The MSP’s HIPAA Compliance Checklist

Dominic Kirby, Pax8 Director of Cloud Services

What is HIPAA compliance and how do I maintain it?

Please note: This article and checklist are meant for general self-evaluation. This article and checklist do NOT certify you or your organization as HIPAA-compliant or certified.

Why HIPAA Compliance Matters for MSPs

HIPAA compliance is a complicated and delicate undertaking. And when we say delicate, we mean delicate like a nuclear reactor, not delicate like a flower. You can’t just give your clients a few HIPAA policies and go about business as usual, just like you cannot build a nuclear power plant and leave it alone. In fact, both require auditing, constant supervision, good staffing, good policies and procedures, and excellent reporting and investigation of any issues.

Compliance with the federal government regarding Patient Health Information (PHI) and electronic Patient Health Information (ePHI) is a full-time job; a few careless mistakes can lead to a total meltdown. Compliance requires constant monitoring of technical, physical, security, and administrative practices. As MSPs, your lives are already busy enough; adding HIPAA compliance on top of all your other obligations can seem like a daunting task.

In this article, we’ll cover what it means to be compliant and provide you with some resources to help keep your company and your clients compliant.

Training staff and employees

You wouldn’t just pick a random group of unqualified people to operate and staff a nuclear power plant, so why would it be any different for HIPAA compliance?

Both your company and your clients must train all staff in basic HIPAA rules and requirements. In preparation for audits, the training sessions should be documented and recorded. Since HIPAA laws are constantly changing or being tweaked, you should advise your clients to designate one person as the HIPAA Compliance, Privacy, and/or Security Officer. If an incident does occur, staff members should be able to report the issue anonymously.

Since neither your company nor your clients exist in an isolated bubble, the next group of people you need to think about are Business Associates (BAs). MSPs are considered BAs, by the way, if they service a Covered Entity (CE) or other BAs. Any vendor that comes in contact with PHI is considered a BA. Just as any outside workers who come into the nuclear power plant must first be vetted and outfitted with protective gear, BAs must sign a Business Associate Agreement (BAA) before they are allowed access to any PHI. They also need to be audited to make sure they are HIPAA compliant.

Managing audits

Audits are not fun, but they are necessary to make sure everything and everyone is doing what they are supposed to do. It’s important to conduct the following audits/assessments based on National Institute of Standards and Technology (NIST) guidelines:

  • Administrative assessments to ensure that all staff are properly trained
  • Privacy assessments to review policies, procedures, and testing of privacy controls
  • Security risk assessments to give you an idea of how at risk your client’s system is

Once the assessments are complete, you should be able to identify the deficiencies within the system. These should be recorded and remediated as soon as possible.

Remediations and identifying deficiencies

What is the best way to fix deficiencies in a system? Well, it helps to have some outside help.

Compliancy Group is the industry leader in HIPAA compliance software. They assist with everything from compliance coaching to audit support to verified compliance. If going to the US Department of Health & Human Services (HHS) website strikes fear into your hearts like the words “nuclear core meltdown,” then Compliancy Group might be one of our vendors that can help alleviate some of those worries.

Policies and procedures

People do not just dive right into work on their first day at a nuclear power plant. There are probably a few days or weeks of training where they learn about all the procedures they must follow.

When it comes to HIPAA laws and regulations, the relevant policies and procedures are just as important. Not only do employees need to understand what they must do to stay HIPAA compliant, but there should be a written form of the policies for future reference or retraining purposes.

HIPAA policies and procedures are a documented and structured way to make sure everyone in the company follows the same rules. All staff must read and attest to the policies and procedures. The attestation along with annual reviews must be documented. And in the event of an incident or data breach, there should be a process set in place to manage it.

Reporting and investigations

Nuclear reactors are constantly under surveillance, and any abnormalities are reported. Even minor incidents need to be documented in case they lead to bigger issues in the future. This is especially true in earthquake-prone areas, where even small tremors could damage the reactors. Small problems today can lead to disasters if they’re ignored.

With HIPAA compliance, you should set in place a system for both your company and your clients to track and report incidents and investigations. While you won’t have to deal with a nuclear meltdown if privacy is breached, you could end up paying significant fines. For many small and medium-sized businesses, this is the equivalent of a meltdown.

To start, you will want to create reports to prove due diligence. You need to be able to show that each incident was reported and then investigated. The investigation itself must be tracked and managed as well. Your staff should be well trained in what a breach is and the various kinds of breaches, and they need to be able to report any and all breaches they see.

Too Many Things to Keep Track Of?

As you probably gathered from this article, there are quite a few similarities between running a nuclear power plant and staying HIPAA-compliant. Both are complicated, have many moving parts, require attention to detail, involve ever-changing federal requirements, and (occasionally) deal with a threat to human health or human health data.

Unlike running a nuclear power plant, though, securing PHI is a lot less risky than handling and containing radioactive fission material. Software like Compliancy Group’s helps manage risk, security, and government audits.

You can also check out our easy-to-use HIPAA Compliance Checklist. This quick, one-page list covers the most important points of HIPAA compliance and will give you a head start on avoiding fines, passing audits, and preventing that proverbial nuclear meltdown.
