You May Be the Fall Guy
Your MSP business will likely find that the majority of its healthcare clients are small practices, the kind that are unlikely to be audited by those enforcing HIPAA. As a result, many of them won't be HIPAA compliant, but when something goes wrong the trail of breadcrumbs will lead to your MSP, and suddenly you've got the enforcing agency dogging your heels. That is only one reason your MSP needs to take HIPAA compliance seriously; there are many others.
For those who aren't familiar with HIPAA, it stands for the "Health Insurance Portability and Accountability Act." It has been in force since 1996 and is especially pertinent to how patient data is handled. With typical government overkill, the vast majority of HIPAA enforcement seems to revolve around meting out penalties to those who aren't compliant, rather than actually protecting the people the act was designed to safeguard. Remember: you can be penalized even if the individuals whose information was (in the eyes of those enforcing HIPAA) compromised haven't experienced any kind of loss, because the penalties attach to the failure of safeguards, not to demonstrated harm. When it comes to government agencies, you will find the trend is more about establishing a precedent for enforcement than actually providing protections. But that's life! So just consider some of the penalties that have been levied for not being HIPAA compliant:
- Millions in penalties for not erasing the hard drives in leased photocopiers before returning them
- Exceptionally dire penalties for "unsecured" online health databases
- Fines of more than a million dollars for failing to encrypt physicians' laptops
- Fines for posting patient appointments on publicly visible website calendars
- Millions in settlements for breaches affecting a single person's data
- Thousands in fines for a single stolen computer
- Fines for sending patient data over unencrypted email
- Thousands in fines for the loss of a single flash drive
Get In Compliance
Now, if your MSP business hasn't fully apprised clients of HIPAA compliance issues, you've got to. In HIPAA terms your clients are "covered entities," while you are a "business associate." The way the rules are written, penalties can be leveled at both of you if a regulator finds you're not in compliance, and since the 2013 Omnibus Rule business associates are directly liable for their own safeguards, not just for what their contract says. So what you've got to do is sit down, review all the applicable requirements, and ensure you fully inform your clients of the issues while fully safeguarding your MSP. You can't be held responsible if a client loses a laptop or a thumb drive that you never managed, but you can be held responsible if you haven't educated them about the risks of such devices and the controls (encryption, device management) that reduce them. Inform your clients, then note the date and document what was covered in the session. You can't control what every client does, but you can control, and document, your own responsibility in the matter.
To that end, several things you can do to help ensure your HIPAA compliance is up to par include:
- Apply encryption broadly, at rest and in transit
- Conduct security risk assessments
- Execute HIPAA business associate agreements (BAAs)
- Document everything (memos, memos, memos)
- Maintain a security incident response plan (SIRP)
If you've got everything properly encrypted, you'll be able to head off issues before they become issues. Under the Breach Notification Rule, protected health information that has been encrypted in line with HHS guidance is not considered "unsecured," so a lost laptop or flash drive whose contents were properly encrypted, with the key kept separate from the device, is generally not a reportable breach; the same device unencrypted is. This is the most basic means of ensuring that you've got your bases covered. Wherever encryption can be brought to the table, use it; it's best to be cautious and err on that side of the fence.
Next, you want to assess the security of your operations and those of your clients to find weaknesses. The HIPAA Security Rule requires a documented risk analysis, so keep the results. Wherever weaknesses are found, remediate them, and track the ones that remain. Then draft an agreement so that your clients understand where the weaknesses are and which corrective actions they are responsible for taking. This establishes documentation that covers you should the covered entity fail to comply with the agreement you previously established as its business associate. They may get fined if they don't comply, but you're not sucked into the penalty vortex.
A final measure of protection for your MSP business against HIPAA penalties is a SIRP, or Security Incident Response Plan. This is a means of keeping operations in compliance even when a security incident happens that was entirely unpredictable. Hacks, power outages, viruses, malware: these things can come out of nowhere, so plan ahead, and make sure the plan covers who determines whether an incident involves protected health information and who notifies the client, since breach notification deadlines start running from discovery.