By Derrick Wlodarz, FireLogic
If there’s one thing I still find to be an absolute truth about HIPAA, it’s that there is an endless supply of FUD (fear, uncertainty, and doubt) awash online and in networking circles. Part of that is slightly surprising, since we are north of half a decade into the ruleset that governs how Covered Entities (CEs) and Business Associates (BAs) are expected to uphold their technology and process baselines around ePHI.
Yet another part of me isn’t entirely shocked that so much confusion still surrounds HIPAA. Trigger-happy vendors gladly peddle products as “HIPAA Compliant” which, when I’ve personally vetted them, I have sometimes found to be fudging the truth in one way or another. No product is HIPAA compliant on its own: HHS does not certify products, and compliance is a property of how the CE or BA configures, operates, and documents the tool. Yet MSPs, along with their clients, stack these technology solutions into their portfolios at face value, flying under the false assumption that buying them is the end-all, be-all of compliance.
When it comes to HIPAA, what you don’t know (willfully or otherwise) can and will hurt your MSP and your clients’ organizations. Here are some tips to avoid falling victim to half-baked compliance.
Let’s face it. Many clients are already averse to discussing their HIPAA compliance gaps as they stand. Don’t make broaching the topic any worse. Meetings which focus on the solutions needed instead of stand-alone technology products fare much better in acceptance and overall understanding.
The problem with the technology in this arena is twofold. First, products such as backup/DR solutions are heavy with acronyms: gigabytes, RTO/RPO (recovery time objective and recovery point objective), and numerous other terms that confuse clients. Second, and most importantly, the more numbers you put in front of a client, the more places they will look for something to downsize. Don’t open a Pandora’s box that could have been avoided entirely.
Many IT service providers make the mistake of believing that every risk must be mitigated to meet HIPAA compliance. This is far from the case! While mitigation always sounds like the best course of action, remember that transferring risk (e.g. to a cyber-insurance provider) and accepting risk (e.g. where the control costs far more than the unlikely loss it prevents) are perfectly acceptable risk management techniques. The caveat is that an accepted risk is only defensible if the decision and its rationale are written down. The Security Rule lets you skip an addressable safeguard only when you document why it is not reasonable and appropriate and what you implemented instead, and an undocumented acceptance looks identical to neglect in an audit. The best tool for deciding how each risk should be categorized is an objective risk assessment, ideally performed by a third party.
Would you take a client into an IT infrastructure overhaul or server migration without a grounded plan of attack? HIPAA cleanup and remediation shouldn’t be treated any differently, and the first step of this process should be a wholesale risk assessment of the clients’ current standing.
Numerous third parties can handle this, including HIPAA Secure Now and Compliancy Group. Regardless of who you go with, a risk assessment is absolutely vital: the Security Rule requires one, and it establishes the current shortcomings of the IT strategy and underscores the areas that need improvement. Furthermore, a well-done risk assessment will rate each risk as high or low so that a cleanup plan can separate “need to have” from “nice to have” improvements.
Instead of using your opinion as justification for remediation, let a third party’s objective baseline be the guiding factor behind any quoted remediation plans. You’ll have to do far less “selling” and merely be supporting a vision that has already been laid out for you!
In the eyes of HIPAA enforcement, violations the client did not know about, and could not have discovered with reasonable diligence, carry the smallest fines in an audit or breach scenario. Move up the scale and you enter the territory of “willful neglect”, with the top tier reserved for cases where the organization knew of the problem and performed no actionable remediation. Fines at that tier can cripple a covered entity (CE) into bankruptcy.
It should go without saying that an MSP working with a client that has high-impact, high-probability risks on the table has only two realistic goalposts. Either the client is willing to address them through mitigation or transference, or they are not a client your MSP should be working with. MSPs that turn a blind eye to such items risk landing their own firm in hot water if the government comes in for an audit or, worse, the MSP gets wrapped up in a breach on behalf of its client. Remember that an MSP handling ePHI is itself a Business Associate and, since the 2013 Omnibus Rule, directly liable for its own Security Rule compliance, not merely liable to the client under contract.
Clients who prefer sticking their head in the sand are clients best left for the next guy.
Any MSP worth their salt can identify and implement compliance cleanup in the technical arena. But where most MSPs drop the ball is in the documentation. If your firm is ever pulled into an HHS (Department of Health and Human Services) audit, either directly or indirectly, having a clear and transparent documentation system is key.
Do you have established Business Associate Agreements (BAAs) with all of your HIPAA covered entity clients? Likewise, do you have BAAs with any downstream vendors that may touch PHI-designated client data (cloud backup, colo providers, etc.)? Is your technical team keeping concise ticketing records on all engagements where client systems are accessed and/or data may be exported from their premises? Can you easily produce runbooks that cover critical details like all vendors a client uses and their DR plans?
If you can’t answer a clear yes to every one of those questions, it’s time to re-evaluate how your HIPAA clients are managed. My MSP, FireLogic, leverages popular tools like Autotask PSA and ITGlue to meet these criteria with relative ease.
Working In the HIPAA Space Needs A Holistic Approach
It should be pretty evident that supporting clients in the HIPAA space requires a multi-faceted approach by MSPs. Whether it’s ensuring risk assessments are used as roadmaps or documentation processes are upheld with proper transparency, the MSP ready to play in the healthcare space is the one willing to admit that the usual winning formula absolutely needs tweaking here.
If you take away only one piece of wisdom from this article, remember: HIPAA itself is not a set of laid-out technical guidelines showing you exactly where to go. It is a technology-neutral framework that sets expectations for how processes, technology, and people handle ePHI, and it leaves the choice of specific controls to you.
How you solve that equation for your own MSP and your clients is entirely up to you.
About The Author
Derrick Wlodarz is President and Founder of Des Plaines, IL (USA) based Managed IT Service firm FireLogic. He has 13+ years of IT industry experience spanning the private and public sectors. His firm specializes in providing SMB clients with managed IT support, consulting, and training. Derrick is a long-serving member of CompTIA's Subject Matter Expert Technical Advisory Council that shapes the future of CompTIA exams across the world. In addition to being an IT industry speaker, his work has been academically published in The Journal For Social Era Knowledge. FireLogic is a partner of TBI, a master agent who assists partners through their upmarket technology and marketing needs so they can communicate their expertise.