HIPAA compliance has challenged businesses of all sizes to satisfy a stringent set of rules and requirements. Compliance is nothing new for traditional industries such as the healthcare arena, but keeping up is more challenging than ever.
Between January and August 2017, the HHS Office for Civil Rights (OCR) agreed to monetary settlements connected to eight instances of HIPAA violations. The biggest, Memorial Healthcare System, paid a $5.5 million settlement after employees impermissibly accessed the Protected Health Information (PHI) of more than 100,000 patients and disclosed it to staff of affiliated physician offices without authorization.
These settlements drive home two important points. Number one: policies must be implemented and enforced so that access controls on confidential information in healthcare systems are actually checked, not just documented. Number two: HIPAA compliance is a complex, multilayered beast. Each penalty coincided with a different violation, which means the requirements, and the ways to fall short of them, are both great in number.
HIPAA and IT Security
HIPAA compliance has major implications for IT. Under the HIPAA Security Rule, IT departments that operate within healthcare organizations, or that provide services to them, must satisfy requirements that include but are not limited to:
- Maintaining the integrity, confidentiality, and availability of healthcare data
- Protecting healthcare data from unauthorized access and disclosure
- Using reliable encryption for the transmission and storage of healthcare data (encryption is an "addressable" specification in the Security Rule: it must be implemented, or a documented equivalent alternative must be adopted and the decision justified)
- Ensuring company-wide compliance with security guidelines
- Implementing a comprehensive backup and recovery plan
Any organization that manages PHI is responsible for protecting that data throughout its lifecycle. That means it is their responsibility to safeguard it from the time of creation to the time of proper disposal. This is where managed service providers (MSPs) come into play.
An MSP can alleviate the pressures of HIPAA compliance in a number of ways. For example, the provider may take on a consulting role, advising healthcare IT personnel on procuring the right security tools and ensuring that their systems are kept up to date. MSPs can also play a more active role by providing ongoing maintenance and monitoring that helps detect security threats before they cause harm.
The MSP Edge
In an ideal scenario, HIPAA compliance is a mutually beneficial arrangement for all parties involved. We’ve discussed what’s in it for the healthcare provider. Now let’s take a look at how MSPs can prosper.
New Business Opportunities
According to the Thomson Reuters Cost of Compliance 2017 report, more than half of respondents said they expect their total compliance budget to increase this year. Firms are rightly investing money in compliance management, and those who need help won't hesitate to outsource it to a capable third party. By adding compliance to their existing portfolio, MSPs can generate new business from a demand that is likely to persist for many years.
Increased Revenue Potential
Performing a thorough risk assessment is a core HIPAA Security Rule requirement (the risk analysis standard). This process helps healthcare practitioners reduce the likelihood of a breach by identifying threats and vulnerabilities affecting sensitive data. A risk assessment can uncover weaknesses such as:
- Lack of encryption across servers, laptops, and mobile devices
- Insufficient patch management processes
- Vulnerabilities in specific applications and systems
- Absence of regular penetration and vulnerability testing
- An inadequate or untested disaster recovery plan
The silver lining here is that the findings above map directly onto commonly offered managed services. Backup and disaster recovery, patch management, and managed security are core offerings on many MSP menus. In addition to identifying threats, a HIPAA risk assessment can help MSPs increase their revenue potential by selling services designed to safeguard medical records, payment history, and other PHI.
HIPAA Compliant Business
MSPs that create, receive, maintain, or transmit PHI on behalf of clinics and other covered entities are business associates under HIPAA, and a signed business associate agreement (BAA) with each such client is required. That makes you directly subject to many of the same regulations and penalties that apply to healthcare organizations. Needless to say, you'll need to be just as vigilant in making sure you have the proper controls in place. In the process of creating a HIPAA-compliant infrastructure, you will essentially be creating a more secure and resilient network that benefits your business as a whole, not just your healthcare clients.
Not everyone is ready to hop on the HIPAA bandwagon. The fear of liability and hefty fines is sure to keep some MSPs on the outside looking in. Dedicating the effort to train your staff and transform your infrastructure around HIPAA provisions will allow you to stand out from the crowd and become a go-to source for healthcare organizations in need. By the time the competition decides to take that leap of faith, you’ll benefit from having gained an edge through actual experience.
There's no tiptoeing around it. Taking on compliance work in any regulated field can be a double-edged sword for MSPs. Fastening on that HIPAA hero cape is akin to giving the government an invitation to audit your systems and potentially levy hefty penalties should your organization fail to meet requirements. But if you're up for the challenge, HIPAA compliance can be the key to unlocking a lucrative world of untapped potential and opportunity.