Getting Hip to HIPAA

HIPAA has been around since 1996, but most people’s understanding is limited to a vague notion of protecting private information and having to constantly sign waivers when they check in for a doctor’s appointment. But the Health Insurance Portability and Accountability Act has far wider implications than just some extra signatures in the waiting room–it also represents a major opportunity for MSPs.

Although HIPAA’s original purpose was largely related to the ability to change jobs and health insurance without losing coverage or impacting medical care, the HIPAA Privacy and Security Rules are very relevant for the IT side of the house. Compliance with the privacy rules went into effect in 2003–along with it the definition of Private Health Information (PHI)–and medical organizations became responsible for protecting “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, HIPAA regulations got serious about “ePHI” (electronic versions of private health information), and organizations were now on the hook for adhering to additional safeguards specifically around administrative, physical and technical aspects of patient data stored electronically. When the Final Omnibus Rule went into effect in 2013, organizations were truly on the hook for compliance and faced serious financial penalties for breaches. This turned the tide for medical organizations as compliance became much less expensive than the potential fines they might face, not to mention criminal charges in more egregious cases.

ePHI Compliance

Let’s break down exactly what compliance looks like for ePHI and explore what role MSPs can play in helping clients achieve and maintain compliance.

 Administrative

This area covers the various policies and plans required to ensure an organization is following the rules. This includes:

• Employee training-A defined, followed and documented schedule for making sure all employees understand the policies and awareness of identifying potential malware and attacks.
• Third-party access limits-Guarding against partners and subcontractors gaining access to ePHI, as well as ensuring business associate agreements are in place with any individuals or firms that will have access to ePHI as part of their agreed upon role.
• Conducting risk assessments-Identifying all areas where ePHI is utilized, along with any potential areas where a breach could occur.
• Risk management policy-Regularly scheduled risk assessments, along with a sanctions policy for employees found out of compliance.
• Contingency planning and testing of the plan-How to continue operations during an emergency without compromising the integrity and security of ePHI.

MSPs have an opportunity to serve as a trusted advisor for the administrative compliance aspects of ePHI. Providing education, training, boilerplate templates and best practices, MSPs can reduce the time and energy required for medical organizations to put these processes and procedures into place.

This represents a one-time revenue opportunity for setting things up and ongoing revenue opportunities for periodic training and refreshes. Most importantly, it creates a deeper relationship with clients—one that goes beyond pure technology. Compliance can be overwhelming for medical offices more interested in servicing patients than deciphering regulations and securing their IT systems, so a helpful MSP willing to go the extra mile can be seen as a gamechanger.

Physical

Although most entities are worried about breaches and malware entering their systems via the Internet, the physical world also represents its own share of threats. The tasks of protecting devices, servers and facilities from natural and environmental hazards, as well as unauthorized entry and access, are also part of the HIPAA regulations.

While MSPs aren’t likely to be responsible for guarding medical offices and hospitals from these threats, they similarly apply to an MSP’s own facilities along with anywhere else that might be hosting sensitive data. To meet expectations, every location dealing with this information requires plans for disaster recovery, a facility security plan to prevent unauthorized access, person-level or role-based security access (so people only have access to what they require to do their particular job), and a full record of all maintenance activities for the facilities themselves, even renovations and changing the locks. Similar guidelines should be followed regarding physical access to servers.

Devices and media storage also require special care. If a device is being disposed of or reused, it must be completely wiped of all data. Additionally, there must be a record of any transfer of data from one device to another and documentation as to where any ePHI is present. And any data backups or storage–regardless of whether they are on a physical device or are cloud-based—require a contingency plan for removal and storage in the case of a physical incident.