The Revelations of HIPAA Compliance Assessments


By Michael Mittel, RapidFire Tools GM

HIPAA presents a tremendous opportunity for MSPs to gain new customers and increase revenues through ongoing HIPAA compliance assessments. If you’re a managed service provider looking to increase or build your HIPAA compliance business, you should be aware of some of the most common pitfalls that healthcare companies face as they try to comply with the complex regulations. Here are some of the most typical and/or impactful problems that tools like Compliance Manager can reveal about healthcare data networks—and how managed service providers can help their customers address them:

Review Business Associates: All agencies that work with the healthcare organization (known as “Business Associates”) must be HIPAA compliant along with the healthcare organization itself. This includes accounting firms, financial services companies and resellers that work with the healthcare organization, including MSPs. Much of the industry still doesn’t realize that these ancillary partners to healthcare companies must be compliant in order to fulfill the legislation and truly secure electronic healthcare records. If you are an MSP, make sure that you comply with the HIPAA regulations . . . and make sure your healthcare clients ask you to review their business partners for HIPAA compliance as well.

Remove Former Employees: One of the first things healthcare network assessment reports often show is that ex-employees still have official access to the network. As with many business organizations, healthcare companies frequently add and drop employees. These companies must ensure that every former employee has been removed from the system, and can use a product like Compliance Manager to identify these unauthorized users.
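The check behind this finding is a reconciliation: every enabled account in the directory is compared against the HR list of separated staff, and accounts that nobody has used in a long time are flagged for review as well, since they are often the ones that belonged to people who left without a ticket being raised. The script below is an added example written for this post, not Compliance Manager code or a RapidFire Tools API; the account export, separation list and service-account allowlist are constructed sample data standing in for a real directory export and HR feed.

```python
"""Reconcile an identity-directory export against HR separation records.

Added illustration, not vendor code. All input data below is constructed;
in practice the account list would come from a directory export (for example
a CSV of users with their last-logon timestamps) and the separation list
from the HR system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on


# Constructed sample: directory export taken on the assessment date
ACCOUNTS: List[Account] = [
    Account("jdoe", True, date(2024, 3, 1)),        # active, recently used
    Account("asmith", True, date(2023, 11, 2)),     # separated but still enabled
    Account("bwong", False, date(2023, 6, 14)),     # separated and already disabled
    Account("mgarcia", True, date(2023, 9, 10)),    # still employed, but idle for months
    Account("svc-backup", True, date(2024, 3, 2)),  # approved service account
    Account("rlee", True, None),                    # enabled, never used
]

# Constructed sample: HR separations (username -> separation date)
SEPARATIONS: Dict[str, date] = {
    "asmith": date(2023, 11, 5),
    "bwong": date(2023, 6, 20),
}

# Constructed sample: non-human accounts reviewed under a separate process
SERVICE_ACCOUNTS: Set[str] = {"svc-backup"}

# Date the assessment is run against (constructed)
AS_OF = date(2024, 3, 5)


def find_stale_accounts(
    accounts: Iterable[Account],
    separations: Dict[str, date],
    service_accounts: Set[str],
    as_of: date,
    inactive_days: int = 90,
) -> Dict[str, List[str]]:
    """Return three sorted lists of usernames that need action.

    terminated_still_enabled: in HR's separation list but still enabled
    inactive_enabled:         enabled human account with no logon in inactive_days
    never_logged_on:          enabled human account that has never been used
    """
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],
        "inactive_enabled": [],
        "never_logged_on": [],
    }
    cutoff = as_of - timedelta(days=inactive_days)

    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to remediate here
        if acct.username in separations:
            # Highest priority: HR says this person left, yet the account works.
            findings["terminated_still_enabled"].append(acct.username)
            continue
        if acct.username in service_accounts:
            continue  # reviewed separately; a logon-age rule does not apply
        if acct.last_logon is None:
            findings["never_logged_on"].append(acct.username)
        elif acct.last_logon < cutoff:
            findings["inactive_enabled"].append(acct.username)

    for key in findings:
        findings[key].sort()
    return findings


def days_since_separation(username: str, separations: Dict[str, date], as_of: date) -> int:
    """How long a separated user's account has outlived their employment."""
    return (as_of - separations[username]).days


if __name__ == "__main__":
    report = find_stale_accounts(ACCOUNTS, SEPARATIONS, SERVICE_ACCOUNTS, AS_OF)
    for user in report["terminated_still_enabled"]:
        print(f"DISABLE NOW: {user} separated {days_since_separation(user, SEPARATIONS, AS_OF)} days ago")
    for user in report["inactive_enabled"]:
        print(f"REVIEW: {user} has not logged on in over 90 days")
    for user in report["never_logged_on"]:
        print(f"REVIEW: {user} is enabled but has never logged on")
```

Run quarterly and diffed against the previous run, the output doubles as the evidence of compliance the next section calls for: a separated user still appearing under "DISABLE NOW" across two assessments is exactly the kind of unaddressed finding an auditor will ask about.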

Perform Regular Risk Assessments: Compliance assessment audits, when conducted at least quarterly, reveal patterns and changes from one period to the next that 1) allow businesses to identify risk factors and questionable behavior more quickly, and 2) produce ongoing evidence of compliance for audit purposes, showing that the company has taken steps to remain compliant. Such documentation often helps companies avoid fines in the case of an audit.

Implement the Fix: Make sure your clients not only conduct compliance assessments, but take seriously the responsibility to address any issues they uncover. Leon Rodriguez is a former director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, the agency responsible for enforcing HIPAA and HITECH regulations. Rodriguez noted that the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis” was the area in which most healthcare companies suffer the most audit failures.

Savvy MSPs can keep these basic tenets in mind as they ramp up a HIPAA compliance practice, gaining the trust and loyalty of these healthcare entities in the process.