MSP Blog Logo

BDR

Business Growth

Cybersecurity

Help Desk

MDM

RMM

Sales & Marketing

Subscribe

Empowering Your MSP Business to Grow and Prosper—One Post at a Time

5 Ways to Improve Your MSP Service Level Agreement (SLA)

Featured Post

5 Ways to Improve Your MSP Service Level Agreements (SLAs)

SLAs are the foundation of your MSP business. They are essential to building strong client relationships and must be clear, reasonable and well-constructed.

Read Now

HIPAA Compliance Checklist - Updated for 2016

Posted May 20, 2016by Brandon Garcin

HIPAA (Health Insurance Portability and Accountability Act) compliance is designed to protect patient privacy and set standards for how medical records can be shared and how they must be safeguarded. HIPAA compliance isn’t just for those directly within the healthcare industry, however - in fact, nearly anyone dealing with electronic Protected Health Information (ePHI) including doctors, hospital technicians and yes, the healthcare Managed IT Services Providers (MSPs) who manage hospital computers and networks in the cloud are required to be HIPAA compliant.

What does that mean for YOU?

For MSPs, HIPAA compliance is a very serious matter, and should be treated with the gravity it deserves. In fact, if your MSP is chosen to be audited by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) and you are found to be noncompliant, you may be served penalties ranging from up to $50,000 per violation, and up to $1.5 million per year across all HIPAA violation categories. That type of penalty can severely hurt your MSP’s bottom line, so ensure that you’re always HIPAA compliant. And the best way to stay compliant is with our ultimate HIPAA Compliance Checklist.

 

3 Core Components of the HIPAA Security Rule

Recent rule changes to HIPAA compliance means that all Business Associates (BAs) are now subject to the requirements of the security rule, including risk analysis, implementation of security procedures, training and having a breach response plan in place. At its core, the HIPAA compliance security rule can be broken down into three distinct components:

Physical safeguards - This means actually and physically protecting your facility and servers - locking doors, using access badges to get into secure areas, and with surveillance cameras monitoring. Most compliance experts suggest that one of the best physical safeguards you can have is simply controlling access of the ePHI, based on job functions.

Technical safeguards - These safeguards govern the electronic access to the ePHI within the cloud networks that your MSP is managing. Some key components of this to include in your HIPAA compliance checklist include:

  • Access control - each user requires a unique ID and password

  • Multi-factor identification - all electronic logins require multiple pieces of data to sign in, such as an auto-generated PIN number

  • Encryption on everything - encryption scrambles your ePHI so that those records can only be accessed by people who hold the encryption key. This should include all data in motion, using a TLS-secured connection to access records in the cloud, and should ideally be end-to-end encryption.

  • A comprehensive backup and disaster recovery plan - Much of HIPAA compliance is centered around security and prevention, but there is a component that includes what to do when disaster strikes. Your BDR plan should consist of disaster declarations, a detailed disaster list, data backup and alternate site guides, and a ePHI recovery plan.

 

Learn more about the right backup and disaster recovery solutions for your MSP!

 

Administrative safeguards - This sounds like a lot of paperwork (cue the groans from your MSP technical staff) but this type of training, process-implementation and documentation is actually some of the most important aspects of getting HIPAA compliance right. Some recommended administrative safeguards to include in your HIPAA compliance checklist include:

  • Signing Business Associate Agreements (BAAs) with all your partners. The term Business Associates (BAs) has expanded in recent years to include anyone who transports, stores or processes ePHI, any subcontractors or subcontractors under a subcontractor, no matter how far downstream from the original entity, and all third-party data and document storage companies.

  • Listing out each business associate and set out rules for what data they have access to and what to do in case of accidental disclosure.

  • Making sure all your MSP employees understand data security, create strong passwords, and avoid inadvertently downloading malicious software or sending sensitive data in unsecured emails.

  • Creating a process for auditing data and controlling how that data is preserved, changed or destroyed

  • Creating systems to prevent leaks

  • Reviewing all changes at least once a year

 

Other Considerations for Your HIPAA Compliance Checklist

The three aforementioned safeguards - physical, technical and administrative - are a great start to ensuring that your MSP is fully HIPAA compliant, but there are always additional measures to take to really feel like you are no longer at risk of uncovering a breach during an audit.

Compliance experts suggest conducting a risk analysis in accordance with the National Institute of Standards and Technology (NIST) guidelines. The NIST produces Standard Reference Materials (SRM) that you can refer to when conducting your risk assessment.

MSPs should also maintain as many credentials as possible. While there is no official HIPAA compliance certification or seal of approval, the presence of other certifications (SSAE-16, SOX, PCI DSS) within your MSP or hosting provider will indicate that you have a high level of security and compliance expertise, and reassure your healthcare partners that you will never be in breach.

Service-level agreements (SLAs) are also an important part of staying HIPAA compliant between you and your partner. One great way to improve your SLAs is to have more precise terms, especially in offering guaranteed response times for routing changes, security threats and non-critical additions.

Finally, along with security rules, HIPAA compliance also entails several privacy rule obligations. This includes having an accounting of disclosures available, all PHI to be kept in a designated record set and the cooperation with all compliance investigations performed by the OCR.

 

HIPAA compliance is no laughing matter, and using this HIPAA compliance checklist to ensure your MSP and its partners remain fully compliant at all times is a great way toward staying out of the hot spotlight of OCR audits, avoid paying hefty fines and maintaining your reputation as an expert in security and compliance.

View Continuum's Statement of Compliance!  


hippa-compliance-managedit-healthcare

Brandon Garcin is Continuum's Senior Content Strategist, and is responsible for the creation and execution of a variety of resources designed to win new business and support existing customer accounts. He has authored more than a dozen eBooks which have generated thousands of downloads, and has consulted with hundreds of Continuum partners to help improve their marketing and lead generation efforts through website optimization and content development. Brandon is also the host of The Weekly Byte, a video and audio series produced by Continuum that provides quick, digestible tips and best practices that MSPs can use to help their business succeed.

RMM 101: Must-haves for Your IT Management Solution
MSP Guide to Managed Services SLAs  [white paper]
comments powered by Disqus