One Guy’s Opinion: MSPs and HIPAA Compliance

This post was originally featured on the StorageCraft Recovery Zone blog as part of “One Guy’s Opinion,” where President Guy Baroan discusses the technology world through the lens of a successful IT managed service provider.


It’s important for MSPs to understand what HIPAA compliance is, what they can do to be HIPAA compliant, and what might happen if they try to service clients in the medical field without being HIPAA compliant. Luckily, our friend Guy Baroan, expert MSP and owner of IT solutions provider Baroan Technologies, knows his way around HIPAA. Guy explained that a number of his clients are medical practices with data that falls under HIPAA compliance standards, which means he’s got to have the necessary security and business practices in place to make sure those standards are met.

With that in mind, we chatted with Guy about how other MSPs can tackle clients in the medical field successfully, and without running into issues with auditing and fines.

StorageCraft: How familiar are you with HIPAA regulations?

Guy: We’re pretty familiar with what we need to have in place and what our clients need to have in place. There are really two main aspects of becoming HIPAA compliant.

The first thing you need to do is a security risk assessment to look over the whole practice. Once you’ve identified where some of the issues and challenges are—issues such as: who’s protecting passwords, who’s handling disaster recovery, and whether or not they have termination procedures—you’ve got to implement the recommendations you make.

The second part relates to policies, procedures, and training. Users within a practice need to be aware of what it means to be HIPAA compliant, just as much as you do.

StorageCraft: Do you feel like you can address all HIPAA compliance regulations or are there aspects that you aren’t able to meet or aren’t sure how to meet?

Guy: We’re technology partners with our clients. We can help them with everything from the technical perspective. Things like who has access to information, what are the security risks, and so forth, are things that we’re concerned with. Interestingly enough, the technology aspect is being affected more and more as electronic health records start to become the standard. I would say there’s a lot we can do with regard to HIPAA, but I wouldn’t say everything. As I mentioned, there are some business practices that they’ve got to be aware of and need to implement in order to be compliant.

StorageCraft: If you’re onboarding a new client, are you ever asked to verify that you are HIPAA compliant and if so, what’s involved?

Guy: We’ve certainly had clients ask us whether we are compliant. Compliance is going to become more of a requirement especially since all of these practices have to have these business agreements in place with any of their associates. This is a fairly new rule. In the past it used to be that just the medical practices had to be HIPAA compliant, but with this new ruling they said if a medical practice is using outsourced services, providers, or any other business associates, they need to be HIPAA compliant as well. HIPAA pretty much trickles down to anyone.

StorageCraft: Do you find it’s difficult to handle compliance? Is it intrusive in any way?

Guy: The regulations out there are really there to protect the information. If you look at everything they require from a security perspective, it’s not just useful for the medical industry—it’s not so bad having them in place yourself. That way you can restrict who has access to the servers, log who is accessing the servers, understand who is moving data where, and so forth—there’s a lot of good stuff. If, however, we had nothing in place, it would be difficult. Since we had security measures in place before HIPAA became an issue, it wasn’t tough for us to just get there and be compliant—it’s made a huge difference for us.

Anybody who isn’t doing anything—a fly-by-night company or someone who is working out of their home—probably doesn’t have these types of security and compliance standards in place and could be at a big risk for liability issues. If you’re not already doing something as far as security is concerned, it could be really difficult. If you’re doing some of it already, you’re probably not far from being fully compliant.

StorageCraft: Do you have any third parties that help you address some of the HIPAA concerns you have?

Guy: We found a company called HIPAA Secure Now. They specialize in the technology field and work to get us HIPAA compliant. They make sure that we do the security analysis and figure out everything we need to have in place. They also keep us up-to-date with training for our employees and keep us up-to-date with the newest requirements. They also allow us to resell their services to our clients—the medical practices. It’s really valuable. After we’ve assessed ourselves, the medical practices need to do many of the same things we did. Luckily, we can then help them become compliant.

StorageCraft: Are the HIPAA laws confusing or complicated?

Guy: Previously, the EMR programs practices had would provide the information, security, and compliance they needed, but at the time the compliance standards weren’t as precise. Now they are becoming more specific, which brings in the need for third parties to help with compliance.

StorageCraft: What have you heard about auditing?

Guy: While there haven’t really been many audits from any of the regulating arms like the Health and Human Services Department, they’ve recently approved an auditing process and will begin auditing. You’ll start to see more issues for companies that aren’t fully HIPAA compliant very soon. It’s going to be something that everybody needs to be looking at, even though a lot of companies haven’t given it much thought since they haven’t heard of audits happening. They seem to think, “Why go through all of this trouble if nobody is even checking?” Most are doing what they think they need to, but they’ll probably have to do a lot more when people start hearing about fellow practices being audited and fined.

StorageCraft: Do you know of a good resource that might help MSPs service clients in the medical industry?

Guy: The Health and Human Services Department goes over all the specifics about what businesses need to have in place. Additionally, there are third parties like HIPAA Secure Now that can help you and your clients become HIPAA compliant.

StorageCraft: How would a company know if it’s compliant enough right now?

Guy: From what I’ve read in the past, as long as you’re making a real attempt at being compliant you’ll be ok. As long as you have the software and security and you’re making sure that nobody is copying data and you’ve got termination policies and encrypted hard drives and so forth—if you’re doing everything you need to—I don’t think you’ll get a hard time from regulators. They probably can’t give you too hard a time in the beginning stages of the auditing process. But if you’ve got nothing in place and you’re not keeping track of compliance-related items, that’s just negligence and you’ll be in big trouble when audits do start happening.

StorageCraft: Do you have any other advice for MSPs with regard to HIPAA?

Guy: For us, not having HIPAA compliance would be a liability. If other MSPs don’t plan on following up on the rules and just assume they can handle a medical or dental practice but don’t keep close track of the laws, they could be fined over a million dollars if they get audited. That could be crippling to any business. If they aren’t willing to put in the effort to be HIPAA compliant, I’d suggest they don’t even work with clients in medical practices—practices need to be compliant, which means they need to work with people who are also compliant. My recommendation is that if a company isn’t willing to go out and do all the leg work, they shouldn’t work with any medical practices because they’re going to be open to a liability if they work with you, and you’ll be liable as well. Either do it right, or don’t do it.

StorageCraft: Are there benefits to servicing clients that have these requirements?

Guy: I think one of the benefits is that HIPAA is going to become more stringent and it’s going to be more difficult for practices to find businesses to work with that are compliant. Since we were willing to make the investment of time, effort, training, and infrastructure, it became more lucrative because now anyone we approach will know that we’re compliant. You’re going to need that as compliance standards become more strict and detailed.

For more StorageCraft articles by Guy, visit his author page on the Recovery Zone.


Make Outlook Work for You

Microsoft's email program, Outlook, is a surprisingly powerful and underutilized tool that has the potential to save users a lot of time and effort. So often we see our clients not using Outlook to its full potential or really making it work for their needs.

All it takes to be an email master is a combination of your time management skills with an awareness of all the tools Outlook has to offer. Below are Baroan's favorite Outlook best practices straight from Microsoft. Put a few into action and make Outlook work for you.


The 9 (Free) Tools You Need to Grow and Manage Your Company’s Web Presence

This post is for small businesses who...
  • Have a website and blog.
  • Have a working knowledge of and presence on social media.
  • Feel like they don’t have enough time or resources to grow and manage their web presence.
  • Think there’s a more efficient way to go about growing and managing their web presence.
Once you set up the framework for your web presence – website, blog, social media – and understand how it all works and works together, then it’s time to save yourself. Save time, save money, work smarter not harder. Your key to that is free tools. And when I say free, I mean 100% free – no 30-day free trials, no one asking for your credit card “just in case.” As the marketing/social media/website manager for Baroan Technologies, as well as MSP Builder, these are my favorite tools that I have accumulated over the past 2 years (I even discovered one of these last week!). I use almost all of them every day, and I hope you find at least one that you can incorporate into your daily routine.


Webinar: Want to Make Disaster Recovery Easy for Clients? Ask Them the Right Questions

President Guy Baroan was recently a guest on StorageCraft's webinar, Want to Make Disaster Recovery Easy for Clients? Ask Them the Right Questions. Guy discussed his experiences putting together disaster recovery plans for our clients with StorageCraft Technical Marketing Manager Steven Snyder.


CryptoLocker: What It Is & How to Prevent It

The new malware on the block is Cryptolocker, which belongs to a particular strain of malware referred to as “ransomware.” Ransomware gets its name from the ransom it demands while holding your computer hostage. Cryptolocker asks for $300 in exchange for decrypting the files it has locked down.

This post from Malwarebytes has all the details: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

How does Cryptolocker get on my computer?
This ransomware is spread through email attachments. Read our previous post on malware for tips on avoiding harmful email attachments.

Is there anything that can protect my computer from Cryptolocker?
The only proven preventative tool is Malwarebytes Anti-Malware Pro. If you have this running and Cryptolocker tries to attack your computer, it will be blocked. However, if you do not have Malwarebytes running and Cryptolocker gets on your computer, there is nothing that the software can retroactively do to remove it.

Baroan Technologies offers Malwarebytes Anti-Malware Pro and Kaspersky Antivirus as options you can include in your maintenance plan. Contact us for further information.

What happens if Cryptolocker succeeds in holding my computer ransom?
You are at risk of losing your computer’s files beyond recovery. If you have a backup that is NOT stored on your computer, then your files can be restored from that. Backups stored locally are at risk of infection.


Email's Secret Life

“Why does my email take so long?”

“Where is my email and why can’t you find it?”

These are questions that we often hear from our clients, and we do not always have a simple answer. It is easy to take email, and technology in general, for granted these days. We heavily rely on it not only for business, but more than ever in our daily lives. Email may not seem that complex on the surface – first you type a message, then you hit send and the recipient gets the message instantly in their inbox – but there is much more to your email’s journey than meets the eye....



Making Disaster Recovery Easy eBook

We are proud to share the latest StorageCraft Recover-Ability Guide, Making Disaster Recovery Easy, which was co-written by President Guy Baroan. Guy shares advice from his long experience as a managed service provider who provides disaster recovery for a diverse client base. The eBook looks at how asking questions can help you create solid documentation and easy-to-use disaster plans.

Download your copy today!

Making Disaster Recovery Easy (5.0 MiB)