4/10/2014

One Guy’s Opinion: MSPs and HIPAA Compliance

This post was originally featured on the StorageCraft Recovery Zone blog as part of “One Guy’s Opinion,” where President Guy Baroan discusses the technology world through the lens of a successful IT managed service provider.



It’s important for MSPs to understand what HIPAA compliance is, what they can do to be HIPAA compliant, and what might happen if they try to service clients in the medical field without being HIPAA compliant. Luckily, our friend Guy Baroan, expert MSP and owner of IT solutions provider Baroan Technologies, knows his way around HIPAA. Guy explained that a number of his clients are medical practices with data that falls under HIPAA compliance standards, which means he’s got to have the necessary security and business practices in place to make sure these standards are met.

With that in mind, we chatted with Guy about how other MSPs can tackle clients in the medical field successfully, and without running into issues with auditing and fines.



StorageCraft: How familiar are you with HIPAA regulations?

Guy: We’re pretty familiar with what we need to have in place and what our clients need to have in place. There are really two main aspects of becoming HIPAA compliant.

The first thing you need to do is a security risk assessment to look over the whole practice. Once you’ve identified where some of the issues and challenges are—issues such as: who’s protecting passwords, who’s handling disaster recovery, and whether or not they have termination procedures—you’ve got to implement the recommendations you make.

The second part relates to policies, procedures, and training. Users within a practice need to be aware of what it means to be HIPAA compliant, just as much as you do.

StorageCraft: Do you feel like you can address all HIPAA compliance regulations or are there aspects that you aren’t able to meet or aren’t sure how to meet?

Guy: We’re technology partners with our clients. We can help them with everything from the technical perspective. Things like who has access to information, what are the security risks, and so forth, are things that we’re concerned with. Interestingly enough, the technology aspect is being affected more and more as electronic health records start to become the standard. I would say there’s a lot we can do with regard to HIPAA, but I wouldn’t say everything. As I mentioned, there are some business practices that they’ve got to be aware of and need to implement in order to be compliant.

StorageCraft: If you’re onboarding a new client, are you ever asked to verify that you are HIPAA compliant and if so, what’s involved?

Guy: We’ve certainly had clients ask us whether we are compliant. Compliance is going to become more of a requirement especially since all of these practices have to have these business agreements in place with any of their associates. This is a fairly new rule. In the past it used to be that just the medical practices had to be HIPAA compliant, but with this new ruling they said if a medical practice is using outsourced services, providers, or any other business associates, they need to be HIPAA compliant as well. HIPAA pretty much trickles down to anyone.

StorageCraft: Do you find it’s difficult to handle compliance? Is it intrusive in any way?

Guy: The regulations out there are really there to protect the information. If you look at everything they require from a security perspective, it’s not just useful for the medical industry—it’s not so bad having them in place yourself. That way you can restrict who has access to the servers, log who is accessing the servers, understand who is moving data where, and so forth—there’s a lot of good stuff. If, however, we had nothing in place, it would be difficult. Since we had security measures in place before HIPAA became an issue, it wasn’t tough for us to just get there and be compliant—it’s made a huge difference for us.

Anybody who isn’t doing anything—a fly-by-night company or someone who is working out of their home—probably doesn’t have these types of security and compliance standards in place and could be at a big risk for liability issues. If you’re not already doing something as far as security is concerned, it could be really difficult. If you’re doing some of it already, you’re probably not far from being fully compliant.

StorageCraft: Do you have any third parties that help you address some of the HIPAA concerns you have?

Guy: We found a company called HIPAA Secure Now. They specialize in the technology field and work to get us HIPAA compliant. They make sure that we do the security analysis and figure out everything we need to have in place. They also keep us up-to-date with training for our employees and keep us up-to-date with the newest requirements. They also allow us to resell their services to our clients—the medical practices. It’s really valuable. After we’ve assessed ourselves, the medical practices need to do many of the same things we did. Luckily, we can then help them become compliant.

StorageCraft: Are the HIPAA laws confusing or complicated?

Guy: Previously, the EMR programs that practices had would provide the information, security, and compliance they needed, but at the time the compliance standards weren’t as precise. Now they are becoming more specific, which brings in the need for third parties to help with compliance.

StorageCraft: What have you heard about auditing?

Guy: While there haven’t really been many audits from any of the regulating arms like the Health and Human Services Department, they’ve recently approved an auditing process and will begin auditing. You’ll start to see more issues for companies that aren’t fully HIPAA compliant very soon. It’s going to be something that everybody needs to be looking at, even though a lot of companies haven’t given it much thought since they haven’t heard of audits happening. They seem to think, “Why go through all of this trouble if nobody is even checking?” Most are doing what they think they need to, but they’ll probably have to do a lot more when people start hearing about fellow practices being audited and fined.

StorageCraft: Do you know of a good resource that might help MSPs service clients in the medical industry?

Guy: The Health and Human Services Department goes over all the specifics about what businesses need to have in place. Additionally, there are third parties like HIPAA Secure Now that can help you and your clients become HIPAA compliant.

StorageCraft: How would a company know if it’s compliant enough right now?

Guy: From what I’ve read in the past, as long as you’re making a real attempt at being compliant you’ll be ok. As long as you have the software and security and you’re making sure that nobody is copying data and you’ve got termination policies and encrypted hard drives and so forth—if you’re doing everything you need to—I don’t think you’ll get a hard time from regulators. They probably can’t give you too hard a time in the beginning stages of the auditing process. But if you’ve got nothing in place and you’re not keeping track of compliance-related items, that’s just negligence and you’ll be in big trouble when audits do start happening.

StorageCraft: Do you have any other advice for MSPs with regard to HIPAA?

Guy: For us, not having HIPAA compliance would be a liability. If other MSPs don’t plan on following up on the rules and just assume they can handle a medical or dental practice but don’t keep close track of the laws, they could be fined over a million dollars if they get audited. That could be crippling to any business. If they aren’t willing to put in the effort to be HIPAA compliant, I’d suggest they don’t even work with clients in medical practices—practices need to be compliant, which means they need to work with people who are also compliant. My recommendation is that if a company isn’t willing to go out and do all the leg work, they shouldn’t work with any medical practices because they’re going to be open to a liability if they work with you, and you’ll be liable as well. Either do it right, or don’t do it.

StorageCraft: Are there benefits to servicing clients that have these requirements?

Guy: I think one of the benefits is that HIPAA is going to become more stringent and it’s going to be more difficult for practices to find businesses to work with that are compliant. Since we were willing to make the investment of time, effort, training, and infrastructure, it became more lucrative because now anyone we approach will know that we’re compliant. You’re going to need that as compliance standards become more strict and detailed.

For more StorageCraft articles by Guy, visit his author page on the Recovery Zone.
