As an MSP with healthcare clients, you need to understand how HIPAA applies both to you and to your clients. As their trusted advisor, you will be expected to help them comply. The tips below cover your own HIPAA obligations and how to carry them over to your clients.
MSP HIPAA Compliance Tips
1. You yourself must be HIPAA compliant
When you create, receive, maintain, or transmit protected health information (PHI) on behalf of a healthcare client, you are a business associate under HIPAA, and must therefore comply with many of the same standards your clients do.
HIPAA requires you to:
- Conduct annual self-audits
- Implement remediation efforts to address gaps uncovered through self-audits
- Develop HIPAA policies and procedures, and review them at least annually
- Train staff annually on HIPAA requirements
- Have signed business associate agreements
- Have a system for detecting, responding to, and reporting breaches
Your HIPAA requirements differ from your healthcare clients’ in a couple of areas. Healthcare organizations involved in treatment, payment, or healthcare operations are HIPAA covered entities. Covered entities must implement all of the same requirements you do, but because they work directly with patient information they must also implement additional privacy protections: they must perform a privacy audit (which MSPs are not required to do) and maintain more robust privacy policies.
2. Conducting an annual security risk assessment is essential
As noted above, one of the annual self-audits you are required to conduct is a security risk assessment (SRA), also called a security risk analysis; it is arguably the most important of them. Not only must you conduct your own SRA, your healthcare clients will likely ask you to conduct theirs as well, so you should be well versed in the elements that make up an SRA.
These include: