MSP HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national standards for the use and disclosure of protected health information (PHI). PHI is individually identifiable health information: health information combined with any identifier that ties it to a person, such as a patient name, IP address, device identifier or serial number, or biometric identifier, to name a few. HIPAA applies not only to covered entities but also to the vendors that handle PHI on their behalf, which includes managed service providers (MSPs) with healthcare clients. MSP HIPAA compliance requires the implementation of administrative, technical, and physical safeguards.
What is MSP HIPAA Compliance?
Under the HIPAA regulation, MSPs are considered business associates (BAs). A business associate is a vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity (CE) client. Before you are permitted to work with healthcare clients, you must be HIPAA compliant as well. To be HIPAA compliant, you are required to implement administrative, technical, and physical safeguards.
- Administrative: are written policies and procedures that must be customized to apply to an organization’s business processes. All employees must be trained on an organization’s policies and procedures and HIPAA requirements.
- Physical: refers to the security of an organization’s physical site with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue unique access codes for each employee.
- Technical: are cybersecurity measures that protect PHI stored on or transmitted by electronic systems, such as encryption, access controls, audit logging, and firewalls. All devices containing electronic PHI (ePHI) should have protections that preserve its confidentiality, integrity, and availability.
To assess whether your safeguards adequately protect PHI, conduct five self-audits annually.
- Security Risk Assessment: ensures that you have adequate physical, technical, and administrative safeguards in place.
- HITECH Subtitle D Audit: ensures that an organization has proper documentation and protocols in relation to Breach Notification.
- Security Standards Audit: ensures that an organization’s security policies are in line with HIPAA requirements.
- Asset and Device Audit: an itemized inventory of devices that contain ePHI. For each device, the list records which employee(s) use it and what security measures (such as encryption, authentication, and patching) are in place to secure it.
- Physical Site Audit: each physical location must be assessed to determine if there are measures protecting PHI, such as locks or alarm systems.
Conducting self-audits allows you to identify gaps in your security practices so that you can create and document remediation plans to close them.
Business Associate Agreements
Before a covered entity client is permitted to share PHI with you, there must be a signed business associate agreement (BAA). A BAA is a legal contract in which both parties agree to be HIPAA compliant and each party takes responsibility for its own compliance. It must also specify the permitted uses and disclosures of PHI, require appropriate safeguards, require the business associate to report breaches and security incidents to the covered entity, and provide for the return or destruction of PHI when the engagement ends. If you in turn rely on subcontractors (for example, a cloud or backup provider) that handle your clients' PHI, you must have BAAs with them as well. This is particularly important in the event of a data breach. Without a signed BAA, the sharing of PHI is itself an impermissible disclosure, and both parties may be held responsible if either experiences a breach. With a BAA in place, responsibility is allocated so that the party that experienced the breach is the one held accountable for it.