[BreachExchange] Why Healthcare Orgs Should Demand MSPs That Are Wise To HIPAA's Nuances

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 13 19:51:56 EST 2017


https://www.healthitoutcomes.com/doc/why-healthcare-orgs-should-demand-msps-that-are-wise-to-hipaa-s-nuances-0001


There tend to be two paths when learning any lesson: the easy way and
the hard way. In cases involving compliance with the Health Insurance
Portability and Accountability Act (better known as HIPAA), the easy way
for a healthcare organization to learn the nuances of the law is to be led
by a smart MSP with extensive HIPAA expertise. Alternatively, the hard way
is actually easy at first: simply ignore the detailed responsibilities of
HIPAA, do your best, and wait for the data breaches, government audits, and
substantial fines to arrive.

To be clear, HIPAA is a needed set of regulations: it keeps private
information about our personal health protected, and we all want that.
While it’s full of good rules, it’s also full of complexity – and
necessarily so. No one would accuse HIPAA of being simple to understand,
and, unfortunately, this means that HIPAA-covered organizations with the
best of intentions can end up out of compliance with the law, merely out of
ignorance of the responsibilities placed upon them. They say what you don’t
know can kill you, and it’s certainly true if you’re talking about a small
or medium-sized business hit with fines due to HIPAA violations. It’s
normal for these penalties to be in the mid-five figures, a blow that even
large companies would have trouble absorbing, and often a knockout punch
for many smaller ones.

Here’s a major example that demonstrates HIPAA’s complexity, and why
selecting an MSP with HIPAA expertise is so necessary for organizations
covered by the law. Note that this includes any organization that handles
the protected health information (PHI) of patients – and such organizations
commonly rely on managed service providers to provide the technology
solutions needed to safeguard this information and ensure HIPAA compliance.
A complex rule within HIPAA actually requires that any MSP with access to
(or even the ability to access) PHI held by a HIPAA Covered Entity (CE) must
itself be HIPAA compliant in its own practices. However, the party
responsible for making sure the service provider complies with HIPAA is the
CE – the organization that in all likelihood hired the MSP precisely because
it has no HIPAA expertise internally. If the hired MSP fails to comply with
HIPAA, the CE is in as much trouble as it would be if it violated HIPAA
directly. In reality, it’s unimaginable that a CE that has hired an MSP to
address its HIPAA needs would have any idea about this responsibility, let
alone how to ensure that the MSP itself is HIPAA compliant.

MSPs with deep HIPAA expertise, however, do have an understanding of this
situation, and ought to be the ones to address it. Another relevant aspect
of HIPAA is that it requires any “business associate” of a CE to establish
a formal business associate agreement (BAA). This BAA is a legally binding
document that specifies exactly how a business associate handles the PHI it
can access, as well as the solutions – such as data encryption and other
capabilities – that are used to achieve HIPAA compliance. Because MSPs are
the knowledgeable party in these situations, they should take the
initiative and offer any HIPAA-covered client a BAA that obligates the MSP
to see to its own HIPAA compliance, thereby ensuring that the client
fulfills the responsibility of MSP oversight (which it likely would have
never known it had).

An MSP responsible for data security and HIPAA compliance should also be
sure to inform and help the client address the full scope of the law’s
business associate rules. These require a BAA and HIPAA-compliant practices
from not just technology providers but any associate handling PHI,
including providers of billing and collections, claims processing, data
analysis, accounting, legal services, and others (such as subcontractors).
Under HIPAA, the BAA must also require that the business associate report
any incidents where data is breached or used without authorization, and
must return or destroy all data at the conclusion of the agreement.

HIPAA compliance remains a greater challenge than most organizations
probably realize, but MSPs that attack this lack of understanding head-on
do themselves and their clients a valuable service. By offering a robust
BAA upfront and explaining the agreement’s critical importance, an MSP can
distinguish itself as deeply knowledgeable, trustworthy, and proactive in
meeting needs the client didn’t know it had. Embracing the BAA and the role
of HIPAA expert benefits both the MSP and its clients by ensuring that both
understand what to expect, and how to stay on HIPAA’s good side.