November/December 2015 Issue
While the health care management and technology industries are often dominated by men, four women in Northwest Arkansas have founded a company that encompasses both.
Photography by Beth Hall
Security requirements in the federal Health Insurance Portability and Accountability Act, or HIPAA, are tough. They establish standards to protect patients’ medical records and hefty fines for health care providers who don’t comply. And these standards apply to all providers — from a family practitioner running a one-doctor office to the Mayo Clinic.
Big health care providers have staff dedicated to ensuring that records are safe from hackers and thieves. The “little guys,” however, generally can’t afford to hire that kind of specialized help. For four Northwest Arkansas women — three of them sisters — that gap meant opportunity.
Anna Drachenberg, Catherine Ganahl, Elizabeth Green and Katie Lay founded HIPAA Risk Management, or HRM, in 2013. Lay, the company spokesperson and “honorary” sister assigned to media duties, said the market is ripe for their solution.
“Ninety-six percent of health care businesses are small businesses of less than 100 employees,” she said. “Their day to day is not concern for compliance. Their day to day is taking care of their patients.”
High-profile data breaches at Target Corp., The Home Depot, Sony Pictures Entertainment, Anthem Insurance Companies Inc. and others have made cybersecurity mainstream. As Lay notes, health care information is particularly sensitive for patients and particularly valuable for hackers. Medical records often contain all the necessary information for identity theft in one convenient location, and medical fraud in the form of false claims and prescriptions is a problem that affects everyone who pays for health insurance.
“It’s more profitable for a thief than a credit card,” she noted.
HIPAA rules are complex and failure to follow them can be disastrous, particularly for small operations. The federal government mandates that health care operations must secure their records. The rule doesn’t, though, specify how to do so. It is up to the individual providers to balance risk and cost when devising a security protocol. What’s right for the Mayo Clinic isn’t necessarily practical for your family doctor.
Even something as common as a stolen or lost laptop could lead to a ruinous security breach for a small medical office. The average fine from the federal government is $398 per patient record, Lay said, and most breaches encompass 3,000 records or more.
“We’ve seen fines from $50,000 to $4 million,” she added.
The “big guys” hire staffers to handle security at annual salaries ranging from $70,000 to $120,000. Or, they hire a consultant who comes in only periodically. When HRM’s four founders realized that smaller providers were priced out of such options, they found their market niche.
The sisters met Lay at health care-related seminars and conferences, where women were often scarce.
“Being the only women in the room, eventually we became good friends,” Lay said. The four got together over lunch and realized they had complementary skills and experience: Drachenberg as a software and database developer, Ganahl as a web developer and manager, Green in marketing and strategic planning, and Lay in sales and business development.
“We all had the necessary pieces,” Lay said. “It was a very ‘aha moment.’ We say we couldn’t have planned it better if we planned it.”
What they created is a cloud-based subscription service that ensures clients are meeting HIPAA security standards by tracking and documenting safety measures. If an office hires a new employee, for example, HRM’s software guides managers through the background and training measures the federal government will want to see, should compliance come into question.
“If there is a problem, they can call us, and we can generate a report in 30 minutes,” Lay said.
HRM’s offices are in Fayetteville and in Austin, Texas, and their clients are all over the country. Their service starts at $199 per month. “We didn’t want price to be a barrier,” she said.
If women are scarce in health care management, they are even more rare in the tech sector. According to one estimate, 97 percent of tech companies are headed by men, and women are nearly absent from tech management teams. Lay, who serves as the face of the company at trainings and seminars, has experienced the “unicorn” factor firsthand.
“I’ve had people come up to me and say, ‘Let me know when your boss gets here,’” she said. “I have to, very gently, let them know that I am one of the bosses. There is still very much a barrier.”
The barrier comes down, however, when people realize her company provides a solution to a very real problem. “HIPAA is not going away. It is not going to get better. It is only going to get worse,” Lay explained.
At that point, gender becomes irrelevant. “Sometimes you are underestimated, and you just blow everyone away,” she said.