The HIPAA Paradox: Why MSPs Offering HIPAA Compliance Must Practice What They Provide

By Cam Roberson, Director of the Reseller Channel for Beachhead Solutions

It’s unfortunate that the Health Insurance Portability and Accountability Act (HIPAA) is so complex. Not only do many health organizations subject to it fail to understand what it requires of them when it comes to safeguarding the protected health information (PHI) of medical patients, but the complexities of HIPAA can even create awkward and paradoxical situations for the MSPs serving these medical practices.

The fact that HIPAA has a history of extraordinarily costly enforcement actions for non-compliance only intensifies the need for health organizations to seek help in following the law strictly, with all its nuances. And most do just that. Here, however, the paradox arises: an MSP that possesses or has access to a HIPAA covered entity’s (CE’s) PHI is required to be HIPAA compliant as well. This is, of course, a Catch-22: how can a business that hires an MSP precisely to handle its data security and implement HIPAA compliance possibly have the expertise to judge whether the MSP’s own HIPAA practices are adequate? The mind reels at the thought of secondary MSPs hired to check the HIPAA-related precautions of health organizations’ primary MSPs (and if those secondary MSPs touch the protected data, they in turn would need MSPs for tertiary checks). It’s HIPAA hurdles all the way down.

Given this reality, the best way forward is for MSPs to ensure their own HIPAA compliance on behalf of the organizations they serve by making it part of their service duties. HIPAA requires that any “business associate”, meaning any entity that has or has had access to PHI entrusted to a HIPAA-covered organization, do its work under a business associate agreement (BAA). The BAA obligates the business associate to work within data security requirements delineated by the HIPAA-covered organization (which, as I’ve pointed out, often wouldn’t know how to go about that). It also calls for the implementation of technical measures such as encryption to secure PHI in accordance with provisions of HIPAA’s Security Rule. (Encryption is formally an “addressable” specification under that rule, but in practice it is the control that keeps a lost or stolen laptop from becoming a reportable breach of unsecured PHI.) The kinds of business associates who must operate under such an agreement extend well beyond technology providers and MSPs: medical claims processors, data analysts, and providers of quality assurance, billing and collections, practice management, legal services, accounting, and consulting all qualify.

The BAA establishes the legal responsibilities of the involved parties and gets specific about how PHI may be used and disclosed. It also spells out the breach-preventing data protections the business associate is required to have in place. Per HIPAA requirements, the BAA must also legally require the following: that the business associate report breaches and unauthorized uses or disclosures of PHI, that any subcontractor used by the business associate agrees in writing to the same restrictions and conditions (in practice, a downstream BAA), and that the business associate return or destroy all PHI when the BAA is terminated, where it is feasible to do so.

As a best practice, MSPs should proactively offer and commit to BAAs when dealing with any client covered by HIPAA, both for the client’s benefit and their own. As the more knowledgeable party in the relationship, MSPs must take responsibility for making sure that both they and their clients conform to HIPAA’s strict requirements. MSPs must understand that failing to fulfill HIPAA’s BAA requirements means exposure to fines and penalties as severe as those they’ve been hired to protect their clients from. HIPAA enforcement fines can reach five figures for a single violation, large enough to act as a knockout punch for many small or medium-sized businesses.

MSPs should explain the HIPAA paradox to clients and demonstrate how they resolve it by offering an airtight BAA. They should consider it just another part of delivering fully HIPAA-compliant data protection. MSPs that take this tack can carve out an important competitive differentiator in the marketplace. Providing a seamless solution showcases their professional knowledge and trustworthiness, and delivers an agreement that their clients might not even have known they were legally obligated to have.

Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company offering a PC and Mobile Device encryption service platform for MSPs.


One Response to The HIPAA Paradox: Why MSPs Offering HIPAA Compliance Must Practice What They Provide

  1. Jonathan says:

    Great article, Cam, and so very true. I especially liked your last sentence. It is amazing just how many companies / agencies who do fall under the HIPAA guidelines either knowingly attempt to “stay under the radar” with their heads in the sand or simply “don’t know”.

    Imagine if the HVAC company responsible for providing the backdoor route into the Target Stores hack was held responsible as a “Business Associate” and Target as a “Covered Entity”!! I’m pretty sure a great many hospitals exist that never think of their HVAC vendor as a “Business Associate”.
