Managing HIPAA compliance for MSP customers can be a double-edged sword: It is a great business opportunity but fraught with challenges because of the legal implications.
Medical professionals are responsible for staying abreast of the laws that govern them and cannot delegate their legal obligation to remain compliant with HIPAA (Health Insurance Portability and Accountability Act), noted Charles Weaver, CEO of the MSPAlliance. "[Customers] can go to the MSP and say, 'Our backup for our medical data has to be in a secure location to stay compliant.' So that MSP technically is providing HIPAA services in the sense that they're helping the medical provider to stay compliant," Weaver said.
But the MSP is not advising the medical professional, he stressed. "So there is a distinction between advising on legal matters and helping with the administration of the client's IT [infrastructure]." Weaver said he knows of several MSPs that offer IT consulting services -- but not legal services -- to medical clients. He described the HIPAA compliance services tag that MSPs frequently use in marketing as "more of a catch-all phrase for IT-related services."
Typically, physician practices and hospitals have a legal office, and it is common for them to conduct an IT assessment before engaging an MSP for IT services: vetting the provider and ensuring its backup services are encrypted, Weaver said. For the smaller medical practice, "it is hoped that the MSP is knowledgeable … about the types of things they can and cannot do," he said. "That's the best case scenario for some of these [healthcare] providers, because they don't know IT."
The doctor or medical professional needs to be the one who says, "'Look, do I care about this unsecured Wi-Fi access point in the corner? Do I even know what it is? Maybe I should engage a third party to secure it and make sure my patient data is as secure as I can make it,'" Weaver said.
When a medical practice or hospital engages an MSP, the MSP performs a vulnerability scan, where they might find a whole host of issues, like unsecured devices, he said. "They could then go to the client and say, 'These things are probably not HIPAA compliant if you put patient data on them and it got lost.' That's basic. If you as an [MSP] lose patient data, that's bad. So MSPs advise on that all the time."
If an MSP is handling, creating, maintaining or storing protected health information (PHI) of a HIPAA-covered entity, "they have an obligation and a duty to … comply with the HIPAA privacy, security and breach notification rules, as well as any number of state law requirements, to ensure that sensitive information about an individual is safeguarded and appropriate actions are taken to notify an individual if there has been a breach of confidentiality," said David Holtzman, vice president of compliance strategies at CynergisTek, an information security and privacy consulting firm.
Having the proper safeguards in place to protect health information is "a business imperative" for an MSP, Holtzman said.
HIPAA compliance services: Certification is key
A particular area of concern for HIPAA compliance in healthcare entities is in print services. The largest clients of EO Johnson, a managed IT and print services provider, are hospitals and medical systems, so the company has become certified under MSPAlliance's unified certification standard for cloud managed service providers. "It's a Cadillac standard," said Peter Kujawa, president of EO Johnson Locknet, the managed IT division of EO Johnson.
EO Johnson supplies copiers and printers -- including large production print equipment -- to hospitals. The company also puts staff on-site to service and repair hardware, all of which has aspects of HIPAA compliance, said Kujawa. "For example, one of the things we do in the copier world is we don't ever leave the building with a hard drive."
All multifunction devices now have hard drives, which can contain PHI, so EO Johnson Locknet's technicians pull the hard drive out and leave it in the health provider's possession when working on a copier, he said. If a copier needs to be replaced, the technician takes it out of circulation -- after pulling out the hard drive and leaving it with the hospital.
"There have been cases in the industry where equipment gets recycled and ends up in someone else's possession with confidential information on it, so we don't take the chance," Kujawa said. Because its technicians are close enough to see and hear things that are protected under HIPAA, they undergo background checks and are trained not to share that information with any unauthorized persons, he said.
He strongly advises that providers delivering services to medical entities "make sure you're delivering services that are HIPAA compliant," but added, "very few in our industry have any certifications." The annual audit is rigorous and isn't cheap: It costs in the range of $20,000 to $30,000, he said. But certification brings peace of mind.
"We wanted to know we were doing things in the most secure and best business practices [is the] way to do that, so we were willing to spend money" to make the company better prepared, he explained. "We wanted an independent document [that] current customers could view" on how EO Johnson Locknet does business. "It's been very good for growing our business and made us much better as an organization over the years having to meet the standard that's required."
Kujawa recommends that any MSP considering working with a HIPAA-regulated entity ensure that "the way you do business is up to snuff with what's expected." HIPAA requires MSPs to sign a business associate agreement (BAA) that essentially says PHI will remain safe. Additionally, "they need to make sure they understand what they're agreeing to in the BAA and that they can live up to it," he said. "You don't want to take on a million dollars of risk for [a] couple thousand bucks a month."
EO Johnson Locknet has taken on healthcare clients that were breached while with other providers and then came to it after the fact to clean up. "It's not fun. It's always better to invest in prevention and detection than to try and save money on that," Kujawa said. "You're going to end up paying more money in the long run than if you were doing things right."
The company does not advise the clients on compliance, he said. "We think that's a conflict of interest. We'll refer them to companies we think are very good at HIPAA compliance. … Our job is to deliver the services we know meet HIPAA compliance."
Depending on the size of the organization, EO Johnson Locknet works with either IT leadership or the compliance or legal team in the organization. It also often works with the customer's C-level decision-makers or all three areas, he said.
HIPAA audit program becomes a reality
In July, the DHHS' Office for Civil Rights (OCR) handed out a round of HIPAA audit notices to 167 healthcare organizations. The OCR will audit not only these healthcare organizations, but a selection of their business associates as well. The revenue from the fines collected is expected to fund a permanent HIPAA audit program that the OCR could introduce as soon as 2017.
Software compliance platforms
Another participant in the HIPAA software space is Artisan Infrastructure, which recently acquired Vertiscale, a provider of workspace as a service and compliance offerings focused on the small and medium-sized healthcare market. With the acquisition, announced in August 2016, Artisan has renamed itself Neverfail.
Jon Senger, chief architect at Neverfail, said the company has learned "MSPs generally are not comfortable in understanding end to end what compliance entails, so they're looking for solutions and someone to define that for them."
While MSPs know the names of the compliance standards they're trying to work with, such as Payment Card Industry and Financial Industry Regulatory Authority, Neverfail aims to provide the software that allows the MSP "to check the box in as many areas of compliance as we [can]," Senger said.
He also noted that not all rules are tech-based. There are a lot of processes and raw documentation involved. For example, he said, there has to be a physical guard in front of a data center to prevent anyone from going in without proper authorization.
"There are challenges across the board, and the MSP has to understand them end to end as they select infrastructure partners [and] hardware and software providers to provide an exhaustive HIPAA solution," he said.
Ensuring you avoid risk exposure
MSPs need to understand the potential risks involved with taking on HIPAA clients. "If you're an MSP and want to take on a medical client, make sure they're just as concerned about HIPAA as you are and understand the risks," Senger emphasized. "That's an uphill battle sometimes."
Some MSPs' clients think they'll never get audited, and, when they do, there is an "atrocious" failure rate of 90%, he said. However, he said a "big part of an MSP's job" is to educate its clients, which is another good revenue generator.
"Healthcare customers that refuse to invest in HIPAA compliance at all are exposing MSPs to risk, and I don't believe those are safe for [the MSP] businesses. So those are the ones I recommend they walk away from," Senger said.
Not all MSPs may agree with that approach if the client doesn't provide the MSP with access to medical information, he added. "If there is zero access to medical e-PHI, they're at less risk," he said, which means the MSP is not hosting services and has no ability to remotely log in to client machines.
Echoing Kujawa, Senger said, "If you're willing to sign a BAA with a healthcare client … it's your responsibility to take the client down the path for full HIPAA compliance. I don't see an alternative to it. But I wouldn't take on healthcare clients that don't see HIPAA compliance as being as important as I do."
Weaver said the MSPAlliance always advises MSPs to have strong managed services contracts with customers and cyber liability insurance to protect them and their customers in the event of a data breach. "In addition, I think it's a good idea for MSPs to reexamine phrases like 'We provide HIPAA compliance services.' I wouldn't want the end user to think, 'If I use this company, I will be HIPAA compliant,'" he said.
He also suggested the MSP may want to remove the compliance wording from its literature. "I wouldn't want to be in a lawsuit with a client and have the client say, 'I bought these services because they have the [word] compliance plastered over their website,'" he said. Alternative phrasing may be, "We deliver IT services to healthcare customers."
Kujawa agreed. "The price of poker to work with a regulated business is the table stakes are fairly high. Make sure you're fairly committed to it or don't do it at all, because there [are] plenty of providers out there that are very good at [healthcare services] and understand how to do it, and you're better off focusing on nonregulated businesses."