White Paper

Making Enterprise Healthcare Sales Easier

By: Travis Good, MD

September 2014


Trust is the currency of the enterprise. Catalyze is proven to be a pivotal tool to help customers earn trust in enterprise healthcare.

Selling into large enterprises is hard. Selling into large healthcare enterprises presents additional roadblocks, especially for modern, cloud-based technology companies. Healthcare enterprises, in the context used here, means insurance companies, hospitals, and health systems. They have traditionally kept data on premises, in their own data centers, and behind their own firewalls. Many are risk averse when it comes to data storage outside of their own data centers, including cloud-based systems. A recent report found almost 40% of healthcare enterprises cite risk aversion as the main barrier to adoption of new technologies.

And for good reason.

Healthcare has unique compliance, privacy, and security requirements as defined by HIPAA. Healthcare enterprises are defined as "covered entities" (CEs) by HIPAA. Covered Entities have to maintain the privacy of protected health information (PHI) because violations of HIPAA result in significant financial penalties for breaches of PHI data. Vendors that work with Covered Entities are defined by HIPAA as Business Associates (BAs). As Covered Entities work with Business Associates they are required to sign Business Associate Agreements (BAAs), which outline obligations for handling PHI and expose Business Associates to financial risk for violating HIPAA.

At Catalyze, many of our customers are Business Associates of large enterprises—Kaiser, Cleveland Clinic, UCLA, Blue Shield of California, North Memorial, University of Alabama-Birmingham, and so on. Our customers are building cloud-based solutions to problems facing healthcare, helping enterprises with telehealth, bundled payments, accountable care, intelligent follow-up, patient engagement, patient reporting of data, and a bunch of other things that traditional health IT vendors are not doing. Overcoming the risk of data breaches, whether real or perceived, is essential for our customers' success. We consider helping customers in this sales process part of our solution. In that capacity we have learned what role Catalyze plays to help them drive sales faster.

There are five key areas in which our customers derive value from Catalyze to sell faster.

  1. Healthcare Exclusivity and Expertise
  2. Marketing Collateral
  3. Dedicated Infrastructure
  4. Direct Sales Assistance
  5. HIPAA Transparency

Health IT B2B Sales Process

Part of the sales complexity is associated with the myriad of healthcare players. Sometimes it's clinical, sometimes financial, sometimes ops, but always security and compliance. When you, as a business associate, sell to a healthcare enterprise, you expose them to financial risk if your technology integrates their data or collects data considered PHI. To mitigate that risk, security and compliance sign-off is always necessary before implementation and deployment.

1. Healthcare Exclusivity and Expertise

"Catalyze has been an invaluable partner as we create new products for patients managing challenging health situations. The depth of their knowledge of HIPAA, their experience in protecting personal health information, and the ease of use of their services has helped us quickly and confidently create a scalable platform for our solutions."
— Clay Williams, PhD, CEO & Co-founder, Cohere Health

Catalyze is cloud computing for healthcare. We offer targeted solutions for the healthcare industry only, helping developers, vendors, and enterprises solve the healthcare-specific plumbing problems of compliance and data integration. Because of our exclusive focus on healthcare, our products are more tailored to customer needs. Our security and organizational policies were created to map to HIPAA. Our BAA was written, and is edited periodically, to address questions and provide assurance for enterprises.

Catalyze is different from "compliant cloud vendors" that are simply secure technologies at a higher price tag because they sign a BAA. We follow every aspect of HIPAA, both technical and administrative requirements, which creates trust with enterprises for us and, by extension, our Business Associate customers. It also enables our customers to inherit policies from us, such as our Disaster Recovery Policy and Vulnerability Scanning Policy. Other customers have used our policies as templates since we wrote them for vendors of modern, cloud-based technologies like ourselves.

Another benefit of healthcare specificity is we offer specific, pre-built HIPAA-compliant infrastructure solutions, like EHR data integration. These services fall under the same BAA as our compliant mobile APIs and platform, so customers can show enterprises one BAA from Catalyze. Some enterprises take a long time to review and approve BAAs, so reducing the overall number of BAAs helps expedite compliance sign-off.

And lastly, because we work directly with enterprises like Blue Shield of California and the VA, we sometimes assist customers with introductions. Since Catalyze has existing relationships and passed security and compliance reviews, the process is expedited for our vendor customers.

2. Marketing Collateral

Because Catalyze operates like other Business Associates and not just as a secure hosting provider, we have completed full 3rd-party HIPAA audits ourselves. We readily share our audit reports with our customers when they are asked for them as part of the sales process. Most customers have not completed full HIPAA audits and lean on Catalyze audit reports as evidence of compliance. This has been effective for all customer types selling to large health systems.

In addition to audit reports, we also have white papers written by HIPAA auditors about the Catalyze platform that highlight the security and built-in privacy of our technology. The white papers are used by our customers when they are asked for documentation about compliance. The white papers, like our audit reports, are detailed and answer many of the questions enterprises ask about information security and HIPAA.

3. Dedicated Infrastructure

"Working with Catalyze has been a fantastic experience for Zipnosis and our unique infrastructure requirements. Catalyze has not only been quick to set up new, dedicated environments, but they have also been crucial partners in defining our security and infrastructure strategy through care and understanding of our business."
— Derek Rockwell, Director of Engineering, Zipnosis

Healthcare data is sensitive data and needs to be handled accordingly. One of the common approaches taken is to use dedicated servers and infrastructure for each enterprise.
For example, consider a mobile application that enables patients to message doctors. That application runs in a public cloud environment. Each time the vendor of that application sells to an enterprise, they have to spin up dedicated cloud servers for only that enterprise.

While not a requirement of HIPAA, this is something many healthcare enterprises ask about; enterprises require many things that are not in HIPAA, like hardware firewalls. Spinning up and maintaining multiple, dedicated infrastructures is not easy. And if it's compliant, it's expensive. The cost of dedicated infrastructure is often passed on by Business Associates to Covered Entities.

Offering dedicated infrastructure is a great way to speed sales because it addresses many of the questions and concerns enterprises have about multi-tenant, cloud environments. Catalyze customers quickly spin up dedicated environments for customers, in minutes, not weeks. These environments have their own encryption, logging, backup, monitoring, and other services. Since the cost is passed on to enterprises, the main hurdle is the speed to spin up these dedicated environments and the time to manage them. Catalyze addresses both of these and helps its customers go from contracts to go-live much faster than with traditional HIPAA compliant hosting options.

4. Direct Sales Assistance

Security and compliance are always a step in the sales process. Catalyze gives customers a significant shortcut, sometimes shaving off 6 to 9 or even 12 months. The step typically includes a series of calls centering around a set of questions related to information security and compliance; the only standard set of questions seen has come from a large Midwest system that asked Business Associates to complete the Compliance Cloud Matrix. Some of these questionnaires are lengthy and quite similar to the questionnaires HIPAA auditors utilize in their audits.

At Catalyze, we provide links to resources on our site to help customers quickly answer questions about things like backup and logging. We also help answer these questions directly for customers, removing the burden of generating responses. Before, after, or during the process of completing these questions, Catalyze will happily join phone calls for customers to help answer questions related to infrastructure security and compliance. Having gone through multiple HIPAA audits, we have addressed most of these questions and verified answers.
The ability for our customers to lean on Catalyze as audited, trusted compliance partners during the sales process expedites go-lives.

5. Transparency in Compliance

"Catalyze made things easy for us as we developed our own privacy and security policies, and then went through the security gauntlets of some of the big health systems. Many of our policies directly quote or refer to Catalyze's policies that they make available on a well-organized public page. And often when big systems have had security questions about our deployment, I could either refer them to Catalyze's HIPAA page, or simply copy and paste from the page myself."
— Mayank Thanawala, SVP - Research & Development, HEALTHLOOP

Risk is a big concern for healthcare enterprises. Modern technologies, especially cloud-based systems, are outside the control and purview of enterprises. The lack of associated transparency into these platforms and systems increases the risk for enterprises. The interconnectivity through APIs and multiple cloud vendors (hosting, monitoring, logging, integration, etc.) presents additional challenges. At Catalyze, we take a proactive approach to transparency in our compliance and information security posture, including mappings and obligations under HIPAA, as well as our internal policies and procedures. We are compliant by design, and we publish the data and tools to prove that, both for our customers and for our customers' customers.

A good example is our public policies page. We list current policies followed at Catalyze. Each policy is mapped to specific HIPAA and HITRUST rules. We do this to make it easier for our customers to point to us as a compliant partner. We spent countless hours drafting policies and tweaking them through multiple audits to ensure they are in line with modern technology vendors while maintaining mappings to HIPAA.

We know several customers refer compliance and security officers to our policy page. With such positive interest and feedback on our policies, we recently open sourced them so others can use or improve them, if they choose.

Conclusions

Healthcare is at a tipping point. The digitization of health data, proliferation of sensors and connected devices, and changing incentives around accountability and patient-centered care are driving entirely new technology solutions. Developers, companies, and investors are flocking to healthcare like never before. Healthcare enterprises are finally adopting new solutions. But, in order to succeed in distributing and scaling technology solutions, vendors must overcome the risk aversion of healthcare enterprises.

It is possible to build and maintain compliant cloud environments on traditional, dedicated infrastructure, but it takes time and energy. HIPAA compliance using cloud technologies requires a unique skillset. Healthcare enterprises like to see audit reports and other evidence related to compliance and information security. Catalyze customers lean on us as partners with expertise in HIPAA compliance. We in turn deliver value in the sales process for our customers, enabling them to overcome objections related to compliance and security.

If you want to learn more about how Catalyze can help you sell to healthcare enterprises faster, send us an email or give us a call at 888-377-3184.

About Catalyze

Catalyze is cloud computing for healthcare. We offer a HIPAA compliant platform to make achieving compliance easier. We also have platform solutions for building compliant mobile apps and integrating data to and from clinical systems. Customers such as the VA, Blue Shield of California, Healthloop, University of North Carolina, Zipnosis, and others utilize Catalyze for building and scaling innovative solutions for healthcare.