Guest Column | March 17, 2016

Reducing Legal Risk Of MSPs Working With Healthcare Clients

By Jon Senger, CTO, Vertiscale and healthcare IT and security advisor to MSPs

Recent regulations in the healthcare market have serious implications for MSPs and their healthcare clients, but the right compliance strategy can add value for everyone.

MSPs Under The Microscope

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2010 widens the scope of patient privacy and security protections under HIPAA. It increases the potential legal liability for non-compliance and results in more enforcement. It also requires that third parties who have access to protected health information (PHI), including MSPs, sign Business Associate Agreements that make them liable to fines as well.

In 2013, the Department of Health and Human Services' Omnibus Rule enhanced privacy protections and strengthened the government's ability to enforce the law.

Risk And Reward
Due to the increase in legislation, MSPs are inclined to back away from dealing with healthcare clients rather than address the operational and technology challenges presented by delivering HIPAA compliant services. While this may be a valid risk avoidance strategy, MSPs that take this approach are ignoring a significant revenue channel. The healthcare market is gigantic and it keeps growing, and MSPs that gear up, educate themselves, and recognize that HIPAA, HITECH, and the Omnibus Rule create new and lucrative business opportunities will outpace their competition.

The new rules mean that MSPs need to do more than implement simplistic "documented risk" mitigation strategies. Pursuing such a strategy not only exposes them to potentially large fines and costly litigation, it also leaves their business vulnerable to competing MSPs that take HIPAA seriously.

The Office for Civil Rights (OCR) is charged with enforcing HIPAA laws, and it has already begun issuing fines of up to seven figures in the wake of data breaches and other violations. If an MSP is hit with a fine, there are two distinct effects: the direct monetary cost of the fine itself, legal fees, and staff time; and the reputational damage, which can be irreparable and lead to mass defections of clients.

There are clear benefits to MSPs that choose to address the healthcare market properly, and those MSPs that can understand and implement secure infrastructure will have a distinct advantage. There are many thousands of SMB healthcare providers, including doctor’s offices, dental practices, nursing homes, vision care centers, mental health clinics, and chiropractors that need IT services. A properly positioned and equipped MSP can take market share away from competitors and grow profitably while minimizing or even eliminating the risks.

EHR Systems Are Just The First Step
To be successful, MSPs must be proactive in educating their clients and prospects about the HIPAA laws and about the steps they can take to protect themselves. For example, many providers believe that implementing a cloud-based, HIPAA-compliant Electronic Health Record (EHR) system makes their practice HIPAA compliant. While this is a step in the right direction, the EHR is only one of the many software systems used in any modern medical practice. All systems containing PHI, or having access to PHI, including underlying EHR infrastructure, shared storage, email systems, peripherals, etc., must be secured and managed with a HIPAA-compliant technical strategy to avoid legal risks and fines. Simply ensuring the physical security of servers and client devices containing PHI and controlling electronic access to them (perhaps using VPNs to support remote workers) is not sufficient.

Identify Comprehensive HIPAA Solutions
MSPs who have made healthcare a part of their go-to-market strategy should look to software that makes deploying a fully HIPAA-compliant IT infrastructure efficient and cost effective. There are numerous options today that handle individual components of the compliance puzzle, including encryption, logging, and application publishing systems, but, since they are generally designed for enterprise deployment rather than for the multi-site, multi-tenant operations typical of MSPs, these solutions often come at a high cost in terms of the time required to implement them, training fees, and licensing. New targeted Software-as-a-Service offerings, like Vertiscale (www.vertiscale.com), provide comprehensive solutions that eliminate piecemeal integrations and provide the combination of capabilities MSPs need in order to provide healthcare customers with truly secure, HIPAA-compliant IT infrastructures.

Spending time now to learn about alternatives and select the right technologies will position an MSP to grow profitably and thrive within the healthcare industry. Thanks to these new tools, it’s relatively easy to convert what might have been perceived as a segment too risky to do business with into a major growth sector for any MSP willing to make that investment.