The new HIPAA regulations are making us all work harder to protect the privacy of patient health information – and for good reason, considering the growing use of electronic medical records. Right now, managed services providers (MSPs) need to understand their status and requirements as “business associates” in order to comply with the Omnibus Rule and its final implementation deadline of September 23, 2013.
Those MSPs that qualify as business associates must implement their own HIPAA compliance program so that they can sign Business Associate Agreements with their healthcare clients and protect themselves from liability. HIPAA requirements are broad – encompassing administrative, technical and physical controls. Since virtually all MSPs use third-party tools and services to serve their clients, they should ensure that they are using these properly to enhance their information security programs.
Obtain Business Associate Agreements (BAAs) from Vendors
MSPs that are required to sign BAAs with their clients may in turn need to obtain signed BAAs from their providers. For example, MSPs may need BAAs from their professional services automation (PSA), remote monitoring and management (RMM), backup and disaster recovery (BDR), and cloud or data center vendors, particularly if they are hosting client protected health information (PHI) off site.
Ensure that your third-party tools can only be accessed by authorized personnel. Take advantage of access control features such as multi-factor authentication and enforce minimum password length and rigorous password complexity requirements.
Only transmit and store critical data in encrypted form. For example, passwords and PHI should always be encrypted during transmission and storage, and your solutions should use strong encryption algorithms such as AES-256.
When you or your service providers are speaking directly with your clients, how are they authenticated? Review end-user authentication processes to ensure that only authorized personnel receive service.
Most MSPs are quite disciplined about ensuring that their clients’ environments have the latest patches and up-to-date AV and anti-malware software. Third-party RMM tools help by automating assessment, deployment and out-of-compliance reporting. It’s equally critical that MSPs themselves follow best practices for their own environments and confirm that their providers do the same.
In a new era of stricter privacy regulations, it’s more important than ever for MSPs to be equipped with the best possible backend tools and services, and to ensure that both they and their healthcare clients meet HIPAA requirements. Continuum has achieved HIPAA compliance and is focused on helping our MSP partners to do the same. Continuum’s RMM platform and integrated services support and enable the security best practices described above. And Continuum is prepared to sign BAAs with its MSP partners that require them.