I’ll never forget the sinking feeling I had in late 2001 when Kevin, one of the Directors of IT in the School of Medicine, leaned over to tell me “John, I really like you guys at Net Friends…which is why I’m giving you a heads-up that you will be out of Duke in about 12 months. Eighteen tops.” He went on to explain that there was a new Chief Information Officer (CIO) who had recently arrived who wasn’t fond of outsourced IT contractors like Net Friends, and he was going to use the new HIPAA law as the core reason to bring all IT support in-house.
I had worked a bit with Kevin over the past couple years as Net Friends rapidly took on more and more departments that we supported within various parts of Duke. At the time Net Friends was a scrappy group of six technicians, all working 100% at Duke, and with no other real prospects outside of Duke to keep us all engaged. Kevin was a great guy, and he wasn’t just trying to spook us. The new CIO really did work hard over the next few years to get contractors out of Duke, and just a few years later there were only two contractors like Net Friends left, and by 2006 we were the only option for outsourced support.
The reason we both survived and thrived long past the dire warning that Kevin gave us was that we entered into a radical period of innovation. We knew that losing Duke’s business would be the end of Net Friends, as we had no other customer base to speak of. We innovated in direct response to the existential crisis before us, adapting our business model in a variety of ways. An added benefit was that as we adapted and developed new service offerings, our original and core business at Duke was both protected and continued to grow on its own as well.
We’ve found that in moments of crisis, or when it seems like there have been real pressures that threaten our business, our response consistently has been to see the threat as an opportunity. When we learned the CIO was going to use the HIPAA law as a reason to eliminate contractors, we made a bet that we would remain useful to Duke if we became experts on all things HIPAA that relate to IT.
It was a really great bet, as our business at Duke went up three-fold over the next 4 years thanks to us repositioning ourselves as HIPAA experts with recurring services packages for “HIPAA Compliance Reports” to address the new requirements that came with the mandate. We saw that there was a collective anxiety by many people at Duke about whether or not they could comply with all the new mandates and rules. We focused on becoming experts in HIPAA, and using our unique position to really understand how the security and privacy rules could be translated into daily, weekly, monthly, and other periodic tasks.
Word traveled quickly within Duke that we were the equivalent of the “easy button” when it came to implementing security design plans and the like, and we also ended up as the subject matter experts on HIPAA by the Information Security Office (ISO) at Duke. This resulted in us getting dozens of opportunities to help various departments address the minimum requirements for HIPAA compliance at first, but later we were the go-to group to help with a variety of projects that helped Duke build up their cohesive enterprise IT environment. This was true even a decade later when Duke began to consolidate all their electronic medical records using EPIC, and we had to ramp up our business significantly into more of an IT staffing agency in 2011 when this time came. But that is a story for another day…