Don’t Let Lack of HIPAA Compliance Make Your Business Sick
There are millions of American companies that don’t realize they have a HIPAA compliance problem. They’re not doctor’s offices or medical labs or hospitals or insurance companies, so many falsely believe HIPAA doesn’t apply to them.
HIPAA, after all, is shorthand for the Health Insurance Portability and Accountability Act of 1996, so if your core business isn’t delivering healthcare-related products such as insurance, it may be easy to think you’re in the clear. But this moniker is misleading.
Since 2013, a new Omnibus Rule extends HIPAA regulations to any company handling personal healthcare information (PHI). Known as business associates, they must sign agreements with any partners or customers in the healthcare space with which they do business. This makes them subject to the same rules that have been governing healthcare organizations for decades, even if they didn’t know it.
Education and Opportunity
As an MSP, HIPAA compliance services are an extremely profitable value-added service you can provide to your customer base. Offering HIPAA compliance requires that you provide a portfolio of specific offerings.
- Automated assessments – HIPAA compliance isn’t something that’s ever “complete.” It requires an ongoing commitment to securing PHI, and that includes ongoing assessments to identify any personal healthcare data lurking in any aspect of a client’s digital ecosystem and to ensure it is secure.
- Spotting problems, offering solutions – Regular scans identify any potential vulnerabilities and recommend courses of action to shore up potential soft spots.
- Automatic documentation – In the event of a breach or other non-compliant event, the ability to provide proof that preventative measures were taken is a huge plus and can lead to major mitigation of fines and penalties.
- Audit readiness – When an auditor comes knocking, MSPs and their clients must be fully prepared to hand over all required evidence and documentation they’ll be asked to provide.
However, before you extend HIPAA compliance services into this vast and largely untapped market, you must first make your clients aware of the problem they must address. This requires proactive sales efforts that are as much an informational overview to bring attention to the problem as they are a pitch on an actual solution.
So many of these companies have no idea that they’re supposed to be complying with HIPAA. These SMBs include accounting firms, payment processors, law firms, and even document storage and disposal companies.
These organizations are definitely not delivering healthcare services, but they are handling Personal Healthcare Information (PHI) that falls under the umbrella of HIPAA. Regardless of why a company might deal with this data, it is still responsible for handling it as meticulously as a hospital might.
When it comes to hammering this point home, it’s a good idea to emphasize the stick rather than the carrot. The fines and penalties for HIPAA violations can be quite steep, not to mention the reputational damage that comes with a violation making the headlines.
Since these companies previously were not conscious of their legal obligations in this department, referring to comparable examples is a good tactic to