HIPAA for MSPs
HIPAA for MSPs is a complicated subject to approach: not only do MSPs count as Business Associates if they provide a service to a healthcare facility, but they could also be a HIPAA-covered subcontractor if they provide a service to a company that provides a support service to a healthcare facility.
For example, if an MSP provides data storage services for an accounting firm, and the accounting firm provides bookkeeping services for a medical center, it may be possible the MSP is subject to HIPAA regulations depending on the nature of the data it stores on behalf of the accounting firm.
The HIPAA rules for MSPs will be applicable if the data consists of any personal identifiers considered to be “Protected Health Information” (the full list of personal identifiers considered to be Protected Health Information can be found on Page 7 of our “HIPAA Compliance Guide”).
Any MSP that creates, receives, uses or maintains Protected Health Information is subject to HIPAA regulations and is required to enter into a “Business Associate Agreement” for as long as the MSP continues to provide a service to the healthcare facility or to the company providing a support service.
Why Learn about HIPAA for MSPs?
Historically, HIPAA for MSPs was not an issue. MSPs neglected to become HIPAA experts because they provided a service for clients who already were experts. MSPs knew about cloud technology and systems management. Healthcare facilities and their support companies knew about HIPAA.
That all changed in 2013, when the Final Omnibus Rule modified the HIPAA regulations. Now Business Associates and subcontractors have to comply with the HIPAA Security and Privacy Rules, and can be found liable for a breach of Protected Health Information – and the fines that can be imposed.
The fines for non-compliance with HIPAA for MSPs can be significant (up to $50,000 per compromised record), and fines can be imposed even when a breach has not occurred – for example when providing a service to a medical center without having a Business Associate Agreement in place.
For this reason alone it is important that Managed Service Providers take HIPAA for MSPs seriously. However, there are also commercial advantages for MSPs who make the effort to learn about HIPAA and ensure the services they provide to healthcare facilities and support companies are HIPAA-compliant.
The Commercial Benefits of HIPAA for MSPs
Research into HIPAA compliance suggests over two million Business Associates and subcontractors who provide a service to healthcare facilities are not aware of the HIPAA regulations and to whom they apply. Indeed, many healthcare facilities take a “better-safe-than-sorry” approach and execute Business Associate Agreements with every company they have a business relationship with – irrespective of whether the company has access to Protected Health Information or not.
Being able to demonstrate a knowledge of HIPAA and compliance with its Security and Privacy Rules can place an MSP head and shoulders above its competition – and not only from the perspective of an organization within the healthcare industry. Compliance is a major growth area in many regulated industries. MSPs who can demonstrate compliance with complicated HIPAA regulations will attract clients from the financial and legal industries as well.
One of the best ways to demonstrate a knowledge of HIPAA for MSPs is via accreditation. Compliance-conscious businesses in regulated industries look for awards or certificates that show a service provider has undergone some level of HIPAA training. As there are no formal HIPAA training requirements, these awards and certificates are not officially sanctioned by the Department of Health & Human Services. However, they indicate that a service provider has made the effort to learn about HIPAA for MSPs.
If an MSP takes advantage of an accreditation scheme, it is important to be aware that accreditation alone will not prevent a fine from being imposed for non-compliance with HIPAA. It is recommended that MSPs look carefully at the options available to them in order to find a company providing suitable and comprehensive HIPAA for MSPs training that is tailored to the services the MSPs provide and relevant to the healthcare facilities or support companies they serve.