, too, without handling or storing clinical data. Zensar believes its latest offering, clinical data geofencing, will become popular with healthcare clients. Again, Zensar doesn't touch clinical data; it just builds the virtual fence around a healthcare provider's facility and, offsite, monitors employee comings and goings through it.
While the "fence" itself is a simple concept, the functions can be complex. Through single sign-on systems it controls access to applications and clinical data, and it can also perform mobile device management functions. In addition, the fence enforces policies such as disabling smartphone or tablet cameras and games, and applies Wi-Fi or cellular network policies.
When the employee steps outside the fence, the device settings revert, but other policy enforcement can happen, such as wiping clinical data contained on a device and alerting administrators that the employee has left the building.
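The enter and exit behavior described above can be sketched as a small policy engine. This is an added example, not Zensar's code: the circular fence, the coordinates, the action names and the hysteresis margin (so that location jitter at the boundary cannot trigger a wipe) are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres between two fixes."""
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

@dataclass
class Fence:
    lat: float
    lon: float
    radius_m: float
    margin_m: float = 25.0  # assumed hysteresis band around the boundary

@dataclass
class Device:
    inside: bool = False
    camera_enabled: bool = True
    clinical_access: bool = False
    cached_clinical_data: bool = False

def apply_fix(fence, dev, lat, lon):
    """Update device policy from one location fix; return the actions taken."""
    d = distance_m(fence.lat, fence.lon, lat, lon)
    if not dev.inside and d <= fence.radius_m - fence.margin_m:
        # Clearly inside: restrict the device and open SSO-gated access.
        dev.inside, dev.camera_enabled, dev.clinical_access = True, False, True
        return ["disable_camera", "grant_sso_access"]
    if dev.inside and d >= fence.radius_m + fence.margin_m:
        # Clearly outside: revert settings, revoke access, wipe, alert.
        dev.inside, dev.camera_enabled, dev.clinical_access = False, True, False
        dev.cached_clinical_data = False
        return ["restore_settings", "revoke_sso_access",
                "wipe_clinical_data", "alert_admin"]
    return []  # no transition, or fix falls inside the hysteresis band

# Constructed sample: 150 m fence at a made-up coordinate, three fixes heading north
# (about 56 m, 156 m and 222 m from the centre).
FENCE = Fence(40.0, -75.0, 150.0)
FIXES = [(40.0005, -75.0), (40.0014, -75.0), (40.0020, -75.0)]

def replay(fence, fixes):
    dev = Device(cached_clinical_data=True)
    return [apply_fix(fence, dev, lat, lon) for lat, lon in fixes], dev
```

The second fix lands just past the nominal radius but inside the margin, so nothing fires; only the third, unambiguous fix triggers the wipe and the administrator alert.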
The need for geofencing connected with clinical data storage is driven by bring-your-own-device policies, said Ghosh. While it's technically a way to restrict devices, in practical terms geofencing grants employees freedom to use their own mobile tools while at the same time enforcing compliance needs of the employer.
"This is a very strong concept," Ghosh said, adding that most clients will plug into an existing virtualized desktop infrastructure or thin-client infrastructure to use his company's geofencing services. "In any vertical, the user who used to have one device or even one PC shared by multiple people on different shifts, in the last 18 to 20 months it's become one person using three or four devices."