HIPAA (Health Insurance Portability and Accountability Act of 1996) is nothing new for healthcare organizations. The legislation ensures patient data is secure and kept private due to its sensitive nature. Therefore, it’s an obvious and natural concern for the 800,000 or so organizations across the U.S. delivering healthcare services as their primary function (defined as “covered entities” under the law).
However, HIPAA rules apply to a far broader spectrum of companies, many of whom may not even realize they’re required to be HIPAA compliant. Since 2013 (after the Omnibus Rule went into effect), any company dealing with PHI (Personal Healthcare Information) is responsible for following the same rules and is subject to penalties if found to be out of compliance.
These “business associates” include law firms, accounting firms, transcription service providers, and document storage or disposal companies. Any entity that touches PHI qualifies, yet many of these organizations are unaware of their responsibilities and the risks they face by ignoring compliance issues.
All told, there are more than 2 million businesses considered “business associates” under the law, while only a fraction have taken the necessary steps to be HIPAA compliant.
The cloud isn’t protection
A common misconception among businesses that are aware HIPAA compliance applies to their organization is that utilizing cloud services provides adequate data security protection. Their thinking is that if things are in the cloud – and the cloud services provider is HIPAA compliant – then nothing is “local” so their own networks and devices don’t count.
While cloud services reduce potential weak points in PHI protection, they are not by themselves fully adequate in the eyes of the law. For example, most cloud services allow for data exports, and once that data is extracted there’s nothing stopping it from falling into the wrong hands.
This export capability means environments must be secure and comply with HIPAA standards, including locking down who has access to export capabilities, protecting the local network and securing credentials to prevent unauthorized access to both the cloud service and the company’s own systems.
Uncomfortable truths
Bringing these issues up with management or clients may seem awkward, but ignoring the dangers is a disservice and puts everyone at risk. A potential liability of up to $1.5 million per year warrants having that conversation.
Best Medical Transcription exposed the data of 1,654 patients from Virtua Medical Group. Best Medical Transcription (since shut down as a result) was subject to a $200,000 fine as a business associate and the owner was barred from owning a business in New Jersey for life. This is on top of the $418,000 fine Virtua had to pay.
Nobody wants to pay huge fines or cause their clients to owe money as well. Plus, the reputational damage to everyone involved can have major consequences.
How MSPs can profit from the HIPAA compliance market
MSPs have much to offer business associates, as maintaining HIPAA compliance is even more complicated when PHI is stored digitally. Here are some steps to make the most of the opportunity:
- Start with yourself – Before offering HIPAA compliance services, make sure your own environment is fully compliant. This will protect you from any fines and increase your familiarity with the standards. Remember, if you have healthcare organizations as customers, YOU are a business associate. And if you have business associates as customers, you could also be at risk if you’re handling PHI.
- Research your customer base – Figure out which customers could potentially be business associates. Start with what type of services they provide, then dig deeper into their clientele. Don’t be afraid to pick up the phone or schedule a meeting to investigate potential opportunities.
- Formalize your offering – Create a standard package of HIPAA compliance services.
- Educate and inform – Many current and potential business associates may be unaware or misinformed about their responsibilities when it comes to protecting PHI and potential liabilities. Don’t expect them to already know what they need; instead, get a sense of their level of familiarity with the situation. Leverage your role as a trusted adviser and not just a vendor.
- Fill your funnel – With 2 million business associates out there, MSPs have no shortage of prospects to target. Concentrate on the niches most likely to be dealing with PHI.
IT is the key to managing compliance
Whether you manage IT for a company with ties to the medical industry or have clients with similar ties, HIPAA regulations are here to stay and keeping yourself and others HIPAA compliant isn’t optional. Compliance Manager GRC makes the compliance process easier and provides guidance and support for HIPAA and a variety of other regulatory standards.
Want to find out more about Compliance Manager and how it can help you manage HIPAA compliance and other mandated regulations? Request a demo of Compliance Manager GRC today.
