Here’s what compliance looks like for ePHI and the role MSPs can play in helping clients achieve and maintain HIPAA compliance.

Getting Hip to HIPAA

HIPAA has been around since 1996, but most people’s understanding is limited to a vague notion of protecting private information and signing yet another form at the check-in desk before a doctor’s appointment. But the Health Insurance Portability and Accountability Act has far wider implications than a few extra signatures in the waiting room: it also represents a major opportunity for MSPs.

Although HIPAA’s original purpose was largely about letting people change jobs and health insurance without losing coverage or disrupting their medical care, the HIPAA Privacy and Security Rules are very relevant for the IT side of the house. Compliance with the Privacy Rule became mandatory in 2003, and with it came the definition of Protected Health Information (PHI): medical organizations became responsible for protecting “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, compliance with the HIPAA Security Rule became mandatory, and organizations were now on the hook for a set of administrative, physical and technical safeguards specifically for “ePHI” (protected health information that is created, stored, transmitted or received electronically). When the Final Omnibus Rule took effect in 2013, enforcement got teeth: it extended direct liability to business associates (including IT providers that handle ePHI) and finalized the tiered penalty structure introduced by the HITECH Act. This turned the tide for medical organizations, as compliance became much less expensive than the potential fines, not to mention criminal charges in the more egregious cases.

ePHI Compliance

Let’s break down exactly what compliance looks like for ePHI and explore what role MSPs can play in helping clients achieve and maintain compliance.

Administrative

This area covers the various policies and plans required to ensure an organization is following the rules. This includes:

  • Employee training: A defined, followed and documented schedule for making sure all employees understand the policies and can recognize potential malware and attacks.

  • Third-party access limits: Guarding against partners and subcontractors gaining access to ePHI they do not need, and ensuring business associate agreements (BAAs) are in place with any individual or firm that will have access to ePHI as part of its agreed-upon role.

  • Conducting risk assessments: Identifying every system and process where ePHI is created, stored or transmitted, along with the ways a breach could occur in each.

  • Risk management policy: Regularly scheduled risk assessments, remediation of the risks they find, and a sanctions policy for employees found out of compliance.

  • Contingency planning and testing of the plan: How to continue operations during an emergency without compromising the integrity and security of ePHI, with regular exercises to confirm the plan actually works.

MSPs have an opportunity to serve as a trusted advisor on the administrative side of ePHI compliance. By providing education, training, policy templates and best practices, MSPs can reduce the time and energy medical organizations need to put these processes and procedures into place.

This represents a one-time revenue opportunity for the initial setup and ongoing revenue for periodic training and refreshes. Most importantly, it creates a deeper relationship with clients, one that goes beyond pure technology. Compliance can be overwhelming for medical offices more interested in serving patients than in deciphering regulations and securing their IT systems, so a helpful MSP willing to go the extra mile can be seen as a game changer.

Physical

Although most entities worry about breaches and malware entering their systems via the Internet, the physical world carries its own share of threats. Protecting devices, servers and facilities from natural and environmental hazards, as well as from unauthorized entry and access, is also part of HIPAA’s physical safeguards.

While MSPs aren’t likely to be responsible for guarding medical offices and hospitals from these threats, the same requirements apply to an MSP’s own facilities and to anywhere else that hosts ePHI. Every location dealing with this information needs a disaster recovery plan, a facility security plan to prevent unauthorized access, role-based physical access (so people can only get into the areas they need for their particular job), and a record of maintenance and modifications to the facility’s security-relevant components, down to renovations and changed locks. The same rules apply to physical access to servers and network equipment.

Devices and media require special care too. Before a device is disposed of or reused, all ePHI on it must be securely wiped. There must also be a record of where ePHI resides and of any movement of hardware or media containing it, and a retrievable, exact backup of the ePHI should be made before equipment is moved. Backups and storage, whether on a physical device or in the cloud, need a contingency plan covering how they are secured, relocated and restored after a physical incident.

Technical

MSPs may offer the most value to their customers when it comes to compliance with the technical aspects of ePHI data protection.

  • Data transmission: Any ePHI sent or received over a network must be encrypted in transit (for example, with TLS or a VPN) so it cannot be intercepted or “sniffed,” and integrity controls must be in place so that tampering in transit can be detected. Under the Security Rule, encryption is an “addressable” specification, meaning an organization must either implement it or document why an alternative measure is reasonable; for data crossing a network there is rarely a defensible alternative. Compliance includes both implementing secure transmission and training staff so they actually use it, rather than, say, sending ePHI by unencrypted email.

  • Authentication and access control: Access to ePHI must be tightly controlled, both to keep it out of the wrong hands and to preserve its integrity. Whether the user is a patient or a staff member, viewing or manipulating ePHI must be restricted so that only authorized individuals can view, alter or destroy anything, and every user must have a unique identifier so that each action can be attributed to a specific person. Systems for encrypting and decrypting stored ePHI should also be in place and routinely evaluated for their resilience and sufficiency.

  • Auditing: Any access, alteration or destruction of ePHI must be logged and traceable back to the individual who did it, and those logs must be reviewed regularly, not merely collected. Policies should also be in place for responding to an employee violation.

A Big Undertaking, a Bigger Opportunity

This overview merely scratches the surface of the full scope and complexity of protecting ePHI and achieving HIPAA compliance. For medical organizations and the firms that support them, it represents a significant undertaking and an ongoing commitment to adhere to these regulations and avoid the steep penalties that accompany non-compliance.

Although essential to their daily operations, the skills, technical acumen and organizational bandwidth needed to ensure HIPAA compliance typically aren’t present outside of the largest operations and health systems. Yet every health care provider, health plan and health care clearinghouse is subject to the rules, as is every business associate that handles ePHI on their behalf, spanning tens of millions of employees across tens of thousands of organizations.

MSPs can therefore offer tremendous value to clients in these industries, not only by managing essential technical services but also by partnering with them to become and remain HIPAA compliant. These value-added services represent a huge revenue opportunity for MSPs while promising a healthy ROI for customers eager to avoid the steep penalties for failing to comply.

For MSPs looking to leverage HIPAA compliance to grow their customer base in the medical industry and offer additional services to current clients, there are tools that can simplify and scale the compliance process. Kaseya Compliance Manager, for example, includes automation of assessments, risk analysis, network scanning and compliance report generation. Coupled with a consulting-oriented approach to assisting organizations with adopting and following best practices, MSPs can increase their monthly recurring revenue with these offerings while creating long-term customer relationships based on providing these essential services.

Joining Kaseya in 2012, Miguel Lopez brings over 20 years of experience to his role as SVP, Managed Service Providers (MSPs). In this position, he consults daily with MSPs to help them solve their clients’ business problems with technology solutions. Prior to joining Kaseya, Miguel served as the director of consulting services for All Covered, a nationwide technology services company that is a division of Konica Minolta Business Solutions USA Inc. In 2008, All Covered acquired NetCor Technologies, a leading MSP that Miguel had founded and managed since 1997. NetCor specialized in serving highly regulated industries such as healthcare, CPAs, law firms and retail companies.

This guest blog is part of a Channel Futures sponsorship.
