When it comes to the highly complex procedures performed every day in the healthcare field, knowledge and diligence are crucial to positive outcomes. This is just as true in the operating room as it is for healthcare organizations that must operate in complete compliance with the Health Insurance Portability and Accountability Act (HIPAA).
In this realm, the professionals that healthcare-related businesses put their trust in are, increasingly, MSPs. Many wise MSPs have now developed their portfolios to deliver more than just technology services. They provide both the data security solutions and the ongoing expert guidance to assist clients in successfully navigating their (often tricky) obligations under HIPAA.
Navigating HIPAA complexity
HIPAA is a tremendously beneficial set of regulations designed to safeguard the privacy of our protected health information (PHI). It’s also remarkably — and progressively — complex and nuanced, making it challenging for even well-intentioned HIPAA-covered organizations to maintain compliance without expert support. Falling out of compliance with the law is dangerous because HIPAA violations quickly lead to substantial fines and reputational damage. Those penalties average in the five-figures — high enough to cause many small and medium-sized organizations to close up shop.
Choosing an MSP that provides HIPAA expertise is certainly in the best interest of organizations looking for legal compliance and peace of mind. More than that, it’s all but required by the law itself. HIPAA mandates that any organization able to access PHI held by a HIPAA-covered entity (CE) must also act in accordance with HIPAA guidelines — and that includes MSPs providing technology or other services.
Here’s the wrinkle in these rules: It’s the duty of the CE to ensure that the MSPs it hires are HIPAA compliant. Failure to do so means that the CE itself is culpable in situations where its MSP violates HIPAA, and it is subject to the same enforcement actions as if the HIPAA violation were committed internally. Of course, in practice this is somewhat illogical. A healthcare organization often enlists an MSP because it doesn’t have the wherewithal to determine what exactly HIPAA requires of it. Such a CE would be in no position to police the activities of the MSP it hired to provide HIPAA expertise.
Capitalizing on your expertise
Thankfully, this predicament does come with a natural solution: MSPs worth doing business with because of their HIPAA expertise are also aware of this issue and have a means of alleviating it. Another HIPAA requirement that knowledgeable MSPs will explain to clients is that a CE’s “business associates” — such as MSPs — must operate within the bounds of a legally-binding business associate agreement (BAA).
A BAA delineates precisely how a business associate may interact with PHI, and it can set the parameters of how an MSP provides capabilities such as data encryption, remote wiping, and other capabilities to protect PHI and achieve HIPAA compliance. Within the BAA, expert MSPs can and should also take legal ownership of the responsibility to ensure their own HIPAA compliance, absolving their clients of the strange catch-22 they would face otherwise.
I believe MSPs with HIPAA expertise should even go a step further by assisting clients with their duties to oversee the practices of other business associates. Again, HIPAA’s rules apply to all associates handling PHI. The CE is responsible for establishing a BAA and requiring HIPAA compliance from providers (and even subcontractors) of all services, including accounting, data analysis, billing and collections, claims processing, legal services, and more. These business associates must be prepared to report any data breach incidents as well, and they must return (or destroy) all PHI whenever the BAA is terminated. The right MSP can guide an organization through the process of setting up BAAs and ensuring data is secured just as HIPAA requires.
While HIPAA’s complexity creates some unique challenges, MSPs that acquire the necessary expertise will find they are more than capable of guiding clients through them. And, by backing their expert guidance with a robust BAA, such MSPs can gain a valuable competitive differentiator as a trusted partner for managing HIPAA compliance across a client’s entire service ecosystem.
Photo: Guschenkova/Shutterstock.com
Great article! Thanks for sharing your insight and perspective. Will be sure to pass on to our MSP partners. Have a great week.