As an MSP, you know the importance of data security. HIPAA regulation has become an essential part of maintaining that security in today’s healthcare market. Some of your customers may be healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) and therefore, are concerned about their HIPAA compliance. MSPs need to be HIPAA compliant to service healthcare clients.
HIPAA, or The Health Insurance Portability and Accountability Act was first enacted in 1996. It sets regulatory standards that require healthcare organizations to implement controls to secure patients’ protected health information (PHI) or ePHI. PHI is any piece of demographic information that can be used to identify a patient, including names, addresses, Social Security numbers, and medical record numbers, to name a few. ePHI is any PHI that is created, handled, transmitted, or received in an electronic format.
As an MSP with even a single healthcare client, you are exposed to any ePHI stored or transmitted through their network. That means that you are considered a “business associate” under HIPAA regulation, even if you never directly access or view the information. The fact that you have the potential to view this data as a result of the services you’ve been hired to perform means that you are subject to HIPAA regulation. Being a business associate under HIPAA, you are legally required to have an effective program and can be held liable in the event of a data breach. The moral of the story is: if you plan on working with clients in healthcare, then you need to be HIPAA compliant.
Now you may be asking yourself, what does HIPAA compliance require when it comes to IT security, identity, and access management?
Good question. These are the bread and butter of any effective security program. However, these are just the tip of the iceberg when it comes to HIPAA compliance. There are many privacy and security guidelines involved when it comes to HIPAA compliance.
Compliance and Security
HIPAA security guidelines are outlined in the HIPAA Security Rule. The rule establishes national standards that outline the security safeguards that must be implemented by covered entities and business associates to protect the confidentiality, integrity, and availability of PHI.
The security standards of the HIPAA Security Rule must address three key elements of the regulation. These security standards include:
- Physical Safeguards: Businesses must have the appropriate physical safeguards in place to protect PHI or ePHI. Common examples are alarm systems, security systems, and locked areas where PHI/ePHI is stored.
- Technical Safeguards: These are the safeguards that deal with the cybersecurity of your office. Technical cybersecurity safeguards must be implemented in order to protect patients’ ePHI. Some examples include firewalls, encryption, and data back-up.
- Administrative Safeguards: These safeguards must be in place to ensure that all staff members are properly trained in order to execute the implemented security measures. Administrative safeguards include policies and procedures that document security safeguards you have in place, as well as employee training to ensure your staff understands these policies and procedures.
Business Associate Agreements are Not Optional
If you are an MSP working with healthcare organizations, you must also execute a business associate agreement (BAA) to keep your business safe.
Business associate agreements outline what business associates can or cannot do when they access PHI, how they will protect that information, how they will prevent PHI disclosure, and how they will report a breach of PHI if one were to occur. BAAs define liability in the event of a breach. Both you and your client will sign it and agree that whichever party is responsible for the breach will ultimately be held liable for the breach.
A business associate agreement must be executed prior to any PHI being shared, transmitted, or maintained between covered entities and business associates. If a BAA is not implemented and PHI is still being shared, both you and your client are at risk of a HIPAA violation and serious financial risk in the event of even a small-scale data breach.
According to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), if there is no BAA established by either organization involved, it will be considered a violation of the HIPAA Privacy and Security Rule.
HIPAA violations can have a significant impact on your business’ reputation and can be avoided by implementing an effective HIPAA compliance program.
Business Associate Agreements Done Right
Here at Compliancy Group, we simplify business associate management with our web-based compliance tracking solution, The Guard™. The Guard provides users with the necessary tools they need to manage their business associate agreements, vendor audit questionnaires, annual tracking, and everything else that the law requires for HIPAA compliance.
Our Compliance Coaches™ guide our users through the entire process. They are always on call to help you confidently address your federal HIPAA requirements so you can focus on running your business.
Find out how Compliancy Group can help your business grow today!