A Managed Service Provider’s Top 5 Rules For HIPAA
Here's your list of the top five rules for HIPAA according to a Managed Service Provider.
Managed Service Providers, or MSPs, can be game-changing for organizations operating in the healthcare vertical. Leveraging a professional MSP for expert information technology solutions can help you optimize your core processes and embrace new innovations. As with many other sectors, the healthcare industry is constantly evolving when it comes to advancing technologies, and an MSP can help you stay on the cutting edge in the best possible way for your business and your patients. More and more healthcare organizations are turning to managed services providers to lower costs and improve productivity, but there are five key rules that MSPs need to remember when providing technology solutions to such businesses. Knowing these key rules will help healthcare clients know that their MSP is acting in their best interests and according to compliance best practices.
1. Sharing the Risk
MSPs are recognized under HIPAA as Business Associates of their healthcare clients. According to the definition in HIPAA, an MSP’s healthcare clients are ‘Covered Entities,’ which means they are responsible for complying with all aspects of HIPAA. At the same time, as a Business Associate, the MSP is also responsible for its healthcare clients’ data security.
As an MSP and HIPAA Business Associate, your top responsibility is to ensure compliance and protect your clients’ patient data. When working with larger healthcare institutions, this is not normally a challenge. Large hospitals and research institutions have the budget to ensure compliance; some even go as far as training every staff member in HIPAA best practices.
2. Risk Assessment Is a Must
It is important that MSPs complete a risk assessment based on HIPAA best practices when working with a new client. A risk assessment will reveal potential issues that still need to be addressed before further IT-based solutions can be implemented.
The Office of the National Coordinator for Health Information Technology (ONC) publishes a Security Risk Assessment (SRA) tool. The SRA tool provides a clear guide on how a thorough risk assessment must be conducted, and it also provides a clear way to mitigate the risks it identifies.
Ideally, an MSP will start with a basic security risk assessment when working with a new client. This is helpful for demonstrating to the client that outside help is needed to achieve sufficient HIPAA compliance. Deeper analysis can then be conducted once the new client is onboard.
3. Encrypt Everything
Encryption sits at the heart of HIPAA compliance. Data ranging from Protected Health Information (PHI) to transmissions between machines and confidential communications between healthcare professionals must be sufficiently encrypted. PHI can exist in different forms — including Electronic Health Records, or EHRs — and each form needs to be equally secured by the MSP at every stage.
Privacy is the next component of HIPAA. Privacy is described in the second stage of Medicare and Medicaid EHR Incentive Programs — the Meaningful Use Programs — as a key element to continuous improvement, especially in the use of electronic transmissions for supporting healthcare services.
The two components — encryption and data privacy — are what make HIPAA the standard to follow. If an MSP can comply with HIPAA and provide healthcare clients with sufficient supporting systems for their services, it has the expert ability to provide sufficient data protection to other types of clients as well.
4. High Risk
We have talked about how MSPs share the risk with healthcare clients when it comes to protecting data. Now, it is time to acknowledge just how high that risk is. Failure to comply with HIPAA has bankrupted Covered Entities and their Business Associates in the past. This is a fundamental reason to take the time to ensure that your MSP holds itself accountable for achieving compliance through a strategic plan.
Last year, there were 55 cases of non-compliance that resulted in penalties. The total amount of those penalties? A whopping $79 million. The University of Texas MD Anderson Cancer Center recently paid the highest fine for HIPAA violations — specifically for their failure to integrate sufficient encryption policies into the research center’s workflows. The fine was $4.3 million, and it was a staggering blow for MD Anderson.
HIPAA violation penalties come in tiers, with the lowest tier (for an unintentional violation of HIPAA requirements) costing between $100 and $50,000 per violation. In an average case, a business may be looking at more than 10 violations stemming from a failure to comply with a single basic requirement.
5. Documentation Is the Key
Documenting protective measures and additional steps — including regular risk assessments — is critical for MSPs to meet compliance with HIPAA rules. Documenting everything and providing sufficient documentation to all staff and stakeholders of the healthcare client is equally important.
The same documents can then act as Evidence of Compliance in the event of a HIPAA audit and future risk assessments. That Evidence of Compliance shows all of the steps taken to identify security risks and mitigate those risks according to HIPAA requirements.
An MSP’s role is to help healthcare clients conduct regular audits internally. Combined with a better understanding of the risks and penalties — as we have discussed in this article — a great MSP can act as a trusted advisor and a leader in managed services for healthcare institutions. Ensure you’re working with one that keeps these top five rules in mind at all times on everyone’s behalf.
Published at DZone with permission of Vikram Nallamala. See the original article here.