Channel pros with healthcare clients have way more confidence in their regulatory know-how than they should, according to the results of our latest reader survey and a HIPAA compliance expert.

By Rich Freeman
The Healthcare Information and Management Systems Society, or HIMSS as it’s better known, is holding its giant annual conference this week in Orlando, calling attention to a global healthcare IT market expected to grow 13.2 percent annually through 2022 to $297 billion, according to Allied Market Research.
Meanwhile, the federal government has been more quietly calling attention lately to a somewhat unappealing dimension of going after that spending: The potentially painful consequences of violating HIPAA, the regulation that among other things requires hospitals, medical practices, insurers, and others to safeguard patient data and report breaches promptly.
That big, broad “others” category includes “business associates,” which is to say third-party service providers, which is to say you, channel pros. And business associates are starting to get fined—heavily—for running afoul of HIPAA mandates.
Last September, for example, the feds levied a $400,000 fine against Care New England Health System, a healthcare provider headquartered in Providence, R.I., that qualifies as a business associate because it provides IT and administrative services to regional subsidiaries. Significantly, the company wasn’t nailed over the loss of a backup tape containing unencrypted data on 14,000 patients, but because government officials investigating the incident discovered that the written compliance agreement all business associates are required to have with their customers had fallen out of date in this case.
Last July, moreover, Catholic Health Care Services of the Archdiocese of Philadelphia got hit with an even steeper $650,000 fine for a business associate compliance lapse of its own.
All of which got us to wondering how well channel pros who work with clients in the healthcare vertical are insulating themselves from penalties like that. So we asked them about it in our latest reader survey, and learned the following:
Well, that’s a relief! Everyone in the admittedly modest sample of channel pros with healthcare customers we polled is at least somewhat sure they’re on the right side of the law.
Except they probably aren’t, according to Mike Semel, CEO of Semel Consulting LLC, a HIPAA compliance advisory firm in Las Vegas.
“Your numbers are a symptom of MSPs who are overconfident in their compliance and their own cyber security,” he says in remarks emailed to ChannelPro.
That’s not mere speculation either. Semel has been performing compliance assessments of IT providers for 14 years, and still routinely runs across firms that don’t even have a complete understanding of how HIPAA defines protected health information, or PHI in legal parlance.
“We regularly get told by healthcare clients supported by MSPs that their local computers have no PHI yet we always find it. Always. 100%. Every time. After we are told it isn’t there,” Semel writes. “Even MSPs that are educated about HIPAA have trouble staying compliant.”