With physicians pooling their resources into group practices with multiple locations, medical clients are a potentially great opportunity for MSPs to provide VoIP, SD-WAN, desktop as a service, and IT support. What’s more, healthcare providers need at least 99.999% uptime, so they offer stable monthly recurring revenue as well.
Beware, though: If you are not properly educated on HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, you could face potential disaster and sizable fines.
HIPAA was originally passed by Congress in 1996 as a means of modernizing the flow of healthcare information and protecting that information from fraud and theft. HIPAA introduced a new classification of records to the medical industry known as protected health information (PHI). PHI is any record or data set that includes personally identifiable information (PII), demographic information, or medical information.
Under the original HIPAA privacy rule, it was the sole responsibility of “covered entities” (CEs)—doctors, practitioners, hospitals, and providers—to safeguard a patient’s PHI. CEs could farm out support services like medical billing, transcription, and IT to vendors known as “business associates” (BAs), but the responsibility to safeguard PHI remained with the CE and as such, only the CE could be held accountable in the event of a breach of a patient’s PHI. Even if a BA (perhaps an MSP) left thousands of patients’ ePHI (electronic PHI) on a thumb drive on a train, unencrypted and with a big red sticker saying “steal me,” only the CE could be held to blame and penalized under Title II of HIPAA.
In 2013, HIPAA got a much needed update in the form of the Final Omnibus Rule, which imported the HITECH Act’s security and breach notification rules. This rule change, for the first time, made BAs equally responsible for safeguarding a patient's PHI and subjected the BA to the same penalties as a CE for failing to do so. This means that if MSPs in any way handle or have access to PHI they must be able to prove HIPAA compliance; they must also have a business associate agreement (BAA) with the CE that outlines their roles and responsibilities. If an end user suffers a breach of PHI, their MSP can now be fined and held accountable under HIPAA at the same level as the CE.
There are five areas that all CEs and BAs must focus on to be HIPAA compliant, according to consultant Adam Greene, who spoke at the Healthcare Information and Management Systems Society 2019 (HIMSS19) conference in February:
- Develop a risk analysis and management process that is consistent with the expectations of HIPAA. This means understanding what components under HIPAA are auditable and how these components must be safeguarded.
- Document evidence that you have implemented sufficient security controls so you can respond to a regulatory investigation of HIPAA compliance.
- Develop policies and procedures that meet the expectations of HIPAA.
- Identify key areas of the HIPAA security rule that differ from your standard information security practices.
- Most important, prepare for a HIPAA security rule audit by:
  - Making sure you have a current security risk analysis and risk management plan.
  - Conducting a correlation between your policies and procedures and the Security Rule provisions.
  - Reviewing your policies and procedures against the HIPAA audit protocol, which can be found at HHS.gov.
Roger Severino, director of the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services, who also spoke at this year’s HIMSS19, echoed the need for CEs and BAs to mitigate malicious activity by having strong controls in place for auditing access, data backup, disaster recovery, and security incident procedures. (For those of you new to HIPAA, the mission of the OCR is to enforce HIPAA compliance and to help educate professionals and the public about the law. Think of them as the “HIPAA cops.”) In his talk, Severino pointed to 2018 data showing that although the theft of PHI due to stolen or lost devices had declined by 66% since 2014, theft of PHI via hacking had increased by 74% in the same time period.