This article also appears on MSP Mentor.
I was recently at a training event for MSPs. When the cocktails came out, a few of them really started opening up about their biggest frustrations, one of which was the Health Insurance Portability and Accountability Act (HIPAA).
Surprisingly, though, most said HIPAA was only a pain because of doctors or owners of medical practices. Evidently, many of them don’t think or even care about HIPAA. They told me a handful of the most ridiculous things they heard doctors say about HIPAA, and why it made them mad. By the end, some of the MSPs were really fuming, but I still got some really good advice on how to address some of the dumb things doctors say about HIPAA.
I don’t care about HIPAA
For whatever reason, some doctors seem to think that HIPAA compliance doesn’t matter. This will change quickly when a fellow doctor or peer close to them gets fined heavily for not being in compliance—that’s if the practice in question is lucky enough not to be the one fined. Having a devil-may-care attitude about HIPAA is not only ridiculous, it’s downright negligent. A data breach could place a patient’s most personal information in a criminal’s hands, not to mention the cost the practice itself could incur—and there’s actually a long list of healthcare providers who’ve had to pay settlements. And that leads us to the next one.
HIPAA compliance is too expensive
Being HIPAA compliant isn’t the most difficult thing in the world, really. A good, knowledgeable MSP can move a small practice toward HIPAA compliance without a ton of trouble. It takes some work, and of course, their effort costs money, which is money many doctors would rather spend on golf clubs or a boat. Few doctors seem to realize that penalties for non-compliance can cost them over $200,000 on the low end, up to millions of dollars on the high end. Paying to do risk-assessments, penetration testing, and then fixing any issues that come up is a small price compared to what they could pay if the practice is audited and fined.
I won’t be audited
Audits are happening right now and will only increase. Practices could be audited at random, or because someone filed a complaint against them. All it takes is one complaint to ultimately result in an audit, which can expose a rule violation, or in the worst cases, a criminal violation. Is it really worth the risk?
My people don’t want to learn new processes
The IT aspect of HIPAA is really only half of the story. Once everything on the network end is in place, nurses, doctors, and any employees in the practice need to understand how to keep data secure and safe. They need to know what HIPAA is and what they need to do to be in compliance, which typically involves new processes they may not want to learn. The MSPs I spoke with said that even once they’ve got everything in place, it can be difficult to get doctors to actually perform the necessary processes that keep them in compliance. In any case, practices need to understand that training and education on HIPAA is every bit as important as the technology aspect.
I’m not an Obamacare practice—it doesn’t affect me
Yes, an MSP heard a client say this. HIPAA covers any practice that handles and transmits protected health information (and even third parties these practices work with)—Obamacare has nothing to do with it.
My practice is already HIPAA compliant so I don’t need to worry
A practice may consider itself compliant, but remember that HIPAA requirements are commonly amended, so practices need to make sure they’re continually up to date by doing annual risk-assessments, which can include network diagnostics, penetration testing, and even backup verification and testing. They’ll also need a compliance officer responsible for making sure policies and procedures are up to date (we’ll get to compliance officers later).
Also, don’t forget that HIPAA compliance affects a practice and anyone it works with. As StorageCraft partner Guy Baroan noted in an interview about HIPAA compliance and MSPs, HIPAA pretty much trickles down to everyone. If a practice’s vendors (including managed service providers) haven’t signed business associate agreements, that practice isn’t compliant. And according to an article by McDermott, Will, and Emory, phase two of the Office for Civil Rights’ audits will include audits of business associates. This means practices definitely want to have business associate agreements with their partners.
I don’t want to hire a compliance officer
According to the U.S. Department of Health and Human Services, HIPAA is designed to keep both small and large practices in mind. Some smaller practices may not be able to hire a person specifically for compliance, but practices do need to designate someone as a privacy official or compliance officer. This is somebody who is responsible for developing and implementing privacy policies and procedures. A privacy official can be somebody the practice already employs, but this position does require special knowledge.
HIPAA is in place for a reason, and it’s really not such a tough thing to deal with once the necessary precautions are in place. There are also third parties like HIPAA Secure Now that can help MSPs and clients become compliant, and it’s much easier than you might think. These experts will train MSPs on helping clients become compliant, and the practices themselves on the necessary processes.
Lastly, remember that your job as an MSP is to help clients understand the risks they face if they aren’t compliant. If they stubbornly refuse to take the necessary precautions, you’ll have to decide if they are a client you can reasonably continue working with.
Photo credit: Adrian Clark via Flickr