CEs and BAs are on the hook for this too. The OCR reported levying $28,638,400 in Civil Money Penalties to CEs and BAs who failed to comply with HIPAA and adequately safeguard patients’ PHI.
The takeaway? While it may seem like a great idea to support group medical practices (and I am not saying it isn’t), you must have a concrete and well-thought-out HIPAA compliance program in place that includes policies and procedures on handling and securing PHI for your company and your clients. Start by conducting an honest security risk analysis (preferably by a qualified third party), which will shine a light on your strengths and weaknesses in protecting PHI, and then create a risk mitigation plan.
If you can court a group medical practice by showing you’ve already done the legwork on HIPAA compliance, you will have a built-in advantage over other MSPs. However, if you go into this market blindly, you could be one breach away from financial ruin.
MICHAEL O’HARA, CISSP, CHP, CSCS, CCSA, is a security consultant. Contact him at firstname.lastname@example.org.