Guest Column | November 13, 2017

Why Healthcare Orgs Should Demand MSPs That Are Wise To HIPAA's Nuances

HIPAA Rules With VARs

By Cam Roberson, Director of the Reseller Channel, Beachhead Solutions

There tend to be two paths to go when learning any lesson: the easy way and the hard way. In cases involving compliance with the Health Insurance Portability and Accountability Act (better known as HIPAA), the easy way for a healthcare organization to learn the nuances of the law is to be led by a smart MSP with extensive HIPAA expertise. Alternatively, the hard way is actually easy at first: simply ignore the detailed responsibilities of HIPAA, do your best, and wait for the data breaches, government audits, and substantial fines to arrive.

To be clear, HIPAA is a needed set of regulations: it keeps private information about our personal health protected, and we all want that. While it’s full of good rules, it’s also full of complexity – and necessarily so. No one would accuse HIPAA of being simple to understand, and, unfortunately, this means that HIPAA-covered organizations with the best of intentions can end up out of compliance with the law, merely out of ignorance of the responsibilities placed upon them. They say what you don’t know can kill you, and it’s certainly true if you’re talking about a small or medium-sized business hit with fines due to HIPAA violations. It’s normal for these penalties to be in the mid-five figures, a blow that even large companies would have trouble absorbing, and often a knockout punch for many smaller ones.

Here’s a major example that demonstrates HIPAA’s complexity, and why selecting an MSP with HIPAA expertise is so necessary for organizations covered by the law. Note that this includes any organization that handles the protected health information (PHI) of patients – and such organizations commonly rely on managed service providers to supply the technology solutions needed to safeguard this information and ensure HIPAA compliance. A complex rule within HIPAA requires that any MSP with access to (or even the ability to access) PHI held by a HIPAA Covered Entity (CE) must itself be HIPAA-compliant in its own practices. However, the party responsible for making sure the service provider complies with HIPAA is the CE – the organization that in all likelihood hired the MSP precisely because it has no HIPAA expertise internally. If the hired MSP fails to comply with HIPAA, the CE is in as much trouble as it would be if it had violated HIPAA directly. In reality, it’s unimaginable that a CE that has hired an MSP to address its HIPAA needs would have any idea about this responsibility, let alone how to ensure that the MSP itself is HIPAA-compliant.

MSPs with deep HIPAA expertise, however, do understand this situation, and ought to be the ones to address it. Another relevant aspect of HIPAA is that it requires any “business associate” of a CE to establish a formal business associate agreement (BAA). This BAA is a legally binding document that specifies exactly how a business associate handles the PHI it can access, as well as the solutions – such as data encryption and other capabilities – that are used to achieve HIPAA compliance. Because MSPs are the knowledgeable party in these situations, they should take the initiative and offer any HIPAA-covered client a BAA that obligates the MSP to see to its own HIPAA compliance, thereby ensuring that the client fulfills its responsibility of MSP oversight (a responsibility it likely would never have known it had).

An MSP responsible for data security and HIPAA compliance should also be sure to inform and help the client address the full scope of the law’s business associate rules. These require a BAA and HIPAA-compliant practices from not just technology providers but any associate handling PHI, including providers of billing and collections, claims processing, data analysis, accounting, legal services, and others (such as subcontractors). Under HIPAA, the BAA must also require that the business associate report any incidents where data is breached or used without authorization, and must return or destroy all data at the conclusion of the agreement.

HIPAA compliance remains a greater challenge than most organizations probably realize, but MSPs that attack this lack of understanding head-on do themselves and their clients a valuable service. By offering a robust BAA up front and explaining the agreement’s critical importance, an MSP can distinguish itself as deeply knowledgeable, trustworthy, and proactive in meeting needs the client didn’t know it had. Embracing the BAA and the role of HIPAA expert benefits both the MSP and its clients by ensuring that both understand what to expect, and how to stay on HIPAA’s good side.

About The Author
Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company offering a PC and Mobile Device encryption service platform for MSPs.