Don’t Let Lack of HIPAA Compliance Make Your Business Sick

HIPAA compliance services are an extremely profitable value-add you can provide to your customer base.

Kaseya Guest Blogger

December 4, 2019


There are millions of American companies that don’t realize they have a HIPAA compliance problem. They’re not doctors’ offices, medical labs, hospitals or insurance companies, so many falsely believe HIPAA doesn’t apply to them.

HIPAA, after all, is shorthand for the Health Insurance Portability and Accountability Act of 1996, so if your core business isn’t delivering healthcare-related products such as insurance, it may be easy to think you’re in the clear. But this moniker is misleading.

Since 2013, a new Omnibus Rule extends HIPAA regulations to any company handling personal healthcare information (PHI). Known as business associates, they must sign agreements with any partners or customers in the healthcare space with which they do business. This makes them subject to the same rules that have been governing healthcare organizations for decades, even if they didn’t know it.

Education and Opportunity

For an MSP, HIPAA compliance services are an extremely profitable value-added offering you can provide to your customer base. Offering HIPAA compliance requires that you provide a portfolio of specific offerings.

  • Automated assessments – HIPAA compliance isn’t something that’s ever “complete.” It requires an ongoing commitment to securing PHI, and that includes ongoing assessments to identify any personal healthcare data lurking in any aspect of a client’s digital ecosystem and ensuring it is secure.

  • Spotting problems, offering solutions – Regular scans identify any potential vulnerabilities and recommend courses of action to shore up potential soft spots.

  • Automatic documentation – In the event of a breach or other non-compliant event, the ability to provide proof that preventative measures were taken is a huge plus and can lead to major mitigation of fines and penalties.

  • Audit readiness – When an auditor comes knocking, MSPs and their clients must be fully prepared to hand over all required evidence and documentation they’ll be asked to provide.

However, before you extend HIPAA compliance services into this vast and largely untapped market, you must first make your clients aware of the problem they must address. This requires proactive sales efforts that are as much an informational overview to bring attention to the problem as they are a pitch on an actual solution.

So many of these companies have no idea that they’re supposed to be complying with HIPAA. These SMBs include accounting firms, payment processors, law firms, and even document storage and disposal companies.

These organizations are definitely not delivering healthcare services, but they are handling Personal Healthcare Information (PHI) that falls under the umbrella of HIPAA. Regardless of why a company might deal with this data, it is still responsible for handling it as meticulously as a hospital might.

Scare Tactics

When it comes to hammering this point home, it’s a good idea to emphasize the stick versus the carrot. The fines and penalties for HIPAA violations can be quite lofty, not to mention the reputational damage that comes with a violation making the headlines.

Since these companies previously were not conscious of their legal obligations in this department, referring to comparable examples is a good tactic to inject some urgency into the conversation. Offering up case studies of how companies in the same line of business have been subject to fines and negative repercussions following a HIPAA violation is a great way to “scare them straight” on the subject. Seven-figure fines are typically a pretty good motivation to invest in upfront protection from these liabilities.

Preparing for the Attack

To effectively go to market, you need a plethora of resources to make a scalable, professional entry into the HIPAA compliance space. Many of these have nothing to do with your technical capabilities or acumen.

It begins with the pitch and the supporting materials needed throughout the sales cycle. This includes marketing strategies, positioning, pricing guidance, and sales training on how to create urgency and overcome objections. You will also need a plethora of content, from email templates to landing pages to sales presentations.

Extensive training for your sales teams and customer-facing personnel is another area of emphasis. These individuals must become well-versed in the subject matter and familiar with what it takes to close compliance-related deals (or extend current engagements to include compliance services).

Once the ink is dry, you need to figure out how to offer high-quality compliance services efficiently to maximize profitability. And post-implementation, MSPs must also develop playbooks for how to conduct quarterly business reviews to reinforce the value they’re providing and identify additional opportunities to grow their book of business.

Developing this arsenal of training and materials isn’t typically the strong suit of MSPs, who rightfully are focused on delivering excellent service to their customers and building on their expertise in providing a wide array of outsourced IT functions. That’s why Kaseya developed its Power Services 2.0 offering, which is essentially a go-to-market-in-a-box, pre-baked solution that MSPs can leverage and customize as needed.

Separate Offering, Same Platform

To offer compliance services while maximizing margin, MSPs can adopt solutions that integrate directly with their existing management tools or, better yet, are a fully embedded feature of their core management platform. A solution such as Kaseya Compliance Manager (which is a fully featured extension of our VSA platform) offers several benefits.

First, it makes compliance part of the day-to-day operations for your clients. Staff members don’t have to switch to different applications or dashboards to check on compliance-related items, because compliance is fully embedded in their core view. Additionally, staff training is simplified because it’s a common interface. And, from an overhead perspective, it’s one fewer tool to manage, upgrade and maintain.

Making it easy for staff to use means it’s easier to offer HIPAA compliance services to as many clients as possible without increasing costs. That makes the incremental MRR even more valuable, since the additional training and staffing costs are far lower than for a stand-alone offering.

Compliance as Table Stakes

While current customers may or may not be clamoring for compliance services such as HIPAA, PCI or GDPR, their ability to ignore these industry standards is short-lived at best. Enforcement is surging, fines are climbing, and SMBs are suffering the consequences when high-profile data breaches tarnish their names and jeopardize their businesses.

MSPs have much to offer, if they can only keep up! Leverage the tools and solutions custom-made for MSPs to thrive! Even if your customers aren’t demanding them today, they’ll be non-negotiable before you know it.

Max Pruger is General Manager, Compliance, Kaseya.

This guest blog is part of a Channel Futures sponsorship.
