Everyone who does business in the healthcare industry knows that helping clients comply with the law best known as HIPAA is one of their chief responsibilities. Far fewer of them, however, recognize that as “business associates” of healthcare providers with access to protected data, they too have serious compliance obligations.
Those go way beyond signing a “business associate agreement” committing them to follow the law’s provisions too, according to Mike Semel, CEO of Semel Consulting LLC, a HIPAA compliance advisory firm in Las Vegas. “You as an MSP need to have a HIPAA compliance program,” he says.
Or else, warns fellow HIPAA expert Marc Haskelson, president and CEO of Greenlawn, N.Y.-based Compliancy Group LLC. The federal government is auditing business associates in rising numbers, and it’s just a matter of time before MSPs get swept up in those inspections. “If the MSP fails, the government will have the right to audit any of that MSP’s clients in healthcare,” Haskelson says, adding that if that doesn’t hurt your business the accompanying fines and reputation damage surely will. “It’s a big deal,” he observes.
So what can MSPs with healthcare clients do to avoid that fate? These four steps are a starting point:
1. Assess your risk. HIPAA requires that business associates self-audit their computer systems and operational processes for flaws that could leave patient information exposed to unauthorized viewers, and to keep doing it on a regular basis. “Once you’ve done that you need to be able to document your audits,” Haskelson notes, as well as your plans for remediating any gaps you find and responding to a breach should one occur.
2. Set appropriate internal compliance policies. This is more than just good sense. Business associates are legally obligated to have clear HIPAA policies in place, along with procedures for enforcing those rules and training employees to follow them.
Those policies should be thorough too, because HIPAA risks can lurk in subtle places. Bring a malfunctioning PC back to the office, for example, and HIPAA transfers primary responsibility for its contents from your client to you. Semel, who was once an MSP himself, used to require techs to get direct permission from him before removing devices from client sites for that very reason.
3. Disclose breaches promptly. If one of your customers suffers data loss despite your best efforts, keeping it under wraps is your worst mistake. “Any incident that occurs needs to be reported to the federal government,” Haskelson says. If the incident in question affected 500 or more people, notification must occur within 60 days. Breaches involving fewer than 500 people must be reported within 60 days after the end of the year.
4. Fire your most foolhardy customers. Just as the government can audit all of your healthcare clients if you violate HIPAA, it can audit all of a client’s business associates if that client breaks the law. Healthcare providers who refuse to follow your security and compliance advice therefore pose as big a threat to you as they do to themselves.
“Customers sometimes say we haven’t been audited, have never had a breach, and don’t want to spend the money,” observes Cam Roberson, reseller channel director at Beachhead Solutions Inc., a maker of PC data encryption software headquartered in San Jose, Calif. “My feeling is run, don’t walk, from those customers or you’ve got to do a better job of educating them.”
Needless to say, there’s much more MSPs must know about HIPAA compliance, but Haskelson encourages them to look at that as an opportunity rather than a burden. Compliant IT providers minimize risks not just for themselves but for their customers, giving them a competitive advantage over less diligent firms.
“There’s a huge benefit by being the person in your market [who] is already HIPAA compliant,” Haskelson says. “You’re either going to take clients away from your competitors or be able to open a whole new market that you never touched before.”