As a vice president and general manager at Peak 10, Phillips helps small and midsized companies determine how much and what kind of data storage they need. The corporate compliance team makes sure the plan meets all the appropriate rules.
Peak 10 has worked with several healthcare companies in the 10 markets it serves, including:
- iTraycer, a Web-based solution that tracks medical devices, implants and surgical tools;
- NuScriptRx, a pharmacy solutions provider for long-term care facilities and their patients, including a Web portal;
- Rise Health, a company developing a technology platform to support affordable care organizations.
Phillips is a member of the Louisville Health Fellows 2012 class and on the board of Health Enterprises Network. We talked about HIPAA compliance and best practices for startups looking for data services.
Q: Is a HIPAA-compliant data center a myth?
A: You can never say 100 percent that data is secure. In the end, there is some risk out there that you can’t be aware of.
We do everything we can do from a data center perspective: physically secure the facility, control the people who come in and all the security and processes that go around that equipment in the data center. When we are doing managed services for a client who is BAA-required by HIPAA/HITECH, the data is always encrypted.
For a long time we had a private cloud environment and for a long time we would not put a covered client in it. No auditor would sign off on a shared environment. We look at every customer individually and sometimes we say, “We don’t think the cloud is right for you.”
Q: How does Peak 10 keep up with changing compliance requirements?
A: More and more businesses are being caught in compliance mode. Peak 10 has a VP and GM who runs every single market. He manages P&L and everything else except compliance. We have a compliance VP and a team that reports to the corporate board of directors. That team takes the lead whether it’s a Business Associate Agreement for a healthcare company or a covered company. The company doesn’t want any one-offs.
Q: What questions should a healthcare company ask a technology provider?
A: First, make sure the provider has been audited to basic standards. Have they done a HIPAA audit? Do they have a compliance team who can talk about solutions? Do they have a Business Associate Agreement that you can start with?
A customer also should check the track record of the data center and its up-time. Ask if the provider audits itself and determine in what areas they were audited. Customers have to make sure they’re not going to put an app in an environment that will create vulnerability. The customer should still be in control of servers and access to the outside world.
Q: How can a startup build the best IT foundation?
A: Don’t build an infrastructure that is three years in front of itself. You don’t ever want to say, “I spent $100,000 on infrastructure that I’ve outgrown,” or worse, didn’t even use. Size your environment to your business today, but have a model to grow incrementally. Retain the most flexibility that you can to scale out and scale back as you need to.
Q: How can a startup negotiate a data center cost structure that matches its current revenue?
A: In every Peak 10 market, the VP and GM has the ability to structure deals that make sense along that spectrum. We’re willing to take some risks with our customers and the growth of their business. If we are doing our job, they will grow their business and that will grow ours.