Q: My MSP partners with clients that frequently work with sensitive medical data that falls under HIPAA protections. How can my MSP ensure that this data remains protected and that our clients are not subjected to penalties from HIPAA?
Despite the great business opportunity to work with healthcare organizations, many MSPs are hesitant to do so because of the presence of HIPAA regulations, the associated workload of maintaining compliance, and the threat of penalties should they be found in violation.
To help MSPs get a better understanding of HIPAA, we sat down with Mike Semel, Founder and President of Semel Consulting, and a former owner of a HIPAA-certified IT solution provider. Mike provided his observations on common mistakes and misconceptions that he sees MSPs make about HIPAA and suggested best practices that MSPs can utilize to maintain HIPAA compliance for their clients.
Common mistakes and how to avoid them
The biggest mistake is that some MSPs focus only on protecting server data, while clients and their end users have been saving data in other locations that don’t align with the formal data protection policies. That makes it difficult to back up the data and restore it should it be lost or compromised, to encrypt it against theft, and to keep it in the proper locations to prevent unauthorized access.
There are tools capable of scanning networks in search of data stored on medical devices that are not secure enough to be storing that data. Automated tools and policies can redirect folders to ensure data is sent and saved to the proper location. Automation is particularly valuable because it can minimize human error, both in this example and many others.
Another common mistake is when end users put sensitive files in their ‘Recycle Bin.’ This is such a critical mistake because users believe that putting these files in the Recycle Bin permanently deletes the data. Over time, these Recycle Bins amass a large amount of sensitive data that remains accessible to anyone who can reach the device. Setting a group policy to automatically empty the Recycle Bin when the device restarts is an easy fix.
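As an added example (not from the article or from Semel Consulting), the PowerShell script below implements that Recycle Bin control as a Group Policy computer Startup script: running as SYSTEM at boot it inventories and empties every user's Recycle Bin on each fixed drive and appends a log line, so the MSP has evidence that the control ran. The log path and the -ReportOnly switch (inventory without deleting) are this example's own assumptions.

```powershell
<#
  Added example, not the article's own script. Deploy via GPO:
  Computer Configuration > Policies > Windows Settings > Scripts > Startup.
  Runs as SYSTEM, so it can reach every user's $Recycle.Bin\<SID> folder.
#>
[CmdletBinding()]
param(
    [string]$LogPath = "$env:ProgramData\MSP\recyclebin-cleanup.log",  # assumed path
    [switch]$ReportOnly   # inventory only, delete nothing (use first when piloting)
)

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Fixed disks only (DriveType 3); removable media and network shares are out of scope here
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object -ExpandProperty DeviceID

foreach ($drive in $drives) {
    $binRoot = Join-Path $drive '$Recycle.Bin'
    if (-not (Test-Path -LiteralPath $binRoot)) { continue }

    # One hidden subfolder per user SID; S-1-5-21-* keeps well-known/system SIDs out
    Get-ChildItem -LiteralPath $binRoot -Directory -Force |
        Where-Object { $_.Name -like 'S-1-5-21-*' } |
        ForEach-Object {
            $sidFolder = $_
            $files = Get-ChildItem -LiteralPath $sidFolder.FullName -File -Recurse -Force `
                -ErrorAction SilentlyContinue
            $count = ($files | Measure-Object).Count
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            if (-not $bytes) { $bytes = 0 }

            if (-not $ReportOnly -and $count -gt 0) {
                # Remove everything under the SID folder; Windows recreates what it needs
                Get-ChildItem -LiteralPath $sidFolder.FullName -Force -ErrorAction SilentlyContinue |
                    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
            }

            # One line per user per drive: evidence for the compliance file
            $action = if ($ReportOnly) { 'report' } else { 'emptied' }
            $line = '{0:s} host={1} drive={2} sid={3} files={4} bytes={5} action={6}' -f `
                (Get-Date), $env:COMPUTERNAME, $drive, $sidFolder.Name, $count, $bytes, $action
            Add-Content -LiteralPath $LogPath -Value $line
        }
}
```

Run it once with -ReportOnly across a client site before enforcing it; the file counts and sizes in the log document how much data was sitting in Recycle Bins, which is exactly the exposure the paragraph above describes.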
Prove that your MSP knows what they need to protect
A common misconception is that only healthcare organizations are required to be HIPAA compliant. In reality, any organization that handles healthcare information is required to be HIPAA compliant, not just organizations that explicitly or solely deal with healthcare. For example, an accounting or law firm, or an MSP, that is working with a doctor’s office must also be HIPAA compliant.
Many MSPs worry about HIPAA regulations because they feel it is difficult to comply with, but in most cases, that is not true. An easy way to remain compliant is to set up a program that provides clear guidelines for how medical data should be handled and ensures that those handling the data are doing so responsibly.
Keep documentation that shows you have policies and procedures in place to maintain clients’ compliance. As an added measure, make sure everyone on your help desk has been trained to handle medical data properly. Once an MSP sets its HIPAA-compliant standards and practices for its clients that deal with healthcare information, those same standards can be applied across all clients, regardless of industry. This provides consistency and reduces the chance of error as technicians work across different clients.
Don’t over-complicate things
MSPs should not position themselves as general HIPAA experts (unless they are one), but instead as a provider that is itself HIPAA compliant. Remaining compliant is a constant journey that requires regular audits of the MSP’s clients. The frequency of those audits depends on the size of the client and the amount of medical data it handles.
Learn more about HIPAA to protect yourself and your clients who may be unaware of everything that HIPAA is relevant to. Also, provide training to help clients operate in a HIPAA-compliant fashion.
The last tip is simple: don’t misspell HIPAA. It’s a mistake that happens more commonly than you think. It hurts the credibility of any MSP that advertises itself as one that can help an organization remain HIPAA compliant. Remember, it’s HIPAA with two As, not HIPPA with two Ps. Double-checking that one letter difference can prevent many lost business opportunities.
Using Mike’s advice on dealing with HIPAA guidelines will provide numerous opportunities for your MSP business. By earning a reputation as a HIPAA security expert, your MSP will have a strong attribute to use to differentiate itself in a crowded market.