Guest Column | September 30, 2015

MSPs: You Must Be HIPAA Compliant Too

By Cam Roberson, Director of the Reseller Channel for Beachhead Solutions

The Health Insurance Portability and Accountability Act (HIPAA) is a complex law, to put it mildly. It contains no shortage of tricky nuances that any business dealing with medical patients’ personal health information (PHI) must understand and adhere to in order to remain in legal compliance (and thus avoid potentially devastating enforcement actions). Unfortunately, these same businesses often struggle to gain a firm grasp on precisely how HIPAA requires them to behave in all phases of their operations. Because ignorance of the law is no excuse or protection, many of these businesses contract technology solution providers, which they entrust to implement and maintain HIPAA-compliant practices. However, in what amounts to a Catch-22 in the HIPAA law, any HIPAA-covered entity is actually required to ensure that its technology providers are HIPAA compliant as well, even though it may — and often does — rely on these providers for the totality of its understanding of HIPAA in the first place.

Under HIPAA regulations, any “business associate” — defined as someone who has or has had access to the patient health data of a HIPAA Covered Entity — must be under a business associate agreement (BAA). Under this BAA, the business associate needs to follow the medical organization’s requirements for patient data security. That is to say, the covered entity (whether a hospital, medical practice, insurance provider, etc.) must make sure their business associates are HIPAA-compliant — specifically, the provisions of HIPAA’s Security Rule which require covered entities and their business associates to implement appropriate technology measures (including encryption) to secure PHI. 

In addition to technology providers, examples of business associates that must be covered by a BAA include those performing medical claims processing, data analysis, quality assurance, billing and collection, practice management, legal services, accounting, and consulting. Of course, the very fact that medical organizations look to their trusted technology providers for guidance on how to become HIPAA compliant shows that many are unsure what their own obligations are under HIPAA, let alone aware of their need to ensure that the MSPs and others they work with are also fully compliant.

The BAA itself legally establishes the responsibilities of the parties involved, enumerating which uses of PHI are allowed and what protections the business associate must employ to prevent PHI breaches. HIPAA also requires that the BAA legally obligate the business associate to report any unauthorized use or breach of PHI, that any subcontractor of the business associate is also legally bound by these terms, and that upon termination of the BAA the business associate must see that all PHI is either returned or destroyed. I would argue that any MSP working with a medical organization regulated by HIPAA should make certain to engage in a BAA, and take steps to see that it (as a business associate) is just as HIPAA compliant as its client. However, based on our research, this often isn’t the case. By failing to heed this requirement of HIPAA, many MSPs are leaving themselves exposed to the same fines and penalties that could be levied against the clients whose data they are trying to protect. And with HIPAA fines often reaching five figures for a single violation, HIPAA enforcement can be severe enough to put a medical practice or an MSP out of business.

The best practice for an MSP is to take the lead proactively in committing to a BAA with any HIPAA-covered client, and in ensuring that both parties live up to HIPAA’s stringent guidelines. For MSPs, informing a client of its responsibilities when enlisting a technology provider, and implementing earnest legal and technological safeguards to keep all involved on HIPAA’s good side, should be standard practice. MSPs that do right by HIPAA, their clients, and themselves by properly executing these safeguards may find that this amounts to a competitive differentiator as well: offering their knowledge and their willingness to place themselves under a HIPAA-compliant contract — one clients wouldn’t have even known to ask for — is a powerful sign of professionalism and trustworthiness.

Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.