As an MSP with healthcare clients, it is important to understand how HIPAA applies to you and your clients. As your clients’ trusted advisor, your clients will rely on you to help them comply with HIPAA. To help you understand your HIPAA obligations, and how to carry them over to your clients, MSP HIPAA compliance tips are discussed below.
MSP HIPAA Compliance Tips
- You yourself must be HIPAA compliant
- Conducting an annual security risk assessment is essential
- Encrypting devices that “touch” PHI is mandatory
- You must have signed business associate agreements
- Documentation proves HIPAA compliance
- You share your clients’ risk
1. You yourself must be HIPAA compliant
When you work with healthcare clients, you are considered a business associate under HIPAA, and therefore must comply with many of the same standards that your clients must comply with.
HIPAA requires you to:
- Conduct annual self-audits
- Implement remediation efforts to address gaps uncovered through self-audits
- Develop HIPAA policies and procedures, and review them at least annually
- Train staff annually on HIPAA requirements
- Have signed business associate agreements
- Have a system for detecting, responding to, and reporting breaches
There are a couple of areas in which your HIPAA requirements differ from your healthcare clients’. Healthcare organizations that are involved in treatment, payment, or healthcare operations are considered HIPAA covered entities. HIPAA covered entities must implement all of the same requirements as you, however, since they work directly with patient information, they must implement additional privacy protections. To do so, they must perform a privacy audit (which MSPs are not required to do) and they must have more robust privacy policies.
2. Conducting an annual security risk assessment is essential
We already mentioned that you are required to conduct annual self-audits, one of which is a security risk assessment (SRA). A security risk assessment, also known as a security risk analysis, is arguably the most important self-audit. Not only do you need to conduct an SRA, it is likely that your healthcare clients will ask you to conduct theirs as well. You should therefore be well versed in the elements that make up an SRA.
These include:
- “Collecting Data”
- “Identifying and Documenting Potential Threats and Vulnerabilities”
- “Assessing Current Security Measures”
- “Determining the Likelihood of Threat Occurrence”
- “Determining the Potential Impact of Threat Occurrence”
- “Determining the Level of Risk”
3. Encrypting devices that “touch” PHI is mandatory
Although encryption is not specifically mandated by HIPAA, it might as well be. The HIPAA Security Rule states, “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”
As you probably know, any alternative measure would likely be less effective and more costly to implement than encryption. Additionally, the Department of Health and Human Services often fines organizations for lacking encryption on devices that have the potential to access electronic protected health information (ePHI), especially when said device is lost or stolen. When an unencrypted electronic device is lost or stolen, and it stores or has access to ePHI, this is considered a reportable breach, subjecting the organization to scrutiny, reputational damage, and potential fines.
4. You must have signed business associate agreements
As a HIPAA business associate, you must have signed business associate agreements (BAAs) in place with all of your healthcare clients before working with them. You must also have signed BAAs with any vendor that you work with that has the potential to access your client’s data. BAAs are legal contracts that require each signing party to be HIPAA compliant, and be responsible for maintaining their compliance.
5. Documentation proves HIPAA compliance
Documentation is an integral part of HIPAA compliance, and protects you in the event of a HIPAA audit. Organizations that are subjected to HIPAA audits, whether it’s the result of a breach or complaint, will be asked to prove their “good faith effort” toward compliance, which is only possible with thorough documentation.
During an audit, you will be asked to:
- show proof that you conducted a thorough and accurate risk assessment;
- have documented remediation efforts to address gaps in compliance;
- have written policies and procedures;
- have documented proof of employee training with their attestations that they agree to adhere to HIPAA requirements;
- have signed business associate agreements with your healthcare clients and business associates;
- and have written procedures in place for responding to breaches.
Did you know that when you work with Compliancy Group, all of your HIPAA documentation is stored electronically in the Guard compliance tracking software? We can provide you with all of the documentation and support you need to get you through a HIPAA audit. What’s more is that our methodology has been tested against the letter of the law. We have never failed a HIPAA audit on behalf of our clients!
6. You share your clients’ risk
In many instances, your clients (as HIPAA covered entities), are not HIPAA compliant. This is especially true for smaller healthcare organizations that don’t have the time or resources to develop a HIPAA compliance program. This presents a risk to you, but also an opportunity. Your healthcare clients will often look to you for guidance on how to comply with the security aspects of HIPAA, but you can also help them fulfill all of their requirements. By partnering with or referring your healthcare clients to Compliancy Group, all you have to do is make the introduction, and we’ll handle the rest for you. We even offer white-labeling so that you can resell our services under your brand, and you still get the benefit of having us manage your clients’ HIPAA compliance for you!
