Magazine Article | November 13, 2013

What MSPs Need To Know About The Latest HIPAA Rules

By Nick Bruno, Chief Information Security Officer, Continuum Managed Services

The revised set of security and privacy requirements set out by the Department of Health and Human Services (HSS) in January came as a surprise to many, particularly the final omnibus rule that impacts not just healthcare organizations but also a number of their contractors. With that recent issuance, followed by the even more recent (and now passed) deadline for achieving HIPAA compliance, what does your enterprise need to know about the latest HIPAA rules?

Does HIPAA Apply to You?

So many managed services providers (MSPs), resellers, and cloud service vendors are scrambling to figure out whether or not they fall under the now-broad scope of HIPAA compliance. Luckily, the answer to this question isn’t complicated:

  • Any contractor or vendor (even third party) that handles patient data on the behalf of a healthcare organization needs to be compliant.

The HIPAA regulations call this segment “business associates,” and it’s better to err on the side of generous when deciding if you are considered one. Companies that were not required to become HIPAA compliant previous to this year may now be considered business associates, and have to ramp up their compliance standards.

What Does This Mean?

MSPs who do fall under the definition of business associates will be required to meet the same requirements for data protection and handling as actual healthcare providers:

  • Compliance with any and all aspects of the HIPAA Privacy Rule
  • Compliance with any and all aspects of the HIPAA Security Rule
  • Your healthcare clients (“covered entities,” according to HIPAA) will ask you to sign a business associate agreement (BAA)
  • In return, you must also have your vendors (third-party remote monitoring and management (RMM), professional service automation (PSA), or backup and disaster recovery (BDR) partners, data centers, etc.), sign BAAs to ensure their compliance as well.

In the past, too many MSPs relied on their clients to inform them whether or not HIPAA compliance would be needed as part of their managed services. The problem with this model is that far too many covered entities were unsure themselves of their responsibilities under HIPAA, let alone the technical requirements. However, if a covered entity were found in violation of HIPAA because of a security fault on the MSP end, only the customer was held liable, so MSPs didn’t hold their own compliance as a particular priority.

This is another big change for MSPs. The HIPAA updates now hold MSPs directly responsible and answerable in case of any guideline violations or noncompliance, and the fees involved are not to be taken lightly.

Protecting Patient Data

The healthcare technology field is changing rapidly; HIPAA updates are a proactive response to protecting electronic protected health information (ePHI). This clearly applies to healthcare organizations, whether public facilities or private practices, but also includes vendors and contractors like MSPs. The confidentiality and integrity of ePHI must be protected at all times and across all platforms without compromising availability. This applies during data creation, transmission or maintenance, including backup and storage.

MSPs who are considered business associates are also responsible for protecting ePHI from any anticipated threats or hazards that could impact the security of patient data. Although MSPs don’t handle patient files directly, their data centers may store this sensitive data; patient information may also be accessed during system support actions for clients.

The Office for Civil Rights within the HHS can directly audit any MSP that serves the healthcare vertical and hold them directly accountable for any data breach. Penalties for noncompliance can range up to $50,000 per violation and up to $1.5 million per year; as intimidating as the upgrade investment to achieve compliance may be, it’s still on the conservative side when noncompliance fines are taken into consideration. 

The Good News

While all of this may sound intimidating, the truth is that HIPAA compliance actually gives MSPs the perfect opportunity to position themselves as trusted advisors to any of their healthcare clients. After ensuring your own grasp on compliance requirements, try reaching out to your healthcare-based clients to see if they need any guidance. If they’re as uncertain about HIPAA as the rest of the healthcare industry, this gesture will be most welcome.

Conducting physical and virtual security audits, verifying protective elements like security access and end-user authentication, and ensuring that any patching and anti-malware solutions are in place and effective help ensure that you and your client are taking the right steps toward achieving compliance together.