As an MSP with healthcare clients, you need to understand how HIPAA applies both to you and to your clients. As their trusted advisor, your clients will rely on you to help them comply with HIPAA. To help you understand your own HIPAA obligations, and how to carry them over to your clients, MSP HIPAA compliance tips are discussed below.

MSP HIPAA Compliance Tips

  1. You yourself must be HIPAA compliant
  2. Conducting an annual security risk assessment is essential
  3. Encrypting devices that “touch” PHI is mandatory
  4. You must have signed business associate agreements
  5. Documentation proves HIPAA compliance
  6. You share your clients’ risk

1. You yourself must be HIPAA compliant

When you create, receive, maintain, or transmit protected health information (PHI) on behalf of healthcare clients, you are considered a business associate under HIPAA, and therefore must comply with many of the same standards that your clients must comply with.

HIPAA requires you to:

  • Conduct annual self-audits
  • Implement remediation efforts to address gaps uncovered through self-audits
  • Develop HIPAA policies and procedures, and review them at least annually
  • Train staff annually on HIPAA requirements
  • Have signed business associate agreements
  • Have a system for detecting, responding to, and reporting breaches

There are a couple of areas in which your HIPAA requirements differ from your healthcare clients'. Healthcare organizations that handle patient information in the course of treatment, payment, or healthcare operations are considered HIPAA covered entities. Covered entities must implement all of the same requirements as you; however, because they work directly with patient information, they must also implement additional privacy protections. To do so, they must perform a privacy audit (which MSPs are not required to do) and they must maintain more robust privacy policies.

2. Conducting an annual security risk assessment is essential

We already mentioned that you are required to conduct annual self-audits, one of which is a security risk assessment (SRA). A security risk assessment, also known as a security risk analysis, is arguably the most important self-audit. Not only do you need to conduct an SRA, it is likely that your healthcare clients will ask you to conduct theirs as well. You should therefore be well versed in the elements that make up an SRA.

These include: