HIPAA for MSPs
HIPAA for MSPs is a complicated subject to approach, as not only do MSPs count as Business Associates if they provide a service to a healthcare organization, they could also be a HIPAA-covered subcontractor if they provide a service to a company who provides a support service to a healthcare organization.
For example, if an MSP provides data storage services for an accounting firm, and the accounting firm provides bookkeeping services for a medical center, it may be possible the MSP is subject to HIPAA regulations depending on the nature of the data it stores on behalf of the accounting firm.
The HIPAA rules for MSPs will be applicable if the data consists of any personal identifiers considered to be “Protected Health Information” (the full list of personal HIPAA identifiers considered to be Protected Health Information can be found on Page 7 of our “HIPAA Compliance Guide”).
Any MSP that creates, receives, uses or maintains Protected Health Information is subject to HIPAA regulations and is required to enter into a “Business Associate Agreement” for as long as the MSP continues to provide a service to the healthcare facility or to the company providing a support service.
Why HIPAA for MSPs is Important
Historically, HIPAA for MSPs was not an issue. MSPs neglected to become HIPAA experts because they provided a service for clients who already were experts. MSPs knew about cloud technology, systems management, and security while healthcare organizations and their support companies knew about HIPAA.
That all changed in 2013 when the Final Omnibus Rule modified the HIPAA regulations. Now Business Associates and subcontractors have to comply with the HIPAA Rules, and can be found liable for a breach of Protected Health Information and can be fined directly if HIPAA Rules are discovered to have been violated.
The fines for noncompliance with HIPAA for MSPs can be significant (up to $50,000 per compromised record), and fines can be imposed even when a breach has not occurred, if a HIPAA violation is discovered during a compliance audit.
For this reason alone it is important Managed Service Providers take HIPAA for MSPs seriously. However, there are commercial advantages for MSPs who make the effort to learn about HIPAA and ensure the services they provide to healthcare facilities and support companies are HIPAA-compliant.
HIPAA for IT Service Providers
HIPAA for IT service providers is arguably more important than for any other type of business associate. IT service providers need to be able to remotely access their clients’ systems, monitor networks, and solve IT issues. Those systems are likely to contain electronic protected health information (ePHI), which makes it critical that the IT service provider is aware of the requirements of the HIPAA Privacy and Security Rules.
IT service providers must be aware of the need to protect ePHI from threats, ensure data is not moved to any insecure location (to protect against unauthorized access and disclosures), and also ensure all members of their workforce are trained to comply with the HIPAA Rules.
MSPs serving the healthcare industry are actively targeted by threat actors, who are well aware that an attack on an MSP can give them access to the networks of their main targets – healthcare providers. By completing the HIPAA compliance process and ensuring safeguards are in place to comply with the HIPAA Security Rule, MSPs will be making it harder for hackers to attack their own networks.
The Commercial Benefits of HIPAA for MSPs
Research into HIPAA compliance suggests over two million Business Associates and subcontractors who provide a service to healthcare facilities are not aware of the HIPAA regulations or to whom they apply. Indeed, many healthcare facilities take a “better-safe-than-sorry” approach and execute Business Associate Agreements with every company they have a business relationship with – irrespective of whether the company has access to Protected Health Information or not.
Being able to demonstrate a knowledge of HIPAA and compliance with its Security and Privacy Rules can place an MSP head and shoulders above its competition – and not only from the perspective of an organization within the healthcare industry. Compliance is a major growth area in many regulated industries. MSPs who can demonstrate compliance with complicated HIPAA regulations will attract clients from the financial and legal industries as well.
Being able to show that your company understands the needs of clients in regulated industries will differentiate you from the competition and you will win more business – many healthcare organizations will only consider a HIPAA-compliant managed service provider!
Establishing You are a Managed Service Provider for HIPAA Covered Entities
One of the best ways to demonstrate a knowledge of HIPAA and that you are a managed service provider for HIPAA covered entities is through accreditation. Compliance-conscious businesses in regulated industries look for awards or certificates that show a service provider has undergone some level of HIPAA training. As there are no formal HIPAA training requirements, these awards and certificates are not officially sanctioned by the Department of Health & Human Services; however, they demonstrate a service provider has made the effort to learn about HIPAA for MSPs and to ensure their policies, procedures, and technologies meet the required standards for privacy and security. These accreditations clearly demonstrate that an MSP has implemented a HIPAA compliance program and is committed to ensuring the privacy and security of regulated data.
If an MSP takes advantage of an accreditation scheme, it is important to be aware that accreditation alone will not prevent a fine being imposed for noncompliance with the HIPAA Rules. Being assessed for compliance with HIPAA only demonstrates that at a single point in time – when the assessment takes place – the MSP was HIPAA compliant. It is vital for a program of HIPAA compliance to be established that will ensure an MSP remains HIPAA compliant moving forwards.
It is recommended that MSPs look carefully at the options available to them in order to find a company providing suitable and comprehensive training on HIPAA for MSPs, tailored to the services the MSP provides and relevant to the healthcare facilities or support companies it provides those services to.
MSP HIPAA Compliance Services Can Significantly Increase Revenue
An MSP that has access to systems containing PHI must be compliant with the HIPAA Rules, but there is scope for MSPs to take this further by offering services to help their clients become or remain HIPAA compliant. Despite it being mandatory for healthcare organizations and their business associates to be HIPAA compliant, many are not. The HHS reported that 70% of healthcare organizations are not fully compliant with the HIPAA Rules, with incomplete HIPAA risk assessments one of the main areas where compliance failures occur. Security risk assessments must be conducted regularly, with annual security risk assessments the best practice. MSPs who are already HIPAA compliant can offer security risk assessment services to their healthcare clients and support companies serving the healthcare industry.
MSPs need to become HIPAA compliant, but they do not need to be HIPAA experts. They can partner with third-party HIPAA compliance experts and offer their HIPAA compliance software solutions under referral schemes. Some HIPAA compliance companies will also provide white-labeled sales and marketing material to help MSPs sell HIPAA compliance services to their clients. Not only will offering HIPAA compliance improve revenue, it will strengthen relationships with healthcare clients. Further, when clients go through the compliance and risk assessment process, it invariably highlights gaps in security that need to be addressed. MSPs often have the security solutions to address those gaps and can profit from offering additional services, with the compliance process helping to justify the need for those services.
HIPAA Managed Services
When MSP clients go through the compliance process and undergo security risk assessments, security gaps are likely to be discovered that pose risks to the confidentiality, integrity, and availability of ePHI. To be HIPAA compliant, those risks must be managed and reduced to a low and acceptable level.
MSPs can assist with that process. They can develop remediation plans to reduce risks, which are likely to involve additional security solutions that the MSP can offer. Common security gaps involve communication, which can be addressed through secure messaging. Disaster recovery is another area where failures are identified. MSPs can help to resolve these by providing backup and disaster recovery services.
MSPs can also help by providing secure cloud storage, encryption software, and system monitoring and auditing, with each additional service adding monthly recurring revenue (MRR) from the healthcare client and boosting MSP profits.