A managed service provider (MSP) is an entity that remotely manages a covered entity's IT infrastructure and/or end-user systems. IT infrastructure is defined by ITIL (formerly known as the Information Technology Infrastructure Library) as "the sum of an organization's IT related hardware, software, data telecommunication facilities, procedures, and documentation." End-users are the people that a software program or hardware device is designed for, the "people sitting at the computer desks." A managed service provider that supports even one healthcare client that is a HIPAA covered entity must be HIPAA compliant. An essential part of this compliance consists of having MSP security incident response procedures in place before a cyberattack occurs, not after.
What Must Managed Service Providers do to be HIPAA Compliant?
Managed service providers are recognized by HIPAA as business associates of their covered entity healthcare clients. An MSP is also regarded as a HIPAA subcontractor (a business associate of a business associate) if it provides a service to a company which, in turn, provides a support service to a healthcare facility. The subcontractor MSP carries the same HIPAA obligations as a direct business associate.
MSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity are required to comply with the applicable provisions of the HIPAA Privacy Rule and with the HIPAA Security Rule, and are directly liable for those obligations. If an MSP is responsible for a breach of unsecured PHI, that MSP can be fined by the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).
What do MSP Security Incident Response Procedures Consist of?
MSP security incident response procedures are specific steps to take in response to a cyberattack. These steps include:
- The MSP must execute its response and mitigation procedures and contingency plans. In doing so, the MSP should immediately fix any technical problems to put a stop to the incident, and should take measures to mitigate any unauthorized or impermissible disclosure of PHI caused by the incident. The MSP may perform these functions with its own staff or may contract with an outside entity (for example, an incident response firm) to perform them. Such an outside entity is a subcontractor of the MSP business associate and is itself a business associate to the extent it has access to PHI, so a business associate agreement should be in place before it is given that access.
- The MSP should report the security incident or cyberattack to law enforcement agencies. These agencies may include state or local law enforcement, the Federal Bureau of Investigation (FBI), and/or the Secret Service. Reports submitted to these agencies should not include PHI unless the HIPAA Privacy Rule permits the disclosure. If a law enforcement official informs the MSP that a breach notification would impede a criminal investigation or cause damage to national security, the MSP must delay notification for the period specified in the official's written statement. If the official makes the request orally, the MSP must document the statement and the identity of the official, and delay notification for no longer than 30 days from the date of the oral statement, unless a written statement specifying a longer period is received during that time.
- The MSP should report all cyber threat indicators to federal agencies and to information sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. These reports should not include PHI.
- MSPs, as business associates, are subject to breach reporting obligations. A business associate of a HIPAA covered entity must report a breach of unsecured PHI to the covered entity without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to the business associate. Business associates may not unnecessarily delay notification. OCR advises that business associates issue breach notifications to covered entities promptly and provide further information on the individuals affected once the breach investigation has been completed.
- Under the terms of a HIPAA compliant business associate agreement (BAA), a business associate may be required to issue breach notifications to affected individuals on the covered entity's behalf. If the BAA imposes this requirement, the business associate must follow the HIPAA Breach Notification Rule's requirements for the content, timing, and method of notification to affected individuals.