Today, just for fun, I’m gonna start with a thesis and work my way back to see if you agree with its foundations. My conclusion: With the cost of IT security services climbing, the cost of care coordination rising and practice income in many cases remaining relatively level, group practices will have to change their business model substantially.
Specifically, though this may sound insane, I’m suggesting that they may have to begin charging patients for beyond-the-call-of-duty security efforts.
Of course, as we all know, practices are required to offer at least a minimal level of security protection as specified in rules like those in HIPAA. Necessary though it is, it’s a pricey exercise for many groups.
Even so, cold economics may push them to cut data protection further. Given that care coordination will be necessary to meet population health goals, and that quality monitoring and management are indispensable, they may see security as the most dispensable of these spending options.
As the need for care coordination staff, quality management and other necessities of value-based care rise, paying for IT security services will become almost impossible to pay for without borrowing from another source.
That source can come from an internal budgetary resource, such as money allocated for routine general expenses, or other overhead, such as salaries for existing staff members, neither of which is desirable. Of course, there’s also the possibility of obtaining a line of credit, but that’s arguably even worse for the future of the company.
But since no medical organization can go entirely without IT security protection, it will have to find the funds to pay for it somehow. Given that any of the possibilities discussed above will drain the practice and possibly cut its finances to the bone, but something will have to give.
At this point, many practices decide to sell their group to a hospital or health system. That’s certainly a legitimate way of taking on unmanageable levels of overhead and getting access to far more infrastructure options and financial resources.
But if that’s not the direction you want to take, here’s off-ball idea for recapturing some IT security revenue: concierge security services.
While every patient’s data needs to be protected, obviously, you could offer concierge security patients access to extra layers of security attentiveness, such as a private IT staff or to answer any data privacy and security questions they might have about the practice, hospital where they are seen or other entity.
Toss in a special “security report” (in all candor, probably info they could’ve read in any trade magazine), personalized to patient needs, and a free zip drive with secured copies of their data and you’ll have them hooked.
If this worked, and I’m not suggesting that it necessarily would, it could help carry the cost of mundane IT security services. What do you think? Would this model have a chance?