The following is a guest blog post by Cam Roberson, Director of the Reseller Channel, Beachhead Solutions.
If you run a small business in the healthcare field, the challenge of delivering the critical services your organization provides likely keeps you busy enough. You probably aren’t itching to take a deep dive into the nuanced complexities of your legal responsibilities under HIPAA, or the details of how you must safeguard patients’ protected health information (PHI) from a data and technology perspective. Given the choice, you’d probably prefer to focus your attention solely on your business – that’s why you hire IT solution providers to fulfill your technology needs, and even to understand HIPAA on your behalf.
However, HIPAA happens to include something of an ironic catch-22, in that the regulation does require you to be aware of at least one aspect of the law and to be responsible for meeting it on your own. The issue is this: the law requires that a HIPAA Covered Entity (any provider, health plan, or clearinghouse) make sure that any “business associate” (your IT provider) with the ability to access its PHI is itself fully HIPAA compliant. You read that correctly. The legal burden to ensure that your IT provider is a responsible caretaker of sensitive data is on you, even though you hire your IT provider both to handle that responsibility and to provide the expertise to know about burdens such as this in the first place.
From a regulatory perspective, this requirement makes complete sense: it would be a huge and dangerous loophole if passing PHI to a third party placed it outside of HIPAA’s safeguards, and who better than the company enlisting those third parties to remain responsible for its own PHI? It’s only as a practical matter for small healthcare businesses relying on providers for IT and related compliance expertise that the requirement becomes somewhat absurd. Unfortunately, with HIPAA violations carrying penalties that average in the five figures – not to mention the often-costlier reputational damage done when a business is publicly cited for unsafe data handling practices – most small healthcare providers literally can’t afford to be found out of compliance.
To navigate this catch-22, here’s what you need to do. You must be aware of HIPAA’s business associate standards, and you must carefully vet your managed service providers (MSPs) to ensure that they fully understand (and comply with) this aspect of HIPAA. You also need to understand one other HIPAA requirement: a covered entity’s business associates must sign and operate under a business associate agreement (BAA). A BAA is a legally binding document that specifies the conditions under which a business associate is allowed to interact with PHI, and it can include details such as the exact safeguards – data encryption, device access controls, etc. – that an IT provider delivers in order to achieve effective and HIPAA-compliant data protection. A BAA must be executed with each vendor before any PHI is shared with it.
Therefore, when it comes to your responsibility for vetting IT providers, one valuable technique is to enlist providers that proactively delineate your responsibilities under HIPAA and offer a robust BAA as part of their services to you. In reviewing and vetting existing providers, it’s essential to make sure not only that any MSP your company works with is HIPAA compliant, but also that it has a thorough knowledge of both its responsibilities as a business associate and its obligations under HIPAA’s BAA requirements. Any current MSP should have effective procedures, processes, and services in place to ensure that you, as its covered-entity client, are compliant as well. It’s common for covered entities to work with service providers, such as Compliancy Group, that explicitly provide HIPAA risk assessment, compliance coaching, employee training, and audit support, and that will verify an organization’s compliance to help it in the event of a HIPAA audit. Such providers simplify compliance on your behalf, helping to demonstrate that your contracts with current and future IT providers meet HIPAA regulatory standards.
By understanding the HIPAA requirements that your small healthcare business has a direct responsibility to meet, you can make sure that your IT providers will handle the rest when it comes to establishing fully compliant practices, allowing you the peace of mind to focus on serving patients and growing your business.
Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company offering a PC and mobile device encryption service platform for MSPs.