By Bob Andelman, Maddux Business Report, November 2009
Whatever his personal political beliefs, St. Petersburg software developer Kurt Long found good things to say about select leaders of both parties over the last 12 months.
Long’s company, FairWarning, develops privacy-monitoring software used by hospitals, medical centers and physician practices to protect patient confidentiality and the privacy of electronic medical records. It was a promising market when he hung out a shingle four years ago after a long and successful run with his previous company, OpenNetwork; today he is sitting on another potential goldmine.
The first career-changing moment came when Republican California Gov. Arnold Schwarzenegger signed legislation on September 30, 2008 creating a state office to police patient privacy and issue fines of up to $250,000 per violation. That was a huge, manna-from-Heaven moment all by itself for FairWarning.
“During calendar year 2008,” Long says, “there were a lot of high-profile breaches of privacy. Unfortunately it’s only celebrities that get the notoriety, when it’s truly the tip of the iceberg. The mistake these guys made in California was snooping on (Schwarzenegger’s wife) Maria Shriver’s records. Within months, Gov. Schwarzenegger signed into law an anti-snooping provision. For the first time ever, it defined what snooping was and defined substantive fines for people involved in snooping.”
To put that in perspective, Long claims that UCLA Medical Center in Los Angeles may have had thousands of medical records breaches in 2008 that didn’t cost it a penny. Those same invasions of privacy in 2009 would have brought $25 million in state penalties.
And in February, when the Democratic authors of the 2009 federal stimulus, the American Recovery and Reinvestment Act, included new electronic health record and privacy requirements, that was a second unexpected, life-changing development for Long.
“Buried in there, nothing to do with monies allocated, there were 70 pages of privacy language that passed,” according to Long. “The first time I heard of it, it was a rumor. A customer sent us an email: ‘Did you realize?’ I didn’t, actually. The language was negotiated in the last hours, but it was signed in a form that healthcare privacy advocates had been hoping for, for years.”
HIPAA (the Health Insurance Portability and Accountability Act) created general guidelines in 1996 for medical professionals to observe, but it lacked enforcement or any requirement that patients be notified if a breach occurred. “If some bad guys broke in and stole your records,” Long says, “there was no federal law that required that health care entity to notify you that your records had been compromised. And there was no requirement to notify the federal government, or anyone else.
“Thousands and thousands of records were compromised. There was this concept that you could go to Health and Human Services and hope their civil rights office would take your case—among 50,000 others. Now there is federal law to require that entity to report to the media and the federal government if there is a breach. And they will receive tiered penalties.”
The new reporting will likely be akin to what happens when a credit card company’s electronic records are stolen, exposing thousands of customers and their account numbers.
There is such a thing as too much of a good thing, too much, too soon. And that does strike a cautionary note with Long. “It was legislation catching up on 10 years of neglect in 10 days. I was worn out on the prior administration’s attitudes on privacy and enforcement. I don’t know what to say. Is it too good to be true or is it too much too soon?”
Health care industry officials are among those playing catch-up with the new California and federal rules, trying to absorb what just happened in the omnibus recovery bill. The Federal Trade Commission (FTC) also has its “Red Flags” Rule for financial identity theft. As of November 1, 2009, health care organizations will fall under federal identity theft rules and be required to take steps to detect and minimize identity theft.
That “ka-ching!” sound effect you just heard was the virtual cash register at FairWarning jingling like never before.
“In California, our sales are going through the roof,” Long says. “They have already fined Kaiser Permanente several hundred thousand dollars in the Octomom case” for privacy breaches. The deaths of Michael Jackson and Farrah Fawcett and the invasion of their medical records only created more demand for vendors such as FairWarning to sell their wares. “Our challenge is that we have this amazing, unique product and a four-year head start on this sector nobody cared about. The question is, how do we capitalize on that? How do we get to all these places fast? How do we educate the market? How do we mobilize a sales force? Those are no small challenges. We’re going to grow. My wife should fire me if I don’t grow the business. We have to grow it a lot if we want to be the world’s largest provider of these services.”
FairWarning software can detect a nurse who has accessed 100 patients’ records in a day, according to Long, or one who has printed out sequential medical records. When that happens, the software notifies the organization’s privacy and security officers and provides detail such as whether data was copied to a USB drive or sent to a Yahoo or Gmail account.
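The three detection signals the article attributes to the product (a per-user daily volume threshold, sequential record printing, and copies to removable media or consumer webmail) are simple enough to show in code. What follows is an added example written for this page; it is not FairWarning's code and does not reflect any real EHR audit schema. The CSV-style log format, the field names, the invented users and record numbers in SAMPLE_LOG, and the WEBMAIL_DOMAINS set are all assumptions made for the example; the thresholds are parameters so the article's "100 patients in a day" can be used on real data while the small sample trips the rules at lower values.

```python
"""Added example (not FairWarning's code): the three signals the article
attributes to the product, implemented over a constructed EHR audit log.

Assumed log format (an assumption, not any vendor's real schema):
    timestamp,user,action,patient_id,detail
where action is one of view/print/export/email and detail carries the
export target or e-mail recipient (empty for view/print).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records; the users and record numbers are invented.
SAMPLE_LOG = """\
2009-09-01T08:01:00,nurse.a,view,100201,
2009-09-01T08:02:00,nurse.a,view,100202,
2009-09-01T08:03:00,nurse.a,view,100203,
2009-09-01T08:04:00,nurse.a,view,100204,
2009-09-01T08:05:00,nurse.a,view,100205,
2009-09-01T08:06:00,nurse.a,view,100206,
2009-09-01T08:06:30,nurse.a,view,100206,
2009-09-01T09:00:00,dr.b,view,100250,
2009-09-01T09:10:00,dr.b,print,100250,
2009-09-01T10:00:00,clerk.c,print,100301,
2009-09-01T10:01:00,clerk.c,print,100302,
2009-09-01T10:02:00,clerk.c,print,100303,
2009-09-01T10:03:00,clerk.c,print,100304,
2009-09-01T10:10:00,clerk.c,print,100900,
2009-09-01T11:00:00,nurse.a,email,100203,nurse.a.home@gmail.com
2009-09-01T11:05:00,clerk.c,export,100301,usb
2009-09-02T08:00:00,nurse.a,view,100207,
"""

# Consumer mail domains named in the article; extend as needed (assumption).
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com"}


def parse_log(text):
    """Parse the assumed CSV-style format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def high_volume_users(events, threshold=100):
    """(user, date) -> distinct patients touched, for pairs above threshold.

    Counts distinct patients rather than raw events, so re-opening one
    chart all day does not look like snooping across a hundred charts.
    """
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date())].add(e["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}


def sequential_print_runs(events, min_run=3):
    """user -> longest run of prints whose record numbers step by exactly one.

    Walking the record numbers in order is a bulk-harvest pattern that a
    per-patient volume threshold alone would miss.
    """
    prints = defaultdict(list)
    for e in events:
        if e["action"] == "print" and e["patient"].isdigit():
            prints[e["user"]].append(int(e["patient"]))
    findings = {}
    for user, ids in prints.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            findings[user] = best
    return findings


def exfil_events(events):
    """(user, action, detail) for copies to removable media or consumer webmail."""
    hits = []
    for e in events:
        to_usb = e["action"] == "export" and e["detail"].startswith("usb")
        to_webmail = (e["action"] == "email"
                      and e["detail"].rpartition("@")[2].lower() in WEBMAIL_DOMAINS)
        if to_usb or to_webmail:
            hits.append((e["user"], e["action"], e["detail"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    # Threshold lowered from the article's "100 patients in a day" so the
    # small constructed sample trips the rule.
    print("high volume:", high_volume_users(evs, threshold=5))
    print("sequential prints:", sequential_print_runs(evs))
    print("exfil channels:", exfil_events(evs))
```

On the sample, the volume rule flags nurse.a on 2009-09-01 (six distinct patients, above a threshold of 5 but not the default 100), the sequential rule flags clerk.c for a run of four consecutive record numbers, and the channel rule surfaces the Gmail send and the USB export. In production the interesting work is in the thresholds and allow-lists: a unit clerk legitimately touches far more charts than a specialist, so a single global number produces either noise or blind spots.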
All this demand puts a serious squeeze on FairWarning, which still operates like a start-up in many ways. As of early September, the company employed fewer than 20 people full-time, “but we’re hiring,” Long says. Rather than ramping up too fast or too much and straining quality control, Long made a tactical decision to take on sales and marketing partners that could supply and service worldwide demand. The first two FairWarning resellers are huge: McKesson and Oracle. “We’re trying to figure out how to mobilize their worldwide sales force,” Long says. And there are 30 more companies waiting in line to join them. Eventually, the resellers will be trained to customize FairWarning software for their customers.
“We have to phase it in,” Long says. “The resellers will do training and planning but we won’t let them touch the data. There is a lot of quality control we have to worry about.”
Another decision: Long isn’t returning to his globetrotting OpenNetwork days.
“This is a no-travel business model,” he says. “We did a digital sales process and digital deployment so nobody flies. I’m managing as many or more customers as I had at OpenNetwork with one-eighth of the people. We’re absolutely going to hire, but it’s a much more leveraged, more profitable model. I’m tired of traveling on business. If we travel on business, it’s the kind of things you want to be traveling for.”
Long makes technology work for him: FairWarning webinars, white papers and press releases were downloaded more than 60,000 times in the first eight months of 2009, and the company’s webinars drew 1,200 live attendees.
“We’re using webinar technology and remote access technology and every kind of digital advantage we can gain across marketing, sales and support. Here we are, a little company in St. Petersburg, Florida, and we’ve signed University of California Medical Centers and Scripps Health,” Long says. “We’re in 200 hospitals and 700 clinics. It’s a start, but in the US alone there are 5,706 hospitals. Globally, you can about double that market.”
Copyright 2010 Bob Andelman. Some stories in this archive may appear in unedited or different versions from their print counterparts.