Ignorance of the law is no excuse for failing to follow it, but there are cases where the law is so intricate that no one without expertise in the subject should be expected to understand it. One such example within the Health Insurance Portability and Accountability Act (HIPAA) amounts to a true Catch-22, such that many well-intentioned HIPAA-covered organizations are hard pressed to even know what their responsibilities under the law are, let alone fulfill them properly or ensure that an MSP is fulfilling them properly.
Heightening the stakes, penalties for noncompliance with HIPAA regularly reach into the mid-five figures, high enough to deal a serious blow to the bottom lines of most organizations—and perhaps even a fatal one to smaller companies. This situation is a shame, because safeguarding the protected health information (PHI) and the privacy rights of patients—HIPAA’s core goals—are certainly essential. And, as a comprehensive, all-encompassing law, HIPAA is rightfully complicated. Unfortunately, this means that businesses lacking expertise in HIPAA will find it difficult to achieve full compliance.
The paradox built into HIPAA arises directly from the law’s challenging complexity. It is common practice for many organizations dealing with PHI (and therefore subject to HIPAA) to enlist the aid of a managed services provider with expertise in the law, and technology solutions designed to achieve effective compliance.
The issue is this: HIPAA requires any MSP with the ability to access PHI held by a HIPAA Covered Entity (CE) to be HIPAA compliant itself. And, the CE is responsible for ensuring this is so; if the MSP is not HIPAA compliant in its handling of PHI, that’s a compliance issue by the CE itself. However, as we’ve established, in these cases the CE has hired the MSP to be its HIPAA expert because it does not possess that knowledge internally. It’s more or less impossible to imagine a CE that has employed an MSP to handle its HIPAA compliance needs will somehow have the wherewithal to point out flaws in the MSP’s own handling of patient data.
MSPs Need to Solve the Paradox
MSPs should solve this paradox on behalf of their clients. HIPAA specifically requires that any “business associate” of a CE (referring to any external business with access to a CE’s PHI) must work under a formal business associate agreement (BAA). The BAA is a legal document laying out the specific requirements with which the business associate conducts the handling of PHI. It also covers the solutions that should be in place to provide protections in line with HIPAA rules. Data encryption is a strong method of ensuring compliance with these security requirements.
It’s important to note that every kind of MSP that handles PHI is subject to these business associate rules—providers of technology, medical claims processing, data analysis, quality assurance, billing and collections, legal services, accounting, and any others that fit this criteria. HIPAA also calls for the BAA to legally require that the business associate report any breach or unauthorized use of protected data, and that all PHI be returned or destroyed at the BAA’s conclusion. The BAA must also cover any subcontractor relationships with the same rules that pertain to the chief business associate.
Of course, the CE may not know about these requirements of HIPAA either. This is exactly why MSPs should proactively offer a thoroughly compliant BAA at the start of business with any CE, as well as a clear explanation of the agreement’s importance.
A forthright account of HIPAA’s paradoxical nuances—and the value and necessity of a tightly drafted BAA—serves an MSP both as a demonstration of HIPAA 
content knowledge and as a competitive differentiator, striking a clear contrast with other MSPs that don’t take HIPAA’s specifics so seriously. Following the letter of the law with these rules is absolutely in the interest of both the CE and the MSP, because failing to comply with HIPAA’s guidelines can expose an MSP to fines and penalties just the same.
Instead of shying away from HIPAA’s complexities when communicating with clients, MSPs should highlight the elegance of their solutions in this area and use the BAA to their benefit, incorporating the agreement as a key feature of their value add.
CAM ROBERSON is the director of the reseller channel for Beachhead Solutions, a company offering a PC and mobile device encryption service platform for MSPs.
Image source: Pixabay
