It’s been more than a year since a final wave of data privacy regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) went into effect. Are most channel pros up to speed on them?
“Not even close,” says Raj Goel, president and co-founder of Brainlink International Inc. A managed service provider based in Long Island City, N.Y., Brainlink also provides HIPAA compliance consulting to other MSPs. Goel estimates he’s received more pleas for help in the last 12 months than in the past 10 years combined.
No wonder. Previously, HIPAA put only “covered entities” like medical practices, clinics, and hospitals on the hook for keeping patient data secure. The HIPAA omnibus rule that went into effect in September 2013, however, extends that responsibility to “business associates”—including MSPs and the backup and disaster recovery providers whose services they use.
“You need to make sure those guys are actually HIPAA compliant as well,” says Kevin Edwards, director of healthcare services at Flexible Business Systems, a small business technology provider based in Hauppauge, N.Y.
Don’t take their word for it either, Goel advises. “Every vendor I’ve seen now claims HIPAA compliance,” he says, and they’re all willing to sign business associate agreements, the legally mandated contracts that officially commit them to safeguarding protected information. More often than not, though, they’re unknowingly in violation of key requirements, Goel contends.
That means every channel pro who backs up data for healthcare clients needs to take a close, hard look at their favorite BDR vendor’s security policies and safeguards, paying especially careful attention to issues like these:
Encryption: Confirm that the vendor encrypts data both “at rest” in its data centers and “in transit” across the Internet, says John Durant, director of channel sales at Boston-based BDR provider Carbonite Inc. “You want to make sure data is being transferred in the appropriate manner,” he says.
Access controls: You also want to make certain your BDR vendor takes rigorous steps to keep unauthorized viewers out of its databases and data centers.
Log-in monitoring: HIPAA requires covered entities to take action if hackers try to sneak into systems containing health information, so be sure your BDR provider tracks login attempts, provides audit logs on request, and blocks users who use incorrect passwords repeatedly.
Physical location: Ask your BDR vendor where your client’s data will reside. “It has to stay within the continental United States,” notes Rob Rae, vice president of business development at Norwalk, Conn.-based BDR provider Datto Inc., and your vendor should offer certification that it will.
Data retrieval and destruction: Can your clients get their data back if they cancel their account? What about if the BDR provider goes out of business? Does the vendor shred old storage systems after hardware upgrades or list them on eBay? Check their SLA to find out, Goel advises, and don’t hesitate to follow up if you have a question about something. “The good vendors will tell you the truth, or at least put you in touch with someone who can answer it,” he says.
Choosing the right partner is just the beginning though, Rae notes. Choosing the right customers is equally important. Covered entities are required by law to keep healthcare data not only safe but available, even after natural disasters; working with healthcare clients who refuse to invest in state-of-the-art backup technology could expose you to steep fines. “Ultimately, an MSP should probably walk away from that business as opposed to getting involved in there and potentially opening themselves up to risk,” Rae says.
Indeed, walking away from healthcare altogether may be a wise move for many channel pros. Goel has been studying HIPAA since 1997, yet he refuses to deliver managed services to healthcare providers and advises most MSPs to do the same. There are simply too many ways to break the law, he observes, and avoiding them all costs too much time and money.
“This is not a business for the underfunded or the weakhearted,” Goel says.