HEALTHCARE IT FUNDING: "HIPAA-COMPLIANT" MEANS WHAT?
NEW YORK, NY - Cabot Adams LLC releases its latest industry report on trends in Healthcare IT venture funding. Stephen Dunn, Director of Life Sciences comments on what venture capital investors should look for in Healthcare IT funding candidates:
With numerous Healthcare IT companies seeking venture funding, the phrase "HIPAA-Compliant" has become a standard bullet point in business plans. The difficulty confronting venture capital investors is how to verify that claim during due diligence. Indeed, some VCs are not yet comfortable in their understanding of the true nature and scope of HIPAA requirements.
HIPAA is short for The Health Insurance Portability & Accountability Act of 1996 and was intended to standardize all healthcare information and transaction codes to facilitate data communications throughout the entire industry. In addition to the standardization of patient health, administrative and financial data, it mandated unique health identifiers for individuals, employers, health plans and health care providers. Behind the scenes however, it was the necessary first step in allowing for the possibility of a nationalized U.S. healthcare system.
While the potential for administrative cost savings was high, it was also clear that large quantities of sensitive patient data would now be at risk of misuse or public disclosure through unauthorized computer intrusions. Therefore, HIPAA mandates security standards protecting the confidentiality and integrity of "individually identifiable health information," whether it concerns a patient's past, present or future health. Compliance with the privacy rules is required by April 14, 2003, while compliance with the transactions and code sets rules is required by October 16, 2003 (the extended deadline for entities that filed for the one-year extension). The penalties for violating HIPAA regulations range from a civil fine of $100 per violation all the way up to criminal fines and a 10-year prison sentence for offenses committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm.
So what should VCs look for in a Healthcare IT investment? The most important factor is system flexibility. We fully expect the government to continue issuing new HIPAA requirements long after the deadlines have passed. If the system lacks flexibility, VCs could find their prize investment drowning in software re-engineering costs while losing sales to compliance delays.
In particular, the system should have the ability to add new data fields for input and storage without code changes. All fields should accept the complete range of alphanumeric characters at variable widths, and identifier fields must be stored as text rather than numbers so that leading and trailing zeros and multiple hyphens survive storage unchanged. The field definitions should then be locked so that input validation is enforced consistently, but an administrator must be able to reconfigure them when a new requirement arrives.
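As an added illustration of the field design described above (example code, not from the Cabot Adams report or any vendor's product), the following Python sketch defines fields as a reconfigurable schema, keeps identifier values as strings so leading zeros and hyphens are preserved, rejects any field not in the schema, and refuses new definitions while the schema is locked. The field names (member_id, claim_ref, provider_id), lengths and character sets are hypothetical and chosen only for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    """One configurable input field. Values are kept as strings so that
    leading/trailing zeros and hyphens survive storage unchanged."""
    name: str
    min_len: int
    max_len: int
    charset: str = r"[A-Za-z0-9-]"   # alphanumeric plus any number of hyphens


class FieldSchema:
    """A field set that is locked for validation in production but can be
    unlocked and extended by an administrator when a new requirement arrives."""

    def __init__(self) -> None:
        self._fields: dict[str, FieldSpec] = {}
        self._locked = False

    def add_field(self, spec: FieldSpec) -> None:
        if self._locked:
            raise PermissionError("schema is locked; call unlock() before adding fields")
        self._fields[spec.name] = spec

    def lock(self) -> None:
        self._locked = True

    def unlock(self) -> None:
        self._locked = False

    def validate(self, record: dict) -> dict[str, str]:
        """Return {field: reason} for every rejected value; an empty dict means
        the record is acceptable. Unknown fields are rejected, so a locked
        schema acts as an allowlist of what the system will store."""
        errors: dict[str, str] = {}
        for name, value in record.items():
            spec = self._fields.get(name)
            if spec is None:
                errors[name] = "unknown field"
                continue
            if not isinstance(value, str):
                # int("00123") == 123: numeric coercion silently drops leading zeros.
                errors[name] = "must be a string (numeric coercion drops leading zeros)"
                continue
            if not spec.min_len <= len(value) <= spec.max_len:
                errors[name] = f"length {len(value)} outside {spec.min_len}..{spec.max_len}"
            elif not re.fullmatch(f"{spec.charset}+", value):
                errors[name] = "contains characters outside the allowed set"
        return errors


def leading_zero_survives(value: str) -> bool:
    """True only if a round trip through an integer leaves the identifier intact."""
    return str(int(value)) == value


def build_demo_schema() -> FieldSchema:
    """Constructed sample schema; the field names and widths are hypothetical."""
    schema = FieldSchema()
    schema.add_field(FieldSpec("member_id", min_len=5, max_len=20))
    schema.add_field(FieldSpec("claim_ref", min_len=1, max_len=30))
    schema.lock()
    return schema


if __name__ == "__main__":
    schema = build_demo_schema()
    print(schema.validate({"member_id": "00123", "claim_ref": "AB-12-3400"}))
    print(schema.validate({"member_id": 123}))
    print("leading zero survives int():", leading_zero_survives("00123"))
```

The lock/unlock split is deliberate: validation runs against a frozen definition in production, and adding a field (for example a new digits-only identifier) is an explicit administrative step rather than a code release.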
Data and transaction information, both inside and outside the system, must be protected using encryption, and all outside communication channels should be carried over a VPN (Virtual Private Network). Wireless networks, especially those using the 802.11 wireless LAN or Bluetooth standards, must be locked down and tested, since their radio traffic can be intercepted by anyone within range.
The final step is to ensure the system allows access only to authorized personnel, from an authorized location and at an authorized time. Special attention should be given to systems that automatically email or fax data, so that they will send only to authorized addresses or phone numbers. This "triple-lock" method requires additional system administration work, but it gives the customer a demonstrable safeguard to point to if a security breach nonetheless leads to a claim of non-compliance.
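As an added example of the "triple-lock" check and the outbound destination allowlist described above (example code, not from the report or any vendor's product), the following Python sketch evaluates a request against who, where (source network) and when (weekday and time window), and checks automated email and fax destinations by exact domain or canonical number match. The user name, the 10.20.0.0/16 clinic network, the hospital.example domain and the 212-555-0100 fax number are constructed sample values.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRule:
    """Who may use the system, from where, and when."""
    user: str
    networks: tuple[str, ...]      # authorized locations as CIDR blocks
    start: time                    # authorized window on the local clock
    end: time                      # may be earlier than start to wrap past midnight
    weekdays: frozenset[int]       # 0 = Monday ... 6 = Sunday


class TripleLock:
    def __init__(self, rules: list[AccessRule],
                 email_domains: set[str], fax_numbers: set[str]) -> None:
        self._rules = {r.user: r for r in rules}
        self._email_domains = {d.lower() for d in email_domains}
        # Fax allowlist is kept canonical: digits only, country code included.
        self._fax_numbers = {re.sub(r"\D", "", n) for n in fax_numbers}

    def check_access(self, user: str, source_ip: str, when: datetime) -> tuple[bool, str]:
        """Personnel, location and time must all pass; the reason names the failing lock."""
        rule = self._rules.get(user)
        if rule is None:
            return False, "unknown user"
        addr = ip_address(source_ip)
        if not any(addr in ip_network(net) for net in rule.networks):
            return False, "location not authorized"
        if when.weekday() not in rule.weekdays:
            return False, "day not authorized"
        t = when.time()
        if rule.start <= rule.end:
            in_window = rule.start <= t < rule.end
        else:  # window wraps midnight, e.g. a 22:00-06:00 night shift
            in_window = t >= rule.start or t < rule.end
        if not in_window:
            return False, "time not authorized"
        return True, "authorized"

    def check_destination(self, kind: str, dest: str) -> tuple[bool, str]:
        """Automated email/fax may only go to allowlisted destinations."""
        if kind == "email":
            if dest.count("@") != 1:
                return False, "malformed address"
            domain = dest.rpartition("@")[2].lower()
            # Exact match only: a suffix match would accept hospital.example.attacker.test
            if domain in self._email_domains:
                return True, "authorized"
            return False, "email domain not authorized"
        if kind == "fax":
            if re.sub(r"\D", "", dest) in self._fax_numbers:
                return True, "authorized"
            return False, "fax number not authorized"
        return False, "unknown channel"


def build_demo_lock() -> TripleLock:
    """Constructed sample policy; user, network and destinations are made up."""
    rule = AccessRule(
        user="dr_smith",
        networks=("10.20.0.0/16",),          # the clinic LAN
        start=time(7, 0), end=time(19, 0),   # business hours
        weekdays=frozenset(range(0, 5)),     # Monday..Friday
    )
    return TripleLock([rule], {"hospital.example"}, {"+1 212 555 0100"})


if __name__ == "__main__":
    lock = build_demo_lock()
    print(lock.check_access("dr_smith", "10.20.3.7", datetime(2003, 4, 14, 9, 30)))
    print(lock.check_access("dr_smith", "192.0.2.5", datetime(2003, 4, 14, 9, 30)))
    print(lock.check_destination("email", "records@hospital.example.attacker.test"))
    print(lock.check_destination("fax", "+1 (212) 555-0100"))
```

Two details matter in practice: the destination check matches the whole domain or the whole canonical number, never a prefix or suffix, and every denial returns which lock failed so that the audit trail can show the safeguard operating.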
Finally, the company must have solid customer support and "rapid response" procedures for fixing security-related bugs and installing those fixes at all customer sites. HIPAA penalties are assessed per violation, and a single security bug in a widely installed product is replicated at every site running it. If 100 hospitals have the same security bug, the company could theoretically be responsible for 100 separate penalties under HIPAA.
Clearly, investors should not ignore the legal liability issues facing Healthcare IT companies. While the customers bear the primary legal liability for non-compliance, they will require the Healthcare IT companies to indemnify them for system failures as a condition of sale. While this cannot be avoided entirely, the amount of the liability can be limited through negotiation during the sales process.
The good news is that the entire healthcare industry has no choice but to upgrade their systems and procedures to meet HIPAA requirements. This provides an outstanding opportunity as once a healthcare entity installs a system, they generate a reliable licensing revenue stream for many years, even decades, as the cost to switch vendors is prohibitive.
The savvy venture capital investor will also recognize that the system security components developed for HIPAA are also directly applicable to any high-security infrastructure such as that needed by the new Department of Homeland Security. Those companies with strength in government healthcare contracting may be able to spawn a separate defense security company, thus yielding multiple exit strategies for the investor.
Cabot Adams LLC is a multi-industry capital advisory and venture funding firm based in New York. More information can be found at www.cabotadams.com. Stephen Dunn is Director of Life Sciences and can be contacted at sdunn@cabotadams.com.
The information in this report is obtained from sources which Cabot Adams LLC believes to be reliable. All opinions expressed herein reflect Cabot Adams LLC's judgment and are subject to change without notice. No person should act on the basis of this report without considering and if necessary taking appropriate professional advice upon their own particular circumstances. No liability can be accepted for any loss arising from the use of this report. This report is for information only and should not be construed as an offer or solicitation for the purchase or sale of any security. Cabot Adams LLC and its employees cannot be held responsible for errors or any consequences arising from the use of this report.