While managed service providers (MSPs) are certainly well-versed in the areas of cloud-based file sharing and data storage, it pays to be just as familiar with some of the areas of interest of your clients. As MSPs see more healthcare companies migrating their services to the cloud – whether due to a relaxation of restrictions or a decision to evolve – the need for familiarity in this potentially lucrative market is as important as ever.
When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, data security and privacy on the internet were not exactly the big concerns of the day. Then again, the MSP business model we know and love today didn’t even exist.
Fast forward about 20 years – and through a couple of generations of computing platforms – and HIPAA compliance has become a hot topic as health care organizations, at long last, begin to crawl out from under mountains of paper and into the digital world.
The 2013 HIPAA Omnibus Rule is the modification to HIPAA that defines the rules governing data security for “covered entities” (healthcare providers, mostly) and their “business associates,” i.e. you, their MSP.
As the rule states, “These modifications [to the original HIPAA law] make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.” Here are the four most important things you need to know to comply with HIPAA regulations:
1. Business Associate Agreements
Law now requires that when you’re doing business with a “covered entity” (CE), you must execute agreements – called Business Associate Agreements (BAAs) – that define the permitted uses and disclosures of “protected health information” (PHI) by the business associate. Don’t start doing business with a healthcare client or other “covered entity” without a Business Associate Agreement in place. The same goes for subcontractors. You’ll want to make sure that anybody touching PHI is covered in the BAA.
2. Providing cloud storage makes you liable for HIPAA privacy
According to the HIPAA Omnibus rule, anything you store in the cloud – even on behalf of a client – that contains protected health information must be compliant with HIPAA privacy protections. This applies whether you ever view that data or not. If you retain, maintain, or transmit protected health information for a client, then you are bound by their business associate agreement.
3. Less access = lower liability risk
According to an FAQ published by the Center for Democracy and Technology, if you don’t have the capability to access your client’s data and adhere to HHS (Department of Health and Human Services) standards with respect to encryption, you should have little liability risk as a business associate. The FAQ also states that, “if the covered entity controls the decryption keys and the CSP has no ability to access the plain text of the data, it would not be reasonable to expect the CSP to comply with the provisions... that require a BA to ‘make available’ PHI for certain purposes.”
4. Breach thresholds have been lowered
Prior to the enactment of the Omnibus rule, a security breach only had to be reported to the HHS if it posed “significant risk of reputational, financial or other harm” to individuals. Now, all breaches of unsecured PHI – information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons – must be reported. However, if the BAA established between you and your healthcare client includes a multi-factor risk assessment that determines low probability of data compromise, the breach may not need to be reported. It’s probably worthwhile to check out your your legal obligations for notification.