Managed Service Providers and the HIPAA Privacy Rule

The basic definition of a managed service provider (MSP) is: A company that remotely manages a customer’s IT infrastructure, and/or end-user systems. IT Infrastructure is defined by ITIL (formerly known as the Information Technology Infrastructure Library) as “the sum of an organization’s IT related hardware, software, data telecommunication facilities, procedures, and documentation.” End-users are the people that a software program or hardware device are designed for – the “people sitting at the computer desks.” Managed service providers must be HIPAA compliant. Managed service providers and the HIPAA Privacy Rule is discussed below.

What Must Managed Service Providers Do to be HIPAA Compliant?

Managed service providers are recognized by HIPAA as business associates of their covered entity healthcare clients. An MSP is also regarded as HIPAA covered subcontractor, if that MSP provides a service to a company, which, in turn, provides a support service to a healthcare facility. In such situations, the MSP is regarded as a business associate of a business associate.

Whatever specific business associate role an MSP has, an MSP is required to comply with the HIPAA Privacy Rule and the HIPAA Security Rule, if the MSP stores data that consists of protected health information. HIPAA subjects business associates to fines if business associates are responsible for a breach of protected health information (PHI).

What Must MSPs Do to Comply with the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,
• the provision of healthcare to the individual, or
• the past, present, or future payment for the provision of healthcare to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (i.e., name, address, birth date, Social Security Number).

Business associates are subject to the same HIPAA Privacy Rule restrictions as are covered entities. That is, business associates may not use or disclose protected health information, except as the Privacy Rule permits or requires. 

Business associates, like covered entities, must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule. 

Business associates must also enter into business associate agreements (also called business associate contracts) with their covered entity clients. The contract must:

• Establish specifically what the business associate has been engaged to do
• Require the business associate to comply with HIPAA

In addition, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. Under the HIPAA minimum necessary standard, covered entities must make reasonable efforts to ensure that access to protected health information (PHI) is limited, per the HIPAA Privacy Rule, to the minimum amount of information necessary to fulfill or satisfy the intended purpose of a particular disclosure, request, or use.