The Health Insurance Portability and Accountability Act, commonly known as HIPAA, is the law that sets rules, guidelines, and standards for protecting sensitive patient data. HIPAA’s rules are wide-ranging and can potentially affect many businesses and organizations, which can often lead to compliance issues.
The Health Insurance Portability and Accountability Act of 1996 was enacted on August 21, 1996 by the United States Congress and signed by President Bill Clinton. It includes Title I, which protects health insurance coverage for workers and their families when they change or lose their jobs, and Title II, known as Administrative Simplification (AS) provisions, which establishes national standards for electronic health-care transactions and national identifiers for providers, health insurance plans and employers.
In brief, HIPAA governs protected health information (PHI), which includes any and all information created or received in any medium, form, or transmission method (including verbal) by a variety of organizations, including:
- health care providers
- health plans
- public health authorities
- life insurers
- schools and universities
- health care clearinghouses
This information can involve—for any individual—past, present or future health conditions; provisioning of health care; or payment for provisioning of health care.
All companies that deal with protected health information in any way must have in place all physical, network, and process security measures that HIPAA requires, and must ensure compliance at all times.
Organizations and people who deal with PHI generally fall into three groups: covered entities (healthcare organizations), business associates (service providers that handle PHI on behalf of a covered entity) and workforce (employees, volunteers, and trainees of covered entities or business associates). Additionally, subcontractors of business associates (business associates of business associates) must also be in compliance with HIPAA guidelines.
Key Terms & Definitions
HIPAA—The Health Insurance Portability and Accountability Act of 1996; legislation enacted to set national standards for the security of health information. HIPAA is far-reaching and complex, and HIPAA compliance affects many industries beyond health care providers.
Protected Health Information (PHI)—Any information about the health status, the provision of health care, or payment for said health care that can be linked to an individual.
Electronic Protected Health Information (ePHI)—Protected Health Information that is created, modified, stored, transmitted or received electronically.
Covered Entities (CE)—Any person or organization that provides treatment, payment and/or operations in healthcare. Examples include hospitals, doctors’ and dentists’ offices, clinics, pharmacies, nursing homes and other residential healthcare operations. Additionally, health plans, health insurance companies, health care clearinghouses, company health plans and government health programs are also covered entities.
Business Associates—Typically, covered entities do not perform all of their activities and functions by themselves—they employ service providers, collectively known under HIPAA as business associates, to fulfill certain services and functions internally and/or externally. These business associates must act pursuant to the HIPAA Privacy Rule. Business associates include anyone or any organization that has access to PHI, be it indirect, direct, physical or virtual. Additionally, support organizations that provide services such as billing, claims processing, legal, accounting, and IT are also considered business associates.
Workforce—Employees, volunteers and trainees of a business associate or covered entity. This includes anyone who is under the “direct control” of the organization, whether or not they are paid.
Compliance—The act and status of adhering to and being in accordance with the HIPAA Privacy Rule.
Security Risk Assessment—A procedure required by covered entities under the HIPAA Security Rule that helps an organization determine and ensure that they are compliant with HIPAA’s administrative, physical and technical safeguards.
HIPAA Security Rule—A part of HIPAA legislation that establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. Administrative, physical and technical safeguards are required by covered entities to ensure compliance with the Security Rule.
HIPAA Privacy Rule—A part of HIPAA legislation that establishes national standards to protect individuals’ medical records and other personal health information and applies to covered entities and business associates. Compliance with the Privacy Rule requires appropriate safeguards to protect PHI and disclosure of the limits and conditions on the use of PHI without patient authorization, including patient rights to examine and obtain a copy of health records and to request corrections.
Health Information Technology (HIT)—The transmission and reception of health information within an electronic environment, including the hardware and software used for storage, retrieval, sharing, and use of PHI. HIPAA exists as a standard for privacy and security that HIT administrators must be in compliance with.
HIPAA Final Omnibus Rule—Enacted in 2013 as part of the American Recovery and Reinvestment Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA), this rule provides updates and greater protection of patient privacy and PHI as digital communication continues to expand. The rule states that data storage companies qualify as business associates under HIPAA if they have access to PHI, no matter how frequently or infrequently they view that information.
Business Associate Agreement (BAA)—A contract between a covered entity and a business associate for the purpose of setting expectations of HIPAA compliance and the implementation of appropriate safeguards.
HITECH Act—The Health Information Technology for Economic and Clinical Health Act. Legislation that states that the Secretary of the Department of Health and Human Services must prepare and submit to Congress annual reports on breach notifications and HIPAA Privacy and Security Rule compliance, which are also made available to the public on the Department’s web site.
Electronic Medical Records (EMR)—Records that contain standard medical and clinical data collected in one provider’s office.
Electronic Health Records (EHR)—A more comprehensive patient history, going beyond data from a provider’s office.
Administrative Safeguards—Actions, policies and procedures that oversee the selection, use and maintenance of security measures that protect ePHI. Administrative safeguards also protect ePHI through security measures that govern the conduct of a covered entity's workforce.
Physical Safeguards—Physical measures, policies, and procedures designed to protect the electronic information systems, equipment, and related buildings of a covered entity from hazards, disasters, and unauthorized access.
Technical Safeguards—Technology, policy and procedure that protects and controls access to electronic health information.
HIPAA Compliance and IT
Any organization that regards itself as being HIPAA compliant is one that follows the Privacy Rule to the letter. However, there is a distinction between agreeing to be HIPAA compliant and being entirely in accordance with the law. Business Associate Agreements do not guarantee or certify HIPAA compliance. Rather, BAAs act as the first step: a pact between a covered entity and a business associate that the BA will undertake the necessary steps to be HIPAA compliant in all their actions for a covered entity.
First, business associates must conduct a proper security risk assessment of their business to determine how PHI is currently being handled. This assessment will investigate how it is created, stored, transmitted and received, as well as a variety of other processes. The findings from the security risk assessment are then used to create a risk management plan. In this plan, issues are mitigated, and gaps in HIPAA Privacy Rule compliance are closed, based on the information brought to light in the assessment.
Next, business associates must develop ePHI procedures, processes and policies that adhere to the guidelines set forth in the HIPAA Security Rule. These fall into the three larger subsections of the Security Rule: physical safeguards, technical safeguards and administrative safeguards. Typically, this takes the form of explicit documentation that addresses the Security Rule specifically, created and managed by health information technology (HIT) resources.
With the expansion of HIPAA regulation through the Omnibus Rule of 2013 and the HITECH Act, IT professionals—including MSPs—who do business with covered entities or with business associates are nearly always legally required to also be HIPAA compliant to the same degree as a covered entity or business associate, and as such, are also susceptible to the same liabilities and penalties as CEs and BAs.
Penalties for HIPAA noncompliance are severe, so it’s important for MSPs to understand their responsibilities. Parties that are guilty of HIPAA law violations can be fined anywhere from $100-$50,000 per violation with an annual maximum of $1.5 million.
The MSP Opportunity
Speed. Reliability. Efficiency. Security. The modern healthcare industry requires all of these to operate at optimal levels and provide the care patients need. With so much of health-care information being transmitted electronically, it may literally be a matter of life and death for a hospital to have the proper IT management, data security, and business continuity—all while abiding by HIPAA guidelines.
This scenario has created a prime opportunity to tap into a growing market—the healthcare vertical—where covered entities as well as business associates have a need for optimal, proactive IT management that’s HIPAA compliant. By 2020, IDC Health Insights projects that 42% of all healthcare data created in the Digital Universe will be unprotected but will need to be protected, as the use of data and analytics continues to proliferate and more stakeholders are involved in the delivery of care. These are no longer only large organizations, either; a multitude of businesses that are required to be HIPAA compliant need everything from remote monitoring and management (RMM) solutions, to email security and endpoint encryption, to backup and disaster recovery (BDR) and data retention solutions.
Across the healthcare industry, from smaller doctors’ offices to labs to specialty clinics, MSPs have a major opportunity to benefit from higher-margin revenues by offering cloud-based services.
By 2020, 80 percent of healthcare data is expected to pass through the cloud, according to IDC Health Insights, and as such MSPs are primed to secure the networks that connect covered entities and other business associates. For organizations that must be HIPAA compliant, IT management in this space will only increase and will require more expertise to prevent the harsh fines that come with noncompliance.
Protecting sensitive data is the priority in the healthcare vertical, and MSPs have a wide variety of products that can service these requirements. However, it is important for MSPs that decide to specialize in healthcare IT to be positively HIPAA compliant. This can be seen as a value proposition that is a necessity for the industry, and is crucial to build brand awareness and trust with clients. MSPs that establish themselves as uncompromisingly HIPAA compliant have often seen significant revenue growth as they grow their business within the vertical, because they become trusted IT experts to their clients. Additionally, MSPs have the opportunity to become the HIPAA compliance resource for business associates, allowing those responsibilities to be managed by a knowledgeable, expert MSP that can guide their clients confidently to compliance, while the BA moves forward with their business.
Managed service providers in the IT channel possess a valuable chance to become experts in the emerging healthcare vertical at this time. As the healthcare industry grows, and HIPAA regulations become stronger in the digital age, covered entities and business associates can become burdened and overwhelmed by their requirements while also running their business. MSPs are primed to step in and provide expert services that can mean the difference between optimal HIPAA compliance and costly violations for many organizations—a situation that makes MSPs even more valuable for an ever-growing number of organizations.