What Your MSP Should Know About HIPAA Compliance
Delivering healthcare demands robust technical infrastructure. Advances in patient treatment, research, diagnostic tools and even predictive analytics and AI have expanded the technologies available to healthcare providers, and these organizations increasingly turn to expert providers for the tools and features that drive new patient care models. This growing reliance on Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) means that healthcare organizations depend on HIPAA-compliant technologies, and therefore on HIPAA-compliant vendors to supply them.
Here, we discuss why HIPAA compliance is so important to MSPs, and why MSPs must not only be compliant but work with security experts and compliant partners as part of their operations.
The Role of MSPs in Healthcare
Healthcare, like any other industry, is seeing explosive growth in terms of IT infrastructure and security. Companies like Microsoft, Amazon, and Google are making headway into the healthcare space with their cloud offerings, and smaller vendors are launching targeted cloud and SaaS services to meet the needs of healthcare providers.
One of the reasons that healthcare is such a ripe industry for managed service providers is that organizations like large hospitals, hospital networks, and even clinics want to offload operational tasks onto expert vendors that can take the burden of day-to-day tasks and streamline them efficiently and securely.
That said, the healthcare industry has several adjacent operational verticals that never go out of demand. A large hospital typically runs some instance of each of the following operational tasks:
- Healthcare finance and payment processing
- Revenue cycle and integrity management
- Insurance claims and processing
- Customer service or patient support
- Data storage and access
- Analytics, business intelligence and strategy
- Security (physical, administrative and technical)
- SAP and/or ERP support
Note that these tasks are not mutually exclusive. For example, the financial functions (payment processing, revenue cycle and claims) often overlap with each other.
When it comes to technical demands, hospitals often turn to MSPs with experience in the healthcare industry to provide critical technical and IT infrastructure. These MSPs can provide on-prem or cloud services such as SaaS tools, data analytics, managed file transfer, Identity and Access Management (IAM), and several types of security and compliance services (specifically when working with Managed Security Service Providers, or MSSPs).
These MSPs provide healthcare entities with the kinds of advanced tools these organizations need to better serve patients and staff while increasing operational efficiency. For example, an MSP may provide SaaS tools on a cloud for hospital staff to access patient data uniformly across the entire organization. The same MSP might build a database backend that allows hospital staff to access only the specific categories of patient data appropriate to their role in the organization, and that records who accessed what.
To fulfill these roles, a managed service provider will most likely manage electronic Protected Health Information (ePHI), which means that they must adhere to HIPAA regulations.
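The role-based backend described above is the kind of control an MSP handling ePHI ends up building: each role sees only the fields its job requires (the "minimum necessary" idea), unknown roles fail closed, and every access, including denied fields and lookups of non-existent patients, lands in an audit log. The following is an added illustration, not code from the original article or from any vendor; the roles, field lists and the patient record are constructed for the example and are not taken from any real system.

```python
"""Role-based, field-level access to ePHI with an audit trail.

Added example (not the article's code). Roles, permitted fields and the
sample record below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample record; every value is fictional.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "diagnosis": "Type 2 diabetes",
    "insurance_id": "INS-99887766",
    "billing_balance": 125.50,
}

# Minimum-necessary policy: which fields each role may read.
# Assumed roles for illustration; a real deployment derives these from the
# covered entity's own policy and its IAM system.
ROLE_FIELDS: Dict[str, frozenset] = {
    "clinician": frozenset({"patient_id", "name", "dob", "diagnosis"}),
    "billing": frozenset({"patient_id", "name", "insurance_id", "billing_balance"}),
    "front_desk": frozenset({"patient_id", "name", "dob"}),
}


@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    patient_id: str
    fields_returned: List[str]
    fields_denied: List[str]


@dataclass
class EphiStore:
    records: Dict[str, dict]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def read(self, actor: str, role: str, patient_id: str,
             requested: Optional[List[str]] = None) -> dict:
        """Return only the fields `role` may see for `patient_id`, and log the access.

        Unknown roles map to an empty permission set, so they get nothing
        (fail closed). Fields the role asked for but may not see are logged as
        denied rather than raising, so an over-broad request stays visible to
        auditors without breaking the caller.
        """
        allowed = ROLE_FIELDS.get(role, frozenset())
        record = self.records.get(patient_id)
        if record is None:
            # Log lookups of non-existent patients too: probing for record IDs
            # is itself an event an auditor wants to see.
            self._log(actor, role, patient_id, [], requested or [])
            raise KeyError(f"no record for {patient_id}")
        wanted = requested if requested is not None else list(record)
        returned = {k: record[k] for k in wanted if k in allowed and k in record}
        denied = [k for k in wanted if k not in allowed]
        self._log(actor, role, patient_id, list(returned), denied)
        return returned

    def _log(self, actor: str, role: str, patient_id: str,
             returned: List[str], denied: List[str]) -> None:
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, patient_id=patient_id,
            fields_returned=returned, fields_denied=denied))


def demo():
    """Three accesses against the constructed record: full clinical view,
    a billing user over-asking for a diagnosis, and an unknown role."""
    store = EphiStore(records={PATIENT_RECORD["patient_id"]: dict(PATIENT_RECORD)})
    clinical_view = store.read("dr.smith", "clinician", "P-0001")
    billing_view = store.read("acct.jones", "billing", "P-0001",
                              ["diagnosis", "billing_balance"])
    stranger_view = store.read("intern", "unknown_role", "P-0001")
    return store, clinical_view, billing_view, stranger_view


if __name__ == "__main__":
    store, clinical, billing, stranger = demo()
    print("clinician sees:", clinical)
    print("billing sees:  ", billing)
    print("unknown role:  ", stranger)
    for entry in store.audit_log:
        print(entry)
```

The audit log is append-only in-process here; in production it would be written to tamper-evident storage with its own retention policy, since the Security Rule's audit-control requirement is about being able to review access after the fact, not merely about restricting it up front.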
MSPs as Business Associates for Covered Entities
Before getting into the responsibilities that MSPs must meet to handle patient data, it is necessary to understand how MSPs fit into working relationships under HIPAA.
Under HIPAA, three primary rules define the framework:
- The Privacy Rule, which defines Protected Health Information (PHI) in any form and sets the limits on how it may be used and disclosed (and, thus, maintains confidentiality).
- The Security Rule, which details the technical, physical, and administrative safeguards that must be implemented to protect the electronic subset of PHI, known as ePHI.
- The Breach Notification Rule, which outlines the steps an organization must take to notify affected individuals, the Secretary of HHS and, for larger breaches, the media when unsecured PHI is breached.
Within these rules, special care is taken to define the parties to which HIPAA applies. These designations break down into two categories:
- Covered Entities (CEs), representing health plans, health care clearinghouses, and health care providers (hospitals, clinics, smaller practices) that transmit health information electronically and directly manage PHI.
- Business Associates (BAs), representing third-party contractors or vendors providing services to CEs as detailed in the previous section—which includes many MSPs.
As part of any service agreement between a BA and a CE, there must be a standing Business Associate Agreement (BAA) that states the responsibilities and expectations of the BA, including its obligations under HIPAA. Note that an organization is not permanently either a CE or a BA: an entity that is a CE under one arrangement may serve as a Business Associate under another.
In 2013, the Omnibus Rule revised and updated several aspects of the HIPAA rules, specifically as they pertain to CEs and BAs. Under the Omnibus Rule, BAs are directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them, and are subject to the same enforcement and penalties as CEs. Subcontractors of a BA that create, receive, maintain or transmit PHI are themselves treated as BAs.
What does that mean for an MSP serving as a BA for a healthcare organization? It means that it must handle data to the same standard as any CE or face civil penalties that, under the Omnibus Rule's tiers, ran up to $50,000 per violation with an annual cap of $1.5 million per violated provision (amounts HHS has since adjusted for inflation). BAs without adequate security have faced fines and breach-remediation costs large enough to threaten their survival as businesses.
What are the Responsibilities of an MSP under HIPAA?
Simply put, an MSP that handles ePHI for a healthcare CE must follow any and all HIPAA requirements that their partner organization does. Broadly, this includes the following:
- Maintaining appropriate technical security controls. This includes strong, well-implemented encryption for data at rest on servers and workstations and in transit during file transfers, as well as technologies such as anti-malware software, firewall services and Identity and Access Management (IAM) as appropriate. The Security Rule also requires audit controls: mechanisms that record who accessed ePHI, and when, and allow that activity to be reviewed.
- Enacting physical safeguards over local systems. MSPs that offer cloud support must protect the physical systems that the data resides on. This includes keypad locks and security cameras for all data centers, protected access to workstations or laptops, and other preventative measures to keep unauthorized users from accessing physical systems.
- Maintaining administrative security controls. This includes creating, planning and implementing organizational policies that support securing data and maintaining its confidentiality. Administrative safeguards include security management processes (including risk analysis), workforce security measures, training and continuing education, development of incident response procedures, and the maintenance of BAAs.
For an MSP, these requirements pertain to any system that handles ePHI, with no exceptions. Furthermore, if you work with any contractors as part of your operation (security, storage, etc.) that create, receive, maintain or transmit ePHI on your behalf, then you must also have a BAA with that organization. So, for example, if you develop a SaaS program hosted on Microsoft Azure, then you would need to have a signed version of the Microsoft BAA as part of your HIPAA requirements. Likewise, if you work with a security partner that accesses or protects ePHI, then they too should have an agreement with you.
HIPAA Compliance is More Than Following Rules
HIPAA rules are not arbitrary. Some of the most private and important data we generate is our health data. The loss or theft of ePHI can be devastating to the life or livelihood of the victim, not to mention the impact on other organizations that could be defrauded through use of that data.
That is why it is critical that MSPs maintain HIPAA compliance, and ensure that HIPAA compliance is met by every partner. The problem is that many MSPs also work in other industries and must balance system security across several compliance frameworks, which calls for several layers of expertise and technology to manage, a task that can distract the MSP from its primary job of providing services to its clients.
Is your MSP ready for a security partner that can help with compliance across the most rigorous frameworks today, including HIPAA, FedRAMP, CMMC, and more? Call Continuum GRC at 1-888-896-6207 or contact us with the form below to learn about our ITAMs auditing and compliance tools.