HIPAA (Health Insurance Portability and Accountability Act) compliance is a complex but critical issue for many businesses. When these businesses outsource their IT management, the onus for ensuring HIPAA compliance falls on their managed services providers (MSPs), like yourself. Your clients in the healthcare industry will likely pepper you with questions and concerns about staying HIPAA compliant and avoiding the costly consequences of a HIPAA violation.
Here are the three most commonly asked questions about HIPAA compliance for MSPs.
1. Who’s covered under HIPAA?
Virtually every business that falls under the broad umbrella of healthcare - from private practice therapists to small doctors’ offices to health insurance companies - has to comply with HIPAA, and that includes the MSPs who manage these healthcare networks and data. Although many of these organizations think primarily about their in-office software and hardware, the truth is that HIPAA extends well beyond those boundaries. For example, if a doctor has access to corporate information or even electronic medical record systems on his or her cell phone, then that device needs to be HIPAA compliant as well.
2. Why the recent focus and industry-wide emphasis on HIPAA compliance?
Although the original HIPAA regulations date back to 1996, there has clearly been a real push toward compliance more recently. One of the reasons for this is the new set of requirements that must be met under the HITECH Act as of September 2013. Among other things, the HITECH Act requires that managed IT services providers sign a business associate agreement. By doing so, you’re assuming liability for handling the sensitive data found within electronic Protected Health Information (ePHI); without a business associate agreement in place, you can no longer work on clients’ systems if they require HIPAA compliance. This extends not only to vendors as covered entities but even to subcontractors.
3. What are the consequences of non-compliance?
If you’re functioning as part of the ecosystem of vendors and providers that are required to maintain HIPAA compliance, you’re also part of the liability chain. Violating HIPAA regulations results in fines from $1,000 to $5,000 per instance on the low end of the spectrum, up to $1.5 million for willful neglect (companies that knew the requirements but violated them anyway). HIPAA compliance is not a luxury; it’s the law, and if your MSP or the healthcare clients you work with are found to be on the wrong side of this law, these violations can get pretty pricey pretty quickly.
Moving Toward Compliance
The average cost of a data breach is $3.8 million, with 94% of organizations reporting some type of data breach over the past two years. Approximately 44% of businesses believe they are HIPAA compliant, while 28% aren’t sure of the requirements themselves, let alone whether their own organization is capable of meeting them. Make sure you're not part of that 28%.