HIPAA Compliance and CaaS for MSPs:
5 Things to Be Aware of
Managed Service Providers (MSPs) that work with clients in the healthcare industry have an obligation to be HIPAA compliant. Under the Health Insurance Portability and Accountability Act (HIPAA), MSPs are considered business associates (BAs). The Department of Health and Human Services (HHS) recently released new guidelines for business associate HIPAA compliance. HIPAA law mandates that organizations working in healthcare must implement administrative, technical, and physical safeguards to secure protected health information (PHI). PHI is any individually identifiable health information, such as name, date of birth, address, payment information, or health condition, to name a few. Healthcare organizations need MSPs to help them navigate the technical aspect of the requirement. MSPs offering Compliance-as-a-Solution (CaaS) have the ability to service healthcare clients in a comprehensive manner.
What is HIPAA for MSPs?
- HIPAA fines can put an MSP out of business
As previously stated, MSPs with even one healthcare client need to be HIPAA compliant. In recent years, HIPAA fines have increased in frequency as well as cost. With new state privacy laws, an MSP in violation of HIPAA can be fined at both the federal and state level for the same incident. The HHS has recently renewed its efforts to come after business associates for non-compliance. With the average HIPAA fine at $1.5 million, one violation can easily put an MSP out of business, and that doesn’t even factor in the other costs associated with a breach and reputational damage.
- HIPAA risk assessments validate MSPs’ advanced security offerings
Not only is an annual HIPAA risk assessment required by law, it allows organizations to identify their gaps concerning HIPAA compliance. A risk assessment is essentially a list of questions regarding security practices around protected health information (PHI).
Many of the gaps identified by a risk assessment are related to technology security. Small to medium-sized businesses do not generally have a dedicated IT staff. As such, many organizations need the assistance of an MSP to close their gaps.
MSPs offering Compliance-as-a-Solution (CaaS) will differentiate their firm. CaaS allows MSPs to standardize their stack, while allowing for recurring revenue. HIPAA compliance is an ongoing process that needs to be addressed by any organization working in healthcare. Entering into the healthcare vertical and offering CaaS will allow an MSP to make the transition to a Business Solutions Provider (BSP).
- MSPs are responsible when clients are not HIPAA compliant
A large portion of recent HIPAA fines are the result of “willful neglect.” The HHS will no longer accept the excuse that an organization did not know that they needed to do something to be HIPAA compliant. An MSP is seen as a trusted advisor that healthcare clients will turn to for advice on securing PHI. Healthcare organizations don’t understand the technological requirements of HIPAA. MSPs must ensure that their healthcare clients are HIPAA compliant, with all of the necessary safeguards in place to protect PHI.
- MSPs must ensure that their clients have encryption
Although encryption is not mandated by HIPAA, it is the only effective way to secure PHI. Organizations are not fined for lost devices, but when an unencrypted device containing PHI is lost, the Office for Civil Rights (OCR), the enforcement arm of HIPAA, will fine the organization. The HHS expects organizations to encrypt devices but does not mandate it, instead stating that organizations must have “reasonably appropriate” measures in place to protect PHI. It is therefore an MSP’s responsibility, as a trusted advisor, to ensure that healthcare clients encrypt their data.
- “Evidence of Compliance” through proper documentation
Part of being HIPAA compliant is the ability to prove that an organization identified their security risks and created remediation plans to mitigate the identified risks. Offering Compliance-as-a-Solution (CaaS) allows an MSP to provide this documentation for their clients. CaaS covers all aspects of HIPAA regulatory requirements, including documentation of efforts. In the event of a data breach and subsequent HIPAA audit, documentation will prove an organization’s “good faith effort” towards HIPAA compliance.
Do You Want to Add CaaS to Your Stack?
Compliancy Group’s cloud-based software platform, The Guard™, gives you the tools you need to change the way you do business. Compliancy Group’s Compliance Coaches™ guide you through our Achieve, Illustrate, Maintain™ methodology, simplifying compliance and enabling you to confidently focus on your business. MSP partners have exclusive access to marketing and sales support teams. You don’t need to know anything about HIPAA compliance to take on healthcare clients; we manage your healthcare clients for you.