
4 Things MSPs Need to Know About HIPAA Compliance

Posted September 22, 2013 by Rob Autor


If you’re thinking about serving clients in the healthcare vertical, here are four points about HIPAA compliance to keep in mind. 

1. You may be required to sign business associate agreements (BAAs)

Under rules passed in 2013, many MSPs are considered business associates under HIPAA and will need to adhere to many of the provisions of the HIPAA Privacy Rule, all of the HIPAA Security Rule, and the HIPAA Breach Notification provisions. Healthcare clients who are considered Covered Entities under HIPAA must require you to sign BAAs. In turn, you must obtain signed BAAs from the vendors you work with, such as BDR vendors, RMM platform vendors, and cloud providers, to ensure they are in compliance. Failing to sign BAAs does not exempt you from your responsibilities under HIPAA or from the potential liability (see number four below).

2. HIPAA and the HITECH Act: more data = more responsibility

The core of the Health Information Technology for Economic and Clinical Health (HITECH) Act is advancing healthcare IT and laying the foundation for widespread use of electronic health records (EHR). And with more health data comes a need for more security and privacy. Under this act, healthcare clients are required to report data breaches affecting 500 or more individuals to the Department of Health and Human Services (HHS) and the media, in addition to notifying the affected individuals. Some of the past data breaches reported to the HHS involved business associates, so MSPs need to strengthen their data security protocols.

3. Airtight security is more important than ever

Protecting patient health data has been redefined in a HIPAA-compliant world. Under the “Security Standards: General Rules” section of the HIPAA Security Rule, healthcare clients and their business associates must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit. They must also protect against any reasonably anticipated threats and hazards to the security or integrity of ePHI. As an MSP, you may not directly handle patient files, but you might store ePHI in your data center, or access it to support your clients’ systems.

4. Noncompliance comes with consequences

As an MSP serving the healthcare vertical, you can now be audited by the Office for Civil Rights within the Department of Health and Human Services, held accountable for a data breach, and penalized for noncompliance. Penalties for noncompliance can range up to $50,000 per violation and up to $1.5 million per year across all HIPAA violation categories – so you’ll want to make certain your systems and processes are up to date.


Rob is an operations and technology management wiz with a range of experience at companies like Sallie Mae, Price Waterhouse and driving superior service quality at Continuum’s network operations center (NOC) and Help Desk. When he was a kid, Rob wanted to be a professional tennis player.

Topics: Healthcare IT, HIPAA
