Everything You Know About HIPAA Is Changing: An Early Look at How to Prepare Your MSP

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The newly proposed HIPAA policy changes could have significant impacts on how MSPs and IT teams remain compliant with regulations.

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required.
  • Require written documentation of all Security Rule policies, procedures, plans and analyses.
  • Add specific compliance time periods for many existing requirements, including an audit of security controls at least once every 12 months.
  • Require the development and revision of a technology asset inventory and a network map at least once every 12 months.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written risk assessment.

Why upcoming HIPAA policy changes matter to MSPs:

If you support healthcare companies, you will need to help them meet the new list of security, compliance and audit controls in 2025. Healthcare companies that historically have not seen an ROI on security or compliance are going to be forced to comply with the new HIPAA policy changes in order to remain licensed, get insurance, or be paid by Medicare/Medicaid. Healthcare buyers are going to start asking about HIPAA, compliance services and security upgrades like penetration testing.

What should MSPs be doing to prepare:

This is the time to design and market a healthcare-specific offering to meet your clients’ needs, expand your business and manage risk. Evaluate your ability to properly assess network compliance and provide risk management solutions to your clients. Consider implementing solutions like Compliance Manager GRC to automate key components of compliance. Explore new security tools to help you design HIPAA-compliant solutions for your customers, staying ahead of the trend before your competitors sell into your book of business.

Kaseya works hard to stay ahead of these changing regulations to make sure you can deliver automated and integrated solutions to meet these standards. Discover how you can master infrastructure audits, compliance and risk management with Kaseya’s Audit & Compliance Solutions.
