
4 Things MSPs Need to Know About HIPAA Compliance

Posted September 22, 2013 by Rob Autor


If you’re thinking about serving clients in the healthcare vertical, here are four points about HIPAA compliance to keep in mind. 

1. You will almost certainly be required to sign business associate agreements (BAAs)

Under the Omnibus Rule finalized in 2013, an MSP that creates, receives, maintains or transmits protected health information on behalf of a healthcare client is a business associate under HIPAA. That makes you directly responsible for many provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and the Breach Notification Rule. Healthcare clients that are Covered Entities must require you to sign a BAA before you handle their data. In turn, you must obtain signed BAAs from the subcontractors that touch that data on your behalf, such as BDR vendors, RMM platform vendors and cloud providers, so that they are contractually bound to the same safeguards. A BAA is a contract, not a shield: failing to sign one does not exempt you from your obligations under HIPAA or from the liability that comes with them (see number four below).

2. HIPAA and the HITECH Act: more data = more responsibility

The core of the Health Information Technology for Economic and Clinical Health (HITECH) Act is advancing healthcare IT and laying the foundation for widespread use of electronic health records (EHR). More health data in more systems means more to secure, and HITECH added the breach notification requirements to match. A covered entity must notify each affected individual without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services (HHS) at the same time, and when more than 500 residents of a single state or jurisdiction are affected, prominent media outlets must be notified as well; smaller breaches are logged and reported to HHS annually. The point that matters most to an MSP: a business associate that discovers a breach must notify the covered entity within that same 60-day window, so you need a detection and reporting process of your own, not just your client's. A number of the breaches published on the HHS breach portal involved business associates, so MSPs need to strengthen their data security controls accordingly.

3. Airtight security is more important than ever

HIPAA sets a concrete baseline for protecting patient health data. Under the "Security Standards: General Rules" section of the HIPAA Security Rule, healthcare clients and their business associates must ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) that they create, receive, maintain or transmit; protect against reasonably anticipated threats or hazards to its security or integrity; protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit; and ensure their workforce complies. The rule's administrative safeguards also require a documented risk analysis and a risk management plan, and the absence of a current risk analysis is one of the most common findings in OCR enforcement actions, so it is a good place to start. As an MSP you may never open a patient chart, but a backup of a client's EHR server sitting in your data center, or a remote support session through your RMM tooling into a system that holds ePHI, both put you squarely inside these requirements.

4. Noncompliance comes with consequences

As an MSP serving the healthcare vertical, you can now be audited by the Office for Civil Rights (OCR) within the Department of Health and Human Services, held accountable for a data breach, and penalized for noncompliance. Under the 2013 penalty structure, civil penalties are tiered by culpability and range up to $50,000 per violation, with a cap of $1.5 million per calendar year for violations of the same provision (the cap applies per provision, so multiple failures can stack); HITECH also allows state attorneys general to bring their own actions. You will want to make certain your systems, documentation and processes are up to date before a client, an auditor or an incident puts them to the test.


Rob is an operations and technology management wiz with a range of experience at companies like Sallie Mae and Price Waterhouse. He is responsible for driving superior service quality at Continuum's network operations center (NOC) and Help Desk, and he also runs Continuum's IT Division. When he was a kid, Rob wanted to be a professional tennis player. Now he's our Senior Vice President of Global Service Delivery. He loves this business because he can build a world-class operation bringing leading-edge technology to small businesses.

Topics: HIPAA, Healthcare IT
