
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

MSP HIPAA Compliance for Managed IT Service Providers

MSP HIPAA compliance for managed IT service providers often consists of not only understanding the compliance capabilities of the services being provided, but also understanding the compliance obligations of the clients to whom those services are provided. Because there are many different types of HIPAA entity, understanding each client’s compliance obligations can be one of an MSP’s biggest challenges.

Regardless of the type of IT service(s) being provided, managed IT service providers have multiple challenges to overcome. Common challenges include integrating MSP services with clients’ legacy systems, resolving expertise gaps between providers and users, establishing levels of client control, and securing clients’ networks, systems, and devices to ensure the MSP security stack works effectively.

When providing managed IT services to a HIPAA covered entity or business associate (collectively “HIPAA entities” for the purpose of this article), MSPs have a potentially bigger challenge to overcome – MSP HIPAA compliance. In many cases, there are three areas of MSP HIPAA compliance that can be challenging:

  • Ensuring the MSP complies with all applicable standards of the Security Rule.
  • Ensuring the services provided by the MSP are configured to support HIPAA compliance.
  • Ensuring MSP support services have the HIPAA expertise required to answer clients’ questions.


MSP HIPAA Compliance with the Security Rule

When an MSP provides a service to a HIPAA entity, it does so as a business associate to the HIPAA entity if the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). This “rule” applies even if the MSP cannot access PHI because it is encrypted by the client and the client controls the decryption key. Further information about HIPAA and the provision of “no view” services can be found in this HHS guidance.

As a business associate, MSPs must comply with all applicable standards and implementation specifications of the Security Rule and the Breach Notification Rule. The applicable standards and implementation specifications can vary depending on the nature of the service(s) being provided by the MSP and the content of the Business Associate Agreement between the MSP and the client. However, in most cases, MSP HIPAA compliance with the Security Rule includes:

  • Protecting against any reasonably anticipated threats and vulnerabilities to the confidentiality, integrity, and availability of PHI.
  • Implementing a security management process to prevent, detect, contain, and correct security incidents and HIPAA violations.
  • Ensuring that all members of the workforce participate in a security awareness program that is adopted for MSP HIPAA compliance.
  • Applying, monitoring, and terminating facility access controls, device access controls, and data access controls.
  • Implementing and testing an emergency mode operating plan, contingency plan, and disaster recovery plan.
  • Entering into Business Associate Agreements with third party service providers when third party services are used to create, receive, store, or transmit PHI.

Many of these activities will be an existing part of an MSP’s operations. MSPs will most likely have measures in place to protect (non-HIPAA) client data, prevent security incidents, promote security awareness, and maintain a service consistent with an SLA. However, in order to be a HIPAA compliant managed service provider, these activities must be documented as HIPAA activities and the documentation retained for a minimum of six years.

Configuring HIPAA Managed Services to Support Compliance

Most third party services are not HIPAA compliant by default. For example, if an MSP provides CRM services to a HIPAA entity via the Salesforce MSP Partner Program, not only does there have to be a Business Associate Agreement in place between the MSP and Salesforce, but the Salesforce services covered by the Business Associate Agreement must be configured to support HIPAA compliance when they are used to create, receive, store, or transmit PHI.

In cases in which a (HIPAA entity) client has retained a degree of control over how third party services are configured and used, it may also be necessary to limit the client’s access to some HIPAA managed services. This is because, if PHI is used in conjunction with a service not covered by a Business Associate Agreement, it may result in a violation of the third party’s Terms of Use or of the Business Associate Agreement – resulting in termination of the service.

Examples of HIPAA managed services that may need configuration, plug-ins, or the limitation of access in order to ensure the services support HIPAA compliance include WordPress, Wix, and HubSpot. In addition, access to the controls of some security solutions may also need to be limited to prevent clients from (for example) whitelisting email accounts in email filters, exempting websites from web filters, or integrating unsanctioned software into the MSP security stack.

In other scenarios, it may be necessary to enter into a separate agreement with clients to indemnify the MSP against penalties for HIPAA violations for which clients’ workforces are responsible. For example, storing PHI in Google Contacts is an impermissible disclosure of PHI, while integrating third party apps into “covered” Google Workspace services may also violate HIPAA if the apps have access to PHI and are not configured to support HIPAA compliance.

Understanding HIPAA for MSPs’ Support Services

Depending on the HIPAA managed services being provided to clients, and the client’s control over their configuration and use, it may also be necessary to ensure MSP support services have the HIPAA expertise to answer clients’ questions. This is because there are many exceptions to HIPAA and scenarios in which individuals (i.e. patients) can request or authorize exemptions to the Privacy Rule standards relating to permissible uses and disclosures of PHI.

Most MSP support services have the capabilities to answer technical questions relating to the services they provide and how to troubleshoot them. Not so many understand clients’ compliance obligations and the best course of action to take when an out-of-the-ordinary event happens. However, in a competitive marketplace, being able to demonstrate a knowledge of MSP HIPAA compliance in interactions with clients can be an advantage.

For example, a client could call an MSP’s help service explaining that a patient has requested “confidential communications” via WhatsApp and asking for advice. A help service operator that understands HIPAA for MSPs will know WhatsApp is not HIPAA compliant, but that the patient has the right to request confidential communications via WhatsApp under §164.522(b) of the Privacy Rule, and that the request is reasonable to accommodate.

The advice to the client in such circumstances should be to agree to the patient’s request, export conversations to a HIPAA compliant managed service, and delete the conversations from the WhatsApp account once they have been exported. Being able to provide information of this nature to a client demonstrates an understanding of HIPAA for MSPs and the client’s compliance obligations, and could lead to increased revenues via positive reviews and referrals.

How to Become the Best Healthcare IT MSP

MSP HIPAA compliance is challenging, but overcoming the challenges can help you become the best healthcare IT MSP. To differentiate your business from every other healthcare IT MSP you need to not only understand your compliance obligations, but also those of your clients. To achieve this level of understanding, it is advisable for your Security Officer and members of the support services team to take basic HIPAA training in addition to security awareness training.

This will align your team’s knowledge of HIPAA with those of your clients, and although your clients are required to develop their own HIPAA policies and procedures, you will at least be talking the same language when it comes to terms such as PHI, permissible uses, and the minimum necessary standard. MSPs who need more information about the benefits of HIPAA training for their workforces are advised to speak with a HIPAA compliance professional.

HIPAA for MSPs: FAQs

Why do MSPs need to know about the HIPAA Privacy Rule?

Regardless of whether an MSP is providing a service directly to a covered entity or a service company, if it stores or manages ePHI on behalf of the customer, there may be a time when the subject of the data (i.e., a patient) requests access to their health information as they are permitted to do under the Privacy Rule.

Consequently, an MSP should understand the Privacy Rule standards relating to patients’ rights, permissible uses and disclosures of individually identifiable health information, and the minimum necessary standard. There may also be other areas of the Privacy Rule that an MSP needs to comply with depending on the nature of the services provided to the customer.

Could an MSP be fined for a right of access violation?

In theory, yes. If a patient requests access to their health information, the covered entity to whom the request is made has to respond within 30 days. If archived health information is stored by the MSP, and the MSP fails to respond to a covered entity’s request for the health information to be retrieved, the MSP would be considered liable if the patient subsequently complains to HHS’ Office for Civil Rights.

Are MSPs always HIPAA Business Associates?

If an MSP provides a service to, or on behalf of, a covered entity or a service company that involves the creation, storage, or transmission of ePHI, the MSP is usually considered to be a business associate and a Business Associate Agreement should be signed with the customer. Exceptions exist in cases where state law preempts HIPAA.

For example, under Texas’ Medical Records Privacy Act, there is no distinction between covered entities and business associates – all businesses subject to the Act have to comply fully with all its provisions. To complicate matters, the Texas Medical Records Privacy Act applies to the medical records of all Texas residents, regardless of where the business is located or where the resident was at the time the health information was acquired.

If an MSP supplies a “zero-knowledge” service to a covered entity, is a Business Associate Agreement still necessary?

Even when an MSP cannot view ePHI because it is encrypted – and the zero-knowledge service means only the covered entity has the decryption key – the MSP is still considered a business associate if it is storing ePHI or is involved in the transmission of ePHI on behalf of the covered entity, and a Business Associate Agreement is still necessary.

What type of MSP HIPAA compliance training do employees of MSPs have to do?

If an MSP qualifies as a business associate, security and awareness training is mandatory for all members of the workforce regardless of their level of access to ePHI. Thereafter, the type of training required will vary according to the services provided by the MSP. For example, some members of the MSP’s workforce may require training on how to respond to patient access requests.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
