If you’re thinking about serving clients in the healthcare vertical, here are four points about HIPAA compliance to keep in mind.
1. You may be required to sign business associate agreements (BAAs)
Under rules passed in 2013, many MSPs are considered business associates under HIPAA and will need to adhere to many of the provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and the HIPAA Breach Notification provisions. Healthcare clients who are considered Covered Entities under HIPAA must require you to sign BAAs. In turn, you must obtain signed BAAs from vendors you work with such as BDR vendors, RMM platform vendors, and cloud providers to ensure they are in compliance. Failing to sign BAAs does not exempt you from your responsibilities under HIPAA or the potential liability (see number four below).
2. HIPAA and the HITECH Act: more data = more responsibility
The core of the Health Information Technology for Economic and Clinical Health (HITECH) Act is advancing healthcare IT and laying the foundation for widespread use of electronic health records (EHR). And with more health data comes a need for more security and privacy. Under this act, healthcare clients are required to report data breaches affecting 500 or more individuals to the Department of Health and Human Services (HHS) and the media, in addition to notifying the affected individuals. Some of the past data breaches reported to the HHS involved business associates, so MSPs need to strengthen their data security protocols.
3. Airtight security is more important than ever
Protecting patient health data has been redefined in a HIPAA-compliant world. Under the “Security Standards: General Rules” section of the HIPAA Security Rule, healthcare clients and their business associates must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit. They must also protect against any reasonably anticipated threats and hazards to the security or integrity of ePHI. As an MSP, you may not directly handle patient files, but you might store ePHI in your data center, or access it to support your clients’ systems.
4. Noncompliance comes with consequences
As an MSP serving the healthcare vertical, you can now be audited by the Office for Civil Rights within the Department of Health and Human Services, held accountable for a data breach, and penalized for noncompliance. Penalties for noncompliance can range up to $50,000 per violation and up to $1.5 million per year across all HIPAA violation categories – so you’ll want to make certain your systems and processes are up to date.
By Gretchen Hoffman