ASP is the acronym du jour in healthcare technology. It stands for application service provider, but to physician executives, it means two things.
An ASP is a tool of finance; it also is a form of Internet-based technology.
ASPs can be, but do not have to be, both things at the same time.
Proponents say ASPs hold the key to lowering adoption costs of new technologies for physicians, particularly electronic medical records, prescription writing and charge capture systems. However, ASPs also can reduce the upfront costs of upgrading aging scheduling and practice management systems (see related story on page 27).
Technically speaking, proponents say, an ASP offers the promise of outsourcing most of the data processing and communications needs of a medical practice, including Internet-based communications with patients and other providers.
But ASPs also raise concerns among physicians about the control and security of medical data in their care.
"We're bullish on ASPs," says Stewart Gleichman, M.D., vice president of market development for The TriZetto Group, of Newport Beach, Calif. TriZetto, a healthcare consulting and data processing company, provides ASP services for computer software developers who don't want to run ASPs themselves.
ASP-based systems "don't require doctors to be computer wizards," says Gleichman. He likens the relationship between a physician and an ASP provider to that between a physician and the local power company. "What we all want is when we plug something in, the electricity is there, but you don't want a generator in your basement."
The Wakefield, Mass.-based ASP Industry Consortium estimates there are about 500 ASP entities in existence today, including for-profit and not-for-profit organizations.
John Carpenter, worldwide healthcare industry manager for Microsoft Corp., says the ASP is not a new idea. Data processing companies have provided a key ASP service, connecting customers to off-site computers, since the 1960s.
What's new is the Internet and the Web. These tools have enabled ASP vendors to broaden the market for off-site data processing services beyond hospitals and large group practices. Small groups that can't afford and don't want all the technology on site can use an ASP to share time on some of the best data processing systems available, Carpenter says.
Internet service providers, or ISPs, that most people use to connect their home computers to the Internet are kissing cousins to the ASP, according to Carpenter. The difference, he says, is ISPs generally don't run software applications for use on home or office computers; they only provide Internet access.
Security, reliability concerns
Yet for all their potential benefits, ASPs have their detractors.
Physicians particularly are concerned about potential problems with the stability and security of the new technology, says Alan Urech, senior vice president, corporate strategy and marketing for ASP start-up MRxonline of Kennesaw, Ga. MRxonline sells Web-based practice management and billing systems.
Urech surveyed about 100 doctors in doing market research for his company and prepared a top 10 list of physician concerns about ASPs. Reliability of the system was the highest physician concern, Urech says, but maintaining the security and integrity of medical information was second.
Urech's findings about the importance physicians attach to security were supported recently by two healthcare groups.
In December, the AMA weighed in on one aspect of the security issue at its House of Delegates meeting in Orlando, Fla., unanimously passing a resolution to oppose the use of prescription data by pharmaceutical companies to develop physician prescribing profiles (see Jan. 1, page 3). Delegate testimony on the resolution called the profiling "an inappropriate intrusion into the privacy of the physician-patient relationship" and warned of e-healthcare companies that produce computerized tools "to track prescribing patterns and sell the information for marketing purposes." Though not mentioned specifically in the resolution, ASP-based computerized prescription and electronic medical records systems are capable of extracting and moving this data outside the physician's office.
The MedicAlert Foundation, the not-for-profit, Turlock, Calif.-based corporation that provides emergency warning bracelets and pendants for more than 2.7 million people with serious medical conditions, recently commissioned the Gallup organization to measure attitudes about security and confidentiality of medical records.
Maintaining privacy was considered "very important" for 77% of 1,000 adults surveyed by Gallup, with 61% saying they were "very concerned" about their information falling into the wrong hands. Doctors were trusted by 90% of those surveyed to do a good job maintaining the privacy and security of their medical records, but 88% said they would not trust a Web site to do the same.
Yet for James Greenberg, M.D., the benefits of an ASP outweigh the fears. Even though he admitted initially feeling some discomfort about releasing data to an outsider, Greenberg switched in May from an 8-year-old practice management system (PMS) residing on his office computer server to an ASP system offered by athenahealth.com of Waltham, Mass. Change to ASPs throughout the medical profession, he says, is inevitable.
"After a time, any client-server system is going to hit a wall, and that wall is compatibility," says Greenberg, one of four doctors in Brigham/ Faulkner OB/GYN Associates of Boston.
"I have a sense the insurance industry is going to automate systems as much as they can. The industry won't bother building separate interfaces to connect all the dozens of office-based PMS systems. Unless you're going through the Web and on an ASP system, you won't get paid."
Greenberg says he isn't worried that his data is being transmitted over the Internet and stored outside his office. He says the commonly expressed fear that a physician's data will fall prey to hackers is illogical. His line of reasoning: Why rob a candy store when you can knock off a bank?
"If a hacker can get into the Defense Department, I have no doubt they can get into Blue Cross/Blue Shield. I'm betting they wouldn't do that to me."
Linda Oberstein, M.D., an internist practicing in San Mateo, Calif., says she pays $20 a month to use an ASP-based prescription writing tool loaded on her Palm Pilot. The system from ePhysician of Mountain View, Calif., uses a wireless modem to pass prescription information from Oberstein's handheld device to her office computer. From there, the data travels via the Internet to a central computer at ePhysician, which sends a fax of the prescription to the pharmacy Oberstein has specified.
"I've been really satisfied with how it works," Oberstein says. "It's all encrypted. I don't have any problem with the security or the privacy."
A toe in the water
Not all healthcare software companies are sold on the ASP model. Several are approaching ASPs slowly, focusing on selling their software for installation as a traditional client-server application and offering an ASP only through third-party vendors.
PenChart of Glastonbury, Conn., makes available its electronic medical records system as an ASP only through TriZetto, says Paul Ritz, senior project manager, marketing, for Pfizer Health Solutions. Pfizer is marketing the system for PenChart. ASPs are so new to healthcare, "we want to get a toe in the water," Ritz says.
Raleigh, N.C.-based Medic Computer Systems has sold its AutoChart EMR through several independent ASP providers, says Scott Sanner, vice president of clinical sales.
"As we ran the (ASP business) model, we couldn't make it make money for us," Sanner says. "And, we didn't see a lot of physicians willing to have their chart data stored on the Internet right now. So it was fear and money. But those are temporary. As HIPAA is rolled out, I think it will become more acceptable to do that."
The Health Insurance Portability and Accountability Act of 1996 will require healthcare providers who electronically transmit patient data to comply with standards for data coding, security and privacy.
Gwen Hughes is a practice manager with the 40,000-member American Health Information Management Association, a Chicago-based trade association for medical records professionals. In November, AHIMA released 39 recommendations on ensuring the privacy of personal health information on the Internet.
Physicians using an ASP should see spelled out in their contracts what information ASP vendors can and cannot disclose, Hughes says. Doctors are "covered entities" under HIPAA, so if they learn their ASP partner is violating the law, HIPAA obliges them to "terminate the contract or arrangement, if feasible, or notify the secretary (of HHS)," Hughes says. "The covered entity is considered noncompliant if their business associate is violating the contract and the provider doesn't fix it or notify the secretary. I can just see the OIG getting into this like the other compliance stuff."
Consultant John Bogacz, principal of Healthcare Management of West Springfield, Mass., is no fan of ASPs, even though his clients, exclusively small New England practices, could avail themselves of the economies of scale afforded by ASPs.
Final HIPAA regulations on standardized data transmission protocols went into place in August while the regulations governing patients' rights to protect information about them were released last month. Security rules to cover the technical protection of all data are expected in late January. Large healthcare entities have 26 months from the date of publication of the new HIPAA standards to comply. Smaller entities with less than $5 million in annual revenues have an extra year.
"Until the HIPAA rules are in place, and that's not going to be for three years, I'm not interested in jumping on an ASP's bandwagon," Bogacz says. "It's too open. They (ASP vendors) are talking about 128-bit encryption, which is more than the Pentagon is using right now. In a few years, technology will outstrip that. You give enough (computer) speed there, these hackers will be having a good time with someone's data."
Special Agent Patrick Gray has worked for the FBI for 19 years, the past three with the computer crimes squad in Atlanta. Gray says doctors are not overreacting if they take vendor security pledges with a grain of salt.
"I'll give you two words: due diligence," Gray says. "Prior to outsourcing anything, they (physicians) have to ensure that data is secure."
Gray says that means doctors must satisfy themselves that their medical information will continuously be protected and watched. Doctors probably will need some independent, professional help "to peel down to get to the meat" of an ASP's security system, Gray says.
The FBI does not endorse security firms, but many reputable ones are available, he says.
Raising legitimate concerns about security is no knock on ASPs, Gray says. The systems are deployed throughout the business world. Still, it is the physician's reputation that is on the line.
"Once it leaves the doctor's control, it's out of his control and in somebody else's hands. If it's connected to the Internet, it's exploitable in some fashion."
Lyle Berkowitz, M.D., an internist with Northwestern Memorial Physician's Group in Chicago and the medical director for an Internet consulting company, Proxicom of Reston, Va., says due diligence also means getting out of the office.
"The main thing is I want to do a site visit," says Berkowitz, who is evaluating EMR systems for use in his own practice. "I want to speak with everybody, not just the one or two physicians they (the vendor) want you to talk to."
Questions to ask the vendor include what happens when the system crashes, who's responsible for getting it back up and what happens to the physician's data if the company goes belly up. Will it be returned in a format that is compatible with other software systems?
"It's less the technology and more the policies you want to watch," Berkowitz says.
Carpenter, the Microsoft healthcare manager, expresses sympathy for physicians deciding whether to stick with a client-server application or switch to an ASP when making their next software purchase.
"I don't think this is going to be a no-brainer," Carpenter says. "That's something each physician and each practice is going to have to sit down and figure out for themselves."
Carpenter's advice: Learn as much as you can. You may be the best ASP consultant you can find.
"I don't know what kind of experience is out there. It's still a new technology. Talk to colleagues. Ask for a reference list. I would make sure they have experience in doing this.
"Healthcare is such a complex industry," Carpenter says. "There are tons of things that people need to worry about. If they're straight out of a community college, they may be great with technology, but if they don't know what HIPAA is, I don't know what good they'd do."