The New HIPAA Rule That Requires MSPs to Comply
The wait is over and the clock is ticking for MSPs working with healthcare customers. The Department of Health and Human Services (HHS) last month issued the final omnibus rule governing patient data protection under the Health Insurance Portability and Accountability Act (HIPAA). Nearly a year ago, HHS sent the final rule to the Office of Management and Budget for review. The rule was expected to get the green light last year, but finally surfaced January 17.
The upshot for MSPs? The final rule covers “business associates” as well as healthcare organizations such as hospitals, physician practices and health plans. Mike Semel, president and chief compliance officer at Semel Consulting, which specializes in HIPAA compliance, said the business associate category includes companies that work with healthcare organizations and have access to patient data.
Semel said some MSPs he speaks with express surprise when they find out they may be classified as a business associate. Service providers, he noted, may not handle patient data as a core part of their businesses, but could nevertheless stumble upon such information. For example, an MSP with a help desk operation and the ability to link to a healthcare provider’s computer remotely could end up seeing patient data, Semel noted. In another scenario, an MSP could come across protected information while migrating data from a physician’s laptop to a larger drive.
Semel’s company has been working to get the word out to MSPs.
Getting Past Denial, Shock
“Part of this is getting past the denial stage,” Semel said of his outreach efforts. “Some of these guys went into shock when we explained to them what a business associate is.”
Another new wrinkle in the final rule: companies that store protected health information — regardless of whether they actually view it — are now considered business associates.
The new rule states that “a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”
That language suggests that MSPs offering remote backup services could be business associates.
MSPs that function as business associates must follow the same compliance steps as a covered healthcare organization. Semel said those requirements include policies, written procedures, end user training and proof of HIPAA compliance. Business associates also enter into contracts — referred to as business associate agreements — with their healthcare customers. By signing such a pact, the business associate agrees to safeguard protected health information.
A Hefty Penalty
HHS said that penalties for noncompliance can run up to $1.5 million per violation. So, there’s ample incentive for MSPs to determine whether they fall within HIPAA’s regulations and pursue the necessary compliance measures if they do. Healthcare organizations and business associates have 180 days to comply with the final rule.
HIPAA, however, may represent more than a regulatory obligation for service providers. Semel said MSPs can sell security services to help get their customers HIPAA compliant. Indeed, a HIPAA service featuring continuous compliance tracking could prove a business opportunity for a managed security services provider.