HIPAA Compliance Checklist and Requirements

As a managed services provider (MSP), complying with a range of legal regulations can be a major part of your responsibilities. This is more than a way to provide great value to your customers—staying compliant can also protect you from penalties. This is especially true if you work with customers within the healthcare sector who are covered by the Health Insurance Portability and Accountability Act (HIPAA). The stakes are high for your customers, but MSPs that deal with digital patient data are subject to the same regulations and potential fines, so understanding HIPAA is to your benefit.

HIPAA is federal legislation, dating back to 1996, that led the Department of Health and Human Services (HHS) to develop privacy and security regulations around health information. Basically, HIPAA sets the standard for how to protect sensitive patient data, also known as protected health information (PHI). All “covered entities” must make tangible efforts to protect this data—and ignorance of the law is no excuse.

Today, patient data is in many cases stored digitally and is then known as electronic protected health information (ePHI). That sensitive data can include electronic health records (EHR), test results, pharmacy scripts, and more. Although electronic data is more portable and potentially more efficient to work with, it also opens the door to more security risks. That means understanding HIPAA is crucial for any IT professional dealing with ePHI.

What is required for HIPAA compliance?

Essentially, HIPAA requires that patient data stay protected. But that doesn’t happen by chance. If you’re wondering how to become HIPAA compliant, know that you need a thorough understanding of the legislation, plus the resources to carry out the assessment, implementation, monitoring, and reporting that make up a robust HIPAA strategy.

HIPAA is composed of the Privacy Rule and the Security Rule. The Privacy Rule establishes federal standards for protecting PHI. The Security Rule applies more specifically to ePHI, establishing the types of technical and non-technical safeguards that organizations must have in place. When you actually read the HIPAA guidelines, they can seem vague—you’ll find more categories and questions than specific action plans. But that vagueness is intentional, as every covered entity may have a slightly different way of protecting patient data, depending on their situation.

Who must comply with HIPAA?

Compliance is required for a few different types of organizations, including health plans, most healthcare providers (like doctors, clinics, hospitals, pharmacies, and nursing homes), and healthcare clearinghouses. HIPAA also applies to business associates of these entities, that is, third parties such as administrative or claims-processing services that require the use of personal health information. Because HIPAA also covers the transmission and management of ePHI, Health Information Organizations (HIOs) are considered business associates as well.

Healthcare businesses are valuable MSP customers and have many IT needs. But it’s important to understand that when MSPs work with covered entities they may become business associates and, if so, are just as responsible for HIPAA compliance as the customer. There isn’t an official certification for HIPAA, so it’s up to you to educate yourself and your customers on compliance. While large businesses tend to be very familiar with HIPAA, some of your smaller healthcare customers might assume they won’t be audited and may be lax about compliance.

But being lax can put patient data, as well as the business itself, at risk, and you may need to take extra steps to help your customers understand the importance of compliance. HIPAA violations can be expensive, easily totaling hundreds of thousands or millions of dollars, which in some cases is enough to shut down operations. You don’t want penalties for noncompliance to put your customer, or you, out of business.

What are three major things addressed in the HIPAA law?

Within the HIPAA Security Rule guidelines, there are three major categories of security measures for ePHI, and these tend to be very relevant for IT professionals. The following HIPAA compliance checklist goes through those three categories. MSPs should be sure to understand and address each of the standards within them:

1) Administrative

These are the policies and procedures that an organization should have in place to help protect against an ePHI breach. With the right administrative safeguards in place, the other requirements—physical and technical—can be implemented consistently and correctly. It’s crucial to have well-defined administrative actions to help manage, develop, implement, and maintain an overall security strategy. When it comes to administrative standards, there’s a long list that the organization should consider:

  • Security Management Process: This standard is about risk management and analysis. Organizations should review their current procedures for preventing and correcting violations and have a plan in place that follows these basic policies and procedures.
  • Assigned Security Responsibility: A security official should be designated to create and implement policies designed to protect ePHI.
  • Workforce Security: This section is about how to help ensure employees have the right levels of access to ePHI in order to do their jobs. That includes determining appropriate employee authorizations, and deactivating access upon employee termination.
  • Information Access Management: This standard emphasizes that access to ePHI should be restricted, to limit employees having unnecessary or inappropriate access to health information.
  • Security Awareness and Training: These standards apply both to IT admins and other employees. There should be proper access controls in place, like effective password policies, and employees should be aware of common threats or mistakes around data security.
  • Security Incident Procedures: Organizations should consider what kinds of security incidents might occur and have policies in place to clarify how such incidents should be handled and reported. Security incidents include attempted or successful unauthorized activities, like data access, modification, or other interference.
  • Contingency Plan: In case of a catastrophic data loss, or a disaster like power outage, flood, or fire, the organization shouldn’t be caught short. There should already be a plan in place around backups and recovery, with clarity around acceptable RTO (recovery time objective) and RPO (recovery point objective).
  • Evaluation: It’s not enough just to have these policies in place. Organizations must also ensure that they have ongoing monitoring around these policies so they can adjust to changes in operations or environment.
  • Business Associate Contracts: This standard relates to organizations with agreements or contracts with vendors who create, maintain, or transmit ePHI on their behalf. Essentially, there must be a contract in place that meets HIPAA standards. Obviously, if an MSP is transferring ePHI, it should be aware of this requirement.

2) Technical

Technical safeguards are the policies and procedures that guide the use of technology, especially access controls, for ePHI. For organizations covered by HIPAA, it’s imperative that they use appropriate IT security measures designed to protect data, whether at rest, in transit, or in use. Those standards may well vary depending on the organization—smaller healthcare organizations might not need as many robust tools as a larger entity with more complicated operations. HHS requires entities to balance risks, costs, complexity, and general capabilities when choosing and implementing the most appropriate measures.

  • Access Control: This standard requires that protections are in place to allow access to ePHI for authorized users or software. Users should be assigned unique identifiers, and control procedures should be implemented through appropriate hardware or software. IT should also monitor access for new or terminated accounts.
  • Audit Controls: To help demonstrate compliance, IT should implement hardware, software, and relevant procedures that can record and examine activity around ePHI. The resulting audit data trail can help the organization prove they are generally compliant with HIPAA regulations.
  • Integrity: To help prevent ePHI from being altered or destroyed improperly, MSPs should have a clear understanding of who is authorized to access the data, and in what ways unauthorized actors could modify the data. Essentially, that could call for threat protection, log management, and other appropriate measures.
  • Person or Entity Authentication: This standard calls specifically for measures that help ensure the user seeking to access ePHI is in fact the correct user; following best practices for access-control measures is helpful to meet this requirement.
  • Transmission Security: It’s also crucial to protect data as it’s being transmitted. MSPs will have to identify potential vulnerabilities based on how the data is typically used and determine sufficient safeguards designed to protect in-transit data. In many cases, some form of encryption is a feasible and smart choice.

3) Physical

Physical safeguards have less to do with hardware and software, and more to do with the environment around IT equipment. Since MSPs may be required to be compliant as well, they should be sure to understand their responsibilities, both for their own physical equipment and potentially for their customer’s equipment.

  • Facility Access Controls: This standard calls for organizations to limit access to facilities in which ePHI is housed. This applies to data centers, equipment locations, IT offices, and the location of workstations—though of course, the specifics will look different for different entities, especially when partnered with an MSP. This could mean anything from locks on doors to security cameras and ID badges. And yes, covered entities are allowed to use cloud computing, as long as proper protections are in place.
  • Workstation Use and Security: When it comes to HIPAA compliance, organizations are tasked with ensuring that workstations and devices, and their physical surroundings, are assessed for any risks. That may include assigning specific roles or functions to certain workstations, depending on the security risks they face. Workstations may need physical safeguards, like locked doors or guards, and employees may need to be trained on access procedures.
  • Device and Media Controls: Devices have only become more mobile and widespread, making it crucial that organizations consider this standard carefully. This applies to hardware and electronic media containing ePHI, and its movement into, out of, and within a facility. That could relate to disposing of equipment, removing ePHI from devices, keeping track of all relevant devices, and ensuring appropriate data backups before physically moving storage devices.

What does it mean to be in compliance with HIPAA?

Being HIPAA compliant ultimately requires protecting patient data. That requires balancing expense with risk, depending on the size and scope of the business. Remember that if a breach occurs and you are found to have overlooked or disregarded one of the above measures, especially if that disregard was willful, you could be subject to greater penalties. It’s to your advantage to make a good faith effort to comply with the regulation.

HIPAA compliance is also crucial when the worst happens. If a breach does occur, and you are processing ePHI, you will have to comply with the notice requirements, which may include notifying your client within 60 days of a data breach discovery.

Be aware that pleading ignorance of HIPAA regulations is not considered a justifiable defense. The Office for Civil Rights of the Department of Health and Human Services may still issue fines if they find you to be noncompliant, whether or not the violation was willful. In addition, you may be subject to criminal charges and a civil action lawsuit in the case of a breach.

In this context, it’s to your benefit to keep good records. Use monitoring and management software with robust event logs and reporting functions to help you recognize if data is at risk. In fact, choosing the right software can be a cost-effective way to address many of the security tasks around compliance, like access control, encryption, and threat detection. There are many HIPAA-covered businesses out there that need good MSPs, and you could add real value to your practice by learning more about HIPAA compliance requirements.

Learn about other compliance considerations from our blog and help ensure your business is following industry standards.
