13 Nov How to Sell HIPAA Compliance Services to Non-Healthcare Companies
HIPAA (Health Insurance Portability and Accountability Act of 1996) is nothing new for healthcare organizations. The legislation ensures patient data is secure and kept private due to its sensitive nature. Therefore it’s an obvious and natural concern for the 800,000 or so organizations across the U.S. delivering healthcare services as their primary function (defined as “covered entities” under the law).
However, HIPAA rules apply to a much broader cohort, many of whom may not even realize they’re also required to be HIPAA compliant. Since 2013 (after the Omnibus Rule went into effect), any company dealing with PHI (Personal Healthcare Information) is also responsible for following the same rules and is also subject to penalties if they’re found to be out of compliance.
These “business associates” include lawyers, accountants, answering services, transcription services providers, and document storage or disposal companies. Any entity that touches PHI qualifies, yet many of these organizations are unaware of their responsibilities and the risks they face by ignoring compliance issues.
All told, there are 2 million business considered business associates under the law, while only a fraction has taken the necessary steps to be HIPAA compliant.
The cloud doesn’t protect them
A common misconception among the business associates that are aware HIPAA compliance applies to their organization is that utilizing cloud services provides adequate data security protection. Their thinking is that if things are in the cloud – and the cloud services provider is HIPAA compliant – then nothing is “local” so their own networks and devices don’t count.
While cloud services definitely reduce potential weak points in PHI protection, they are not by themselves fully adequate in the eyes of the law. For example, most cloud services allow for data exports, and once that data is extracted there’s nothing stopping it from falling into the wrong hands.
This export capability means their environments must be secure and comply with HIPAA standards, including locking down who has access to export capabilities, protecting the local network and securing credentials to prevent unauthorized access to both the cloud service and the company’s own systems.
Bringing these issues up with customers may seem awkward, as they likely contracted with an MSP so they wouldn’t have to worry about this type of thing. But ignoring the dangers is a disservice to customers and puts both organizations at risk. Their potential liability of up to $1.5 million per year warrants having that conversation.
For example, Best Medical Transcription exposed the data of 1,654 patients from Virtua Medical Group. Best Medical Transcription (since shut down as a result) was subject to a $200,000 fine as a business associate and the owner was barred from owning a business in New Jersey for life. This is on top of the $418,000 fine Virtua had to pay.
MSP customers don’t want to pay huge fines or cause their clients to owe money as well. Plus, the reputational damage to everyone involved can have major consequences.
Another wrinkle is that healthcare organizations must have Business Associate Agreements in place with any vendor they contract with that could have access to any PHI. Before those organizations sign one of those agreements, they’ll want to know the vendor is compliant.
This provides another proactive sales opportunity for MSPs. Not only can they offer HIPAA compliance services to companies actively working with healthcare organizations, but MSPs can target companies that might want to enter that market in the future, pitching HIPAA compliance as table stakes to close any deals of their own.
Explaining to prospects or current customers that purchasing HIPAA compliance services will help them win business is a far more appealing pitch than relying on scare tactics and fears of fines.
Attacking the business associate HIPAA compliance market
MSPs have much to offer business associates, as maintaining HIPAA compliance is even more complicated when PHI is stored digitally. Here are some steps to make the most of the opportunity:
- Start with yourself – Before offering HIPAA compliance services, make sure your own environment is fully compliant. This will protect you from any fines and increase your familiarity with the standards. Remember, if you have healthcare organizations as customers, YOU are a business associate. And if you have business associates as customers, you could also be at risk if you’re handling PHI. For example, SAManage USA provided cloud-based IT support to WEX Health and was hit with a $264,000 fine for exposing 660 Social Security numbers in a publicly accessible spreadsheet.
- Research your customer base – Figure out which customers could potentially be business associates. Start with what type of services they provide, then dig deeper into their clientele. Don’t be afraid to pick up the phone or schedule a meeting to investigate potential opportunities.
- Formalize your offering – Create a standard package of HIPAA compliance services. Luckily for MSPs, there are great off-the-shelf products that automate HIPAA compliance auditing and reporting, such as RapidFire Tools’ Compliance Manager for HIPAA.
- Educate and inform – Many current and potential business associates may be unaware or misinformed about their responsibilities when it comes to protecting PHI and the potential liabilities. Don’t expect them to already know what they need; instead, get a sense of their level of familiarity with the situation. Leverage your role as a trusted adviser and not just a vendor.
- Fill your funnel – With 2 million business associates out there, MSPs have no shortage of prospects to target. Concentrate on the niches most likely to be dealing with PHI.
Compliance services are a very lucrative business for MSPs, with margins at nearly 300 percent of other types of MSP services. Offering them and aggressively expanding into the market can be a great growth driver and defensive bulwark. Remember, if you don’t offer them to your customers, someone else will.
Ready to increase profitability and add more value to your customer relationships? Request a demo of Compliance Manager for HIPAA today.