Knowing HIPAA isn’t just important for healthcare work – it is an absolute requirement.
You must be provably HIPPA-compliant. An MSP can’t do any HIPAA-related work without being HIPAA compliant. The good news is that once you are certified you can vie for HIPAA contracts, and because you are credentialed and knowledgeable, you can charge a premium for your services.
1. Penalties are serious.
Huge healthcare operations all know HIPAA. They have to. They are the ones most impacted by the rules, and most likely to be subject to frequents audits. Smaller operations aren’t always prepared for the risks. But penalties are more than serious.
Here are just a few of the fines dished out in the United States in recent years:
- Affinity Health Plan paid $1.2 million because it didn’t erase the drives on its advanced photocopiers before returning them to the company that leased them.
- WellPoint didn’t secure an online health database and paid $1.7 million.
- The Massachusetts Eye and Ear Infirmary failed to encrypt physicians’ laptops and was hit with a $1.5 million fine.
- Phoenix Cardiac Surgery posted patient appointment on an online calendar and paid $100,000.
- A Walgreens in Indiana breached a single patient’s privacy and paid her $1.44 million.
- An Idaho-based hospice lost a laptop due to theft. The fine was $50,000.
- A medical practice in Phoenix sent patient data over insecure email, and was fined $100,000.
- A pediatric practice in Massachusetts lost a flash drive and settled for a $150,000 fine
- Another stolen laptop in Boston had the doctor paying $1 million.
- A lost backup drive cost the Alaska State Health Department $1.7 million.
This only scratches the surface. The HSS keeps an extensive list of violations.
2. Encryption is your friend.
HIPAA calls for all PHI data that is transmitted electronically to be protected, which is best done by strong encryption. In fact, if the data is strongly encrypted the MSP and client are pretty much immune from penalty if that data is somehow breached, or a lost device is already encrypted.
3. MSPs are responsible when clients run afoul of HIPAA.
Clients are known as covered entities and by definition are responsible for being in compliance with all aspects of HIPAA. MSPs that work with healthcare are called Business Associates and are just as responsible as the client themselves.
4. Your potential clients probably don’t care about HIPAA nearly as much as you do.
Very large hospitals and other big healthcare organizations care about HIPAA. And they can most afford to take HIPAA seriously, pay for the technology to support compliance, and train their workers. Unfortunately, the majority of small practices don’t much care about HIPAA – they haven’t been audited and don’t expect to.
Your job is to convince them otherwise. They need to know that a HIPAA fine could be financially devastating and ruin the trust between them and their patients – a real business crusher.Smaller healthcare organizations are most in need of MSP HIPAA services since they aren’t closely aligned with large insurance companies and hospitals.
5. The security assessment is the first major step in an MSP HIPAA engagement.
In some cases, an MSP may do a basic security assessment to convince a healthcare prospect that HIPAA compliance is actually important and they need outside help to achieve it. Once a client is hooked, a deep-dive security assessment will define what needs to be changed immediately, what new technologies should be put in place, and how MSP services such as RMM and authentication and access management can help achieve HIPAA compliance. With a rich-enough set of offerings, you’ll be able to sell Compliance-as-a-Service to healthcare – and hopefully beyond.
6. It pays to document.
HIPAA rules require that MSPs, as business associates, must document the protective measures in place for ePHI. These documents must be given to all staff and they should understand what they mean.
7. You need a HIPAA Business Associate Agreement (BAA).
The HIPAA Omnibus Final Rule required that Business Associates get BAAs with their clients, the covered entity. This basically says that the BA promises to stay in compliance with all HIPAA regulations and keep ePHI safe.
8. Encryption is a confusing aspect of the rules, but err on the side of caution anyway.
Encryption is one area where HIPAA isn’t completely explicit. Instead, the HHS talks about doing “what is reasonable and appropriate” to protect ePHI, and then says:
In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:
- Implement the addressable implementation specifications
- Implement one or more alternative security measures to accomplish the same purpose
- Not implement either an addressable implementation specification or an alternative
This basically says the healthcare player or BA must find an effective way to secure data. One of the biggest issues is data in transit. Here the only way to know the data is protected is to strongly encrypt it. So while HIPAA doesn’t specifically require encryption, encryption is the only reasonable and viable way to meet HIPAA demands that ePHI be always protected.
9. Why you want encryption anyway.
Chances are your risk assessment, even an early stage assessment, called for encryption. That makes it a need. Encryption can keep you out of trouble. Many HIPAA fines are due to lost or stolen devices containing ePHI. The good news is there are no fines for lost or stolen devices if the device is encrypted – you don’t even have to report it.
10. The risk assessment is your friend.
This is another great idea that is codified by the HIPAA Omnibus Ruling. The assessment is required for covered entities and Business Associates.
The assessment covers:
- Security policies relative to HIPAA
- An analysis of vulnerabilities, risks and system threats
- A plan for protecting and securing ePHI no matter where it is
11. You must have a security incident response plan (SIRP).
Also, a HIPAA need-to-have, a SIRP details and documents what will be done in the case of security breach or other security event. Part of this is tracking security events, hopefully to prove no successful exploits have taken place. In the event of an attack or breach (even just an attempt) you should document what happened, and the incident’s severity. Attacks of organizations with more than 500 employees, patients or partners must report the incident to HHS.
12. An MSP is the best defense in the case of an audit.
An audit is when a healthcare organization is vetted to make sure it is in compliance. The aim is to define the state of the organization and see what steps are needed to improve performance. These are supposed to be annual. Most healthcare organizations, even large ones, are not generally equipped to handle an audit, with all its complexity.
An MSP is best equipped for an audit because the MSP has put in place all the needed security measures. The MSP has all the event logs and reports on who accessed what and when through Remote Monitoring and Management (RMM).
13. Access safeguards and controls require a new approach to authentication and access management.
One of the biggest issues, in fact the crux of the HIPAA matter, is making sure only those with the proper authority can access ePHI and the systems that contain it. Information access management policies, and procedures are key to locking down unauthorized access to ePHI and other health data.
Learn more about HIPAA compliance and how to avoid pitfalls.