Ever since the Health Insurance Portability and Accountability Act (HIPAA) went into effect in the United States over a decade ago, small and medium-sized healthcare organizations and the MSPs that serve them have struggled to comply.
With new rules coming out regularly, the compliance process becomes more rigorous all the time. No matter how familiar you think you are with HIPAA, you could probably stand to learn a bit more: the rules are complex and subject to change. (Note that while HIPAA rules the roost in U.S. healthcare, there are similar regulations the world over.) If you are not familiar with HIPAA, now is the time to get acquainted. Noncompliance leaves you liable for serious penalties and for loss of reputation and business.
HIPAA is about much more than just compliance. The reason for compliance in the first place is to safeguard patient data, and breaches of that data are very real. Proper HIPAA protections can stop most of them.
To get you started, here are 8 business and legal HIPAA terms every healthcare organization and service provider should know.
- Business Associates (BAs) are partners, such as MSPs, that have access to patient information. BAs must be HIPAA-savvy and must always remain in compliance.
- Covered Entities (CEs) are providers that offer health treatment or services and generally collect payment for them.
- Due Diligence helps ensure compliance. When a healthcare organization is found to be non-compliant, the answer is not just a blanket penalty. Mitigating circumstances and the organization's behavior come into play. If the organization and its BAs have exercised due diligence, the penalties are far lower, perhaps as little as $100 per incident.
- Electronic Protected Health Information (ePHI) is Protected Health Information (PHI) in electronic form. HIPAA covers PHI whether in paper or electronic form.
- Healthcare Clearinghouses are organizations, such as billing companies, that handle health information and often transfer it to a standardized form or format for easier use.
- Health Information Technology (HIT) is technology specifically designed for healthcare; it includes solutions meant to ensure HIPAA compliance. Larger healthcare operations that handle their own IT may have a dedicated HIT administrator.
- Reasonable Cause, like due diligence, demonstrates that the organization has acted in good faith. In most reasonable-cause findings, steps have been taken to meet the regulations but one area needed for compliance is missing or not addressed. Fines here start at $1,000 per incident and are usually well below the $50,000 maximum. Repeated incidents can be fined at a far higher rate.
- Willful Neglect is the worst-case category of violation. If an organization is found to have ignored HIPAA but corrects the issue, fines start at $10,000 per incident. If the organization does not correct its error, minimum fines start at $50,000 per incident and quintuple for repeat offenses.
The Technology Answer
These days there is plenty of technology to make organizations of all sizes secure and compliant, and ready to defend themselves in the case of a HIPAA incident. PCs and servers must be protected from viruses and malware. That requires good antivirus and anti-malware tools, but also the ability to discover every device that needs protection and to install security software on it easily. At the same time, all machines need to be current on patches and software updates, a job best handled by an automated solution paired with network and device discovery. Access to devices and files must also be carefully controlled through policies and solid password management. Finally, should an organization run afoul of HIPAA, its best defense is a record of who had access to what, and when, gathered into one easy-to-digest report.
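The "who accessed what, and when" record is the piece of that paragraph a practitioner can actually build, so here is an added example of what such a report looks like in code. This is illustrative code written for this article, not Kaseya's or any vendor's product: the role policy, the user-to-role mapping and the access log lines are all constructed for the example, and the log format (timestamp, user, action, record class, record ID) is an assumption. The script joins each logged access against the policy and flags any access the user's role does not permit, which is the evidence an auditor asks for after an incident.

```python
"""Audit ePHI access events against a role policy (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime

# Constructed role policy: which classes of ePHI each role may read.
# The MSP admin (a Business Associate) may manage hosts but reads no records.
POLICY = {
    "physician": {"chart", "lab_result", "billing"},
    "nurse": {"chart", "lab_result"},
    "billing_clerk": {"billing"},
    "msp_admin": set(),
}

# Constructed user directory: account -> role.
USERS = {
    "dr.lee": "physician",
    "nurse.kim": "nurse",
    "j.patel": "billing_clerk",
    "msp.ops": "msp_admin",
}

# Constructed access log. Assumed format: <UTC timestamp> <user> <action> <record class> <record id>.
LOG = """\
2023-03-01T08:02:11Z dr.lee READ chart PT-1042
2023-03-01T08:05:40Z nurse.kim READ lab_result PT-1042
2023-03-01T09:15:03Z j.patel READ billing PT-1042
2023-03-01T09:16:27Z j.patel READ chart PT-1042
2023-03-01T22:48:55Z msp.ops READ chart PT-2210
2023-03-01T23:01:09Z unknown.user READ chart PT-2210
"""


def parse_log(text):
    """Parse log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_class, record_id = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "record_class": record_class,
            "record_id": record_id,
        })
    return events


def audit(events, users=USERS, policy=POLICY):
    """Return (report, violations).

    report: user -> list of (timestamp, action, record class, record id), i.e.
            who accessed what and when.
    violations: list of (user, record id, reason) for accesses outside policy,
            including accounts that are not in the user directory at all.
    """
    report = defaultdict(list)
    violations = []
    for e in events:
        report[e["user"]].append((e["ts"], e["action"], e["record_class"], e["record_id"]))
        role = users.get(e["user"])
        allowed = policy.get(role, set()) if role is not None else set()
        if e["record_class"] not in allowed:
            if role is None:
                reason = "account not in user directory"
            else:
                reason = f"role {role} is not permitted to read {e['record_class']}"
            violations.append((e["user"], e["record_id"], reason))
    return dict(report), violations


def format_report(report, violations):
    """Render the audit result as plain text for an auditor."""
    lines = ["ePHI access report"]
    for user in sorted(report):
        for ts, action, record_class, record_id in report[user]:
            lines.append(f"  {ts:%Y-%m-%d %H:%M:%S}Z  {user:<13} {action:<5} {record_class:<11} {record_id}")
    lines.append(f"Policy violations: {len(violations)}")
    for user, record_id, reason in violations:
        lines.append(f"  {user} -> {record_id}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*audit(parse_log(LOG))))
```

Run as-is, the constructed log yields three violations: the billing clerk reading a chart, the MSP administrator reading a chart, and an account that does not exist in the directory. The last case matters most in practice: an access by an unknown account is exactly the kind of event that the discovery and inventory tooling described above is meant to make visible.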
Kaseya and HIPAA Compliance
As you can see, being a successful HIPAA-compliant healthcare provider or MSP takes a lot of work, study, and a large dose of the right technology. You need a comprehensive endpoint management platform to make it all possible. VSA by Kaseya is that platform, at a surprisingly affordable price. With VSA by Kaseya you can:
- Discover, audit, inventory, and monitor every system and software component, with all operational details
- Simplify and automate patch management, based on your predefined patch policies and schedules to minimize network impact
- Access and manage computers from anywhere at near-instantaneous connect times with extraordinary reliability, even over high-latency networks
- Deploy policy-based automation with proactive remediation to increase productivity and allow you to do more with your existing staff
- Gain insights into CPU, disk, memory, network bandwidth, files, logs and more — all from a single integrated console
Discover more about how VSA can help you address compliance challenges.
Kaseya AuthAnvil Access Management and Authentication
Controlling who has access to data goes a long way toward HIPAA compliance. Single sign-on (SSO) and multi-factor authentication (MFA) are key tools for keeping a lid on access to confidential information.
With MFA, an end user proves their identity in more than one way, for example with a fingerprint or with a piece of information only they would know. This type of access management and control is essential to keeping IT systems HIPAA-compliant.
Kaseya AuthAnvil is an industry-leading identity and access management (IAM) solution. It makes meeting audit and compliance requirements easier and simpler. In addition to SSO and MFA, AuthAnvil lets you track all activity, know the health of your passwords, and be informed when they are at risk of non-compliance. AuthAnvil's reporting analytics also let you monitor permissions and changes to ensure settings meet policy requirements.
For more information on SSO and MFA in AuthAnvil, visit https://www.kaseya.com/products/authanvil.