Here’s what compliance looks like for ePHI and the role MSPs can play in helping clients achieve and maintain HIPAA compliance.

6 Min Read
Getting Hip to HIPAA

HIPAA has been around since 1996, but most people’s understanding is limited to a vague notion of protecting private information and having to constantly sign waivers when they check in for a doctor’s appointment. But the Health Insurance Portability and Accountability Act has far wider implications than just some extra signatures in the waiting room–it also represents a major opportunity for MSPs.

Although HIPAA’s original purpose was largely related to the ability to change jobs and health insurance without losing coverage or impacting medical care, the HIPAA Privacy and Security Rules are very relevant for the IT side of the house. Compliance with the privacy rules went into effect in 2003–along with it the definition of Private Health Information (PHI)–and medical organizations became responsible for protecting “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, HIPAA regulations got serious about “ePHI” (electronic versions of private health information), and organizations were now on the hook for adhering to additional safeguards specifically around administrative, physical and technical aspects of patient data stored electronically. When the Final Omnibus Rule went into effect in 2013, organizations were truly on the hook for compliance and faced serious financial penalties for breaches. This turned the tide for medical organizations as compliance became much less expensive than the potential fines they might face, not to mention criminal charges in more egregious cases.

ePHI Compliance

Let’s break down exactly what compliance looks like for ePHI and explore what role MSPs can play in helping clients achieve and maintain compliance.


This area covers the various policies and plans required to ensure an organization is following the rules. This includes:

  • Employee training-A defined, followed and documented schedule for making sure all employees understand the policies and awareness of identifying potential malware and attacks.

  • Third-party access limits-Guarding against partners and subcontractors gaining access to ePHI, as well as ensuring business associate agreements are in place with any individuals or firms that will have access to ePHI as part of their agreed upon role.

  • Conducting risk assessments-Identifying all areas where ePHI is utilized, along with any potential areas where a breach could occur.

  • Risk management policy-Regularly scheduled risk assessments, along with a sanctions policy for employees found out of compliance.

  • Contingency planning and testing of the plan-How to continue operations during an emergency without compromising the integrity and security of ePHI.

MSPs have an opportunity to serve as a trusted advisor for the administrative compliance aspects of ePHI. Providing education, training, boilerplate templates and best practices, MSPs can reduce the time and energy required for medical organizations to put these processes and procedures into place.

This represents a one-time revenue opportunity for setting things up and ongoing revenue opportunities for periodic training and refreshes. Most importantly, it creates a deeper relationship with clients—one that goes beyond pure technology. Compliance can be overwhelming for medical offices more interested in servicing patients than deciphering regulations and securing their IT systems, so a helpful MSP willing to go the extra mile can be seen as a gamechanger.


Although most entities are worried about breaches and malware entering their systems via the Internet, the physical world also represents its own share of threats. The tasks of protecting devices, servers and facilities from natural and environmental hazards, as well as unauthorized entry and access, are also part of the HIPAA regulations.

While MSPs aren’t likely to be responsible for guarding medical offices and hospitals from these threats, they similarly apply to an MSP’s own facilities along with anywhere else that might be hosting sensitive data. To meet expectations, every location dealing with this information requires plans for disaster recovery, a facility security plan to prevent unauthorized access, person-level or role-based security access (so people only have access to what they require to do their particular job), and a full record of all maintenance activities for the facilities themselves, even renovations and changing the locks. Similar guidelines should be followed regarding physical access to servers.

Devices and media storage also require special care. If a device is being disposed of or reused, it must be completely wiped of all data. Additionally, there must be a record of any transfer of data from one device to another and documentation as to where any ePHI is present. And any data backups or storage–regardless of whether they are on a physical device or are cloud-based—require a contingency plan for removal and storage in the case of a physical incident.


MSPs may offer the most value to their customers when it comes to compliance with the technical aspects of ePHI data protection.

  • Data transmission-Organizations dealing with ePHI must ensure that any data sent or received is properly encrypted to prevent breaches or “sniffing” of this sensitive information that could compromise its integrity. This includes both the implementation of secure transmission and training staff to ensure they’re using it properly.

  • Authentication and access control-Access to ePHI data must be closely safeguarded to both keep it from falling into the wrong hands and to maintain its integrity. Viewing or manipulating any ePHI data by patients or staff must be controlled to ensure only authorized individuals can view, alter or destroy anything. Systems for encrypting and decrypting ePHI should also be put in place and routinely evaluated for their resilience and sufficiency.

  • Auditing-Any access, alteration or destruction of ePHI must also be fully documented and auditable back to the individual. Policies should also be in place in the event of an employee violation.

A Big Undertaking, a Bigger Opportunity

The previous overview merely scratches the surface of the full scope and complexity of protecting ePHI and achieving HIPAA compliance. For medical organizations and the firms that support them, it represents a significant undertaking and ongoing commitment to adhere to these regulations and avoid the significant penalties that accompany a lack of compliance.

Although essential to their daily operations, the skills, technical acumen and organizational bandwidth needed to ensure compliance with HIPAA regulations typically isn’t present outside of the largest operations and health systems. Yet every single health care provider, health plan and health care clearinghouse is subject to them, spanning tens of millions of employees across tens of thousands of organizations.

MSPs can therefore offer tremendous value to clients in these industries by not only managing essential technical services but also by partnering with them to become and remain HIPAA compliant. These value-added services represent a huge revenue opportunity for MSPs while also promising a healthy ROI for customers desperate to avoid the steep penalties for failing to comply.

For MSPs looking to leverage HIPAA compliance to grow their customer base in the medical industry and offer additional services to current clients, there are tools that can simplify and scale the compliance process. Kaseya Compliance Manager, for example, includes automation of assessments, risk analysis, network scanning and compliance report generation. Coupled with a consulting-oriented approach to assisting organizations with adopting and following best practices, MSPs can increase their monthly recurring revenue with these offerings while creating long-term customer relationships based on providing these essential services.

Joining Kaseya in 2012, Miguel Lopez brings over 20 years of experience to his role as SVP, Managed Service Providers (MSPs). In this position, he consults daily with MSPs to help them solve their clients’ business problems with technology solutions. Prior to joining Kaseya, Miguel served as the director of consulting services for All Covered, a nationwide technology services company that is a division of Konica Minolta Business Solutions USA Inc. In 2008, All Covered acquired NetCor Technologies, a leading MSP that Miguel founded and managed since 1997. NetCor specialized in serving highly regulated industries such as healthcare, CPAs, law firms and retail companies.

This guest blog is part of a Channel Futures sponsorship.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like