1. You yourself must be HIPAA compliant
When you work with healthcare clients, you are considered a business associate under HIPAA, and therefore must comply with many of the same standards that your clients must comply with.
HIPAA requires you to:
- Conduct annual self-audits
- Implement remediation efforts to address gaps uncovered through self-audits
- Develop HIPAA policies and procedures, and review them at least annually
- Train staff annually on HIPAA requirements
- Have signed business associate agreements
- Have a system for detecting, responding to, and reporting breaches
There are a couple of areas in which your HIPAA requirements differ from your healthcare clients’. Healthcare organizations that are involved in treatment, payment, or healthcare operations are considered HIPAA covered entities. HIPAA covered entities must implement all of the same requirements as you; however, since they work directly with patient information, they must implement additional privacy protections. To do so, they must perform a privacy audit (which MSPs are not required to do), and they must have more robust privacy policies.