MSPs & HIPAA Compliance
HIPAA for MSPs is a complex subject to tackle: not only do MSPs count as Business Associates if they offer a service to a healthcare facility, they could also be HIPAA-covered subcontractors if they supply a service to a company that offers a support service to a healthcare center or clinic.
For instance, if an MSP offers data storage services to an accounting practice, and the accounting firm provides bookkeeping services to a medical center, the MSP may be subject to HIPAA regulations depending on the nature of the data it stores for the accounting firm.
The HIPAA rules for MSPs will be relevant if the data includes any personal identifiers considered to be “Protected Health Information”.
Any MSP that creates, receives, uses or stores Protected Health Information is subject to HIPAA regulations and must enter into a “Business Associate Agreement” for as long as the MSP continues to offer a service to the healthcare center or to the company providing a support service.
Traditionally, HIPAA for MSPs was not a problem. MSPs did not need to become HIPAA experts because they offered a service to clients who already were experts. MSPs knew cloud technology and systems management; healthcare facilities and their support companies knew HIPAA.
That all ended in 2013, when the Final Omnibus Rule amended the HIPAA regulations. Today, Business Associates and subcontractors have to comply with the HIPAA Security and Privacy Rules, and can be held liable for a breach of Protected Health Information, and for the fines that can be applied.
The financial penalties for non-compliance with HIPAA for MSPs can be severe (up to $50,000 per compromised record), and fines can be applied even when a breach has not happened, for example when offering a service to a medical center without having a Business Associate Agreement in place.
For this reason alone it is critical that Managed Service Providers take HIPAA for MSPs seriously. However, there are commercial benefits for MSPs who make the effort to learn about HIPAA and ensure the services they supply to healthcare facilities and support companies are HIPAA-compliant.
Research into HIPAA compliance suggests that over two million Business Associates and subcontractors who supply a service to healthcare facilities are unaware of the HIPAA regulations and of whom they apply to. Indeed, many healthcare centers take a “better-safe-than-sorry” approach and execute Business Associate Agreements with every organization they have a business relationship with, regardless of whether the company has access to Protected Health Information or not.
Being able to show a knowledge of HIPAA and compliance with its Security and Privacy Rules can give an MSP a clear advantage over its competition, and not only in the eyes of organizations within the healthcare sector. Compliance is a major growth area in many regulated sectors, and MSPs who can show compliance with complicated HIPAA regulations will attract clients from the financial and legal industries as well.
One of the best ways to show a knowledge of HIPAA for MSPs is through accreditation. Compliance-conscious businesses in regulated sectors look for awards or certificates that show a service provider has undergone some level of HIPAA training. As there are no official HIPAA training requirements, these awards and certificates are not formally sanctioned by the Department of Health & Human Services. However, they show that a service provider has made the effort to learn about HIPAA for MSPs.