Vertical markets such as healthcare can prove an attractive opportunity for channel partners. But there are risks involved. In this Ask the Expert, Austin Justice, vice president at Justice IT Consulting and an ASCII Group member since 2015, discusses the Health Insurance Portability and Accountability Act challenges from an IT services provider perspective. He outlines the issues channel partners confront when working with customers dealing with the requirements for HIPAA compliance.
What are the key challenges in supporting customers who must satisfy the requirements for HIPAA compliance?
Austin Justice: Supporting healthcare providers and organizations that need to maintain HIPAA compliance can be a lucrative yet challenging endeavor. IT providers are considered business associates under the HIPAA Security Rule. This classification brings a few important HIPAA-specific considerations.
- The provider's understanding of the HIPAA Security Rule
Smaller providers often are unaware that they are not in compliance and usually have the assumption that all the electronic protected health information (ePHI) is solely hosted with their electronic health records vendor. Conducting an inventory of ePHI and educating the provider on the Security Rule is a good option when fighting this assumption. As it happens, ePHI can be on their fileserver, in their voicemail, in their download directories and sent by email.
- Potential liability
IT managed service providers (MSPs) can face fines and fees in the millions of dollars per breach. Earlier this year, an IT MSP was fined $650,000 for a HIPAA breach. This means that an IT MSP that supports healthcare providers must be HIPAA compliant. They face the same level of scrutiny as the providers they support. Consulting a lawyer and an insurance agent can help mitigate some of this risk.
- Historical lack of enforcement
Over the past few years, less than 1% of providers faced a HIPAA Audit. The Department of Health and Human Services' Office for Civil Rights is stepping up its enforcement with a recent Phase 2 of the HIPAA Audit program. But most healthcare providers still have the same mindset they had years ago. IT MSPs need to consider their own increased risk as well as educate their clients on the risk.
- Skyrocketing breaches
In 2014, there were 2 million individuals affected by hacking-related ePHI breaches. In 2015, that number increased to a concerning 100 million individuals affected by hacking-related ePHI breaches. Ransomware, viruses and phishing regularly result in a breach. Annual risk assessments, training employees on phishing techniques and strong security measures are imperative.
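The ePHI inventory recommended above is, in practice, a data-discovery pass over the places the answer lists (file shares, download directories, exported mail). The script below is an added illustration, not code from the article or from Justice IT Consulting: it walks a directory tree, flags text files whose contents match coarse ePHI indicators, and ranks them for human review. The indicator patterns, the file-type list and the fictitious sample files are assumptions for the example; a real inventory would add text extraction for PDFs, mailboxes and voicemail exports and tune the patterns to the provider's own record formats.

```python
"""
Added example (not from the original article): a minimal ePHI inventory
scanner.  It walks a directory tree and reports files whose contents match
indicators of protected health information.  Patterns, file types and the
sample tree are assumptions chosen for illustration only.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicator patterns (assumed, illustrative).  Each is a coarse signal, not proof
# of ePHI; the report is a starting point for a human review, not a verdict.
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|ICD-10|ICD10)\b", re.IGNORECASE),
}

# Only text-like files are inspected.  Binaries (PDF, DOCX, WAV voicemail) would
# need a text-extraction step before the same patterns could be applied.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".eml", ".md", ".json"}


def scan_text(text: str) -> Counter:
    """Count how many times each indicator matches in one document."""
    hits = Counter()
    for name, pattern in INDICATORS.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_tree(root: str, min_indicators: int = 1) -> list:
    """
    Walk `root` and return one report entry per file that matches at least
    `min_indicators` distinct indicator types, most hits first.  Unreadable
    or non-text files are skipped rather than failing the whole inventory.
    """
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = scan_text(text)
            if len(hits) >= min_indicators:
                report.append({"path": path.relative_to(root).as_posix(),
                               "hits": dict(hits)})
    report.sort(key=lambda e: (-sum(e["hits"].values()), e["path"]))
    return report


def build_sample_tree(root: str) -> None:
    """Write constructed sample files (fictitious data) mimicking a small fileserver."""
    files = {
        "shared/billing/claims_export.csv":
            "name,ssn,mrn\nA. Patient,123-45-6789,MRN 00123456\n"
            "B. Patient,987-65-4321,MRN:00654321\n",
        "users/frontdesk/Downloads/referral.txt":
            "Referral for patient. DOB: 04/12/1970. Diagnosis: see attached ICD-10 codes.\n",
        "users/frontdesk/Downloads/lunch_menu.txt":
            "Tuesday: tacos. Wednesday: soup.\n",
        "it/logs/backup.log":
            "2024-01-01 backup completed, 3 files\n",
        "shared/scans/intake.pdf": "%PDF-1.4 binary placeholder\n",  # skipped: not text
    }
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> list:
    """Build the sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['path']}: {entry['hits']}")
```

Running it against the constructed tree flags the billing export and the download-folder referral while ignoring the menu, the backup log and the PDF, which is the point of the exercise: ePHI turns up outside the EHR, in exactly the shares and download directories the answer names. The ranking (most hits first) lets the provider start remediation where the concentration of ePHI is highest.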
Are you serving customers in heavily regulated industries? If you are a channel partner (i.e., VAR, MSP, SI, IT consultant, among others) with a tip on working with clients grappling with requirements for HIPAA compliance, or other regulatory duties, email John Moore, senior site editor.