By CHRIS CAFFERA
The Managed Service Provider (MSP) you choose to help run your business has a direct bearing on how successful that business will be. Ultimately, your MSP’s vulnerabilities are your vulnerabilities, which is why HIPAA emphasizes the importance of business associate compliance. Business associate MSPs must be compliant with HIPAA standards. So how do you ensure that you are choosing HIPAA compliant MSPs?
What is a Business Associate?
A business associate is any entity that creates, receives, transmits, or stores protected health information (PHI) on behalf of a healthcare organization. Some examples of business associates include electronic medical record platforms, email service providers, cloud storage services, online appointment schedulers, teleconferencing tools, electronic payment software, and Managed Service Providers. When choosing which business associates are appropriate for your practice, you are obligated to vet them to ensure that they are HIPAA compliant.
What Makes an MSP HIPAA Compliant?
Many of the requirements that healthcare organizations need to meet also apply to business associates. HIPAA compliant MSPs must ensure the confidentiality, integrity, and availability of PHI. To do so, they must implement safeguards to prevent unauthorized access or disclosure of PHI.
HIPAA compliant MSPs implement the following:
Access Management
A key component of HIPAA compliance is controlling who has access to PHI. In today’s environment, most PHI is stored in an electronic format, making access management the most practical way to control that access. Access management incorporates several components, including user authentication, access controls, and audit logs. To implement user authentication, unique login credentials must be given to each user of a platform or software.
HIPAA points to the need for unique login credentials in its minimum necessary standard, which requires PHI access to be limited to only the information needed to complete a specific task. Under this standard, employees must be given access only to the PHI they need to perform their job functions; the restrictions tied to each user’s unique login credentials are known as access controls. PHI access must also be tracked to ensure the minimum necessary standard is adhered to. To accomplish this, organizations must keep audit logs. Audit logs enable administrators to track which employees access what data and how long they access it. Tracking PHI access also establishes a regular access pattern for each employee, so that inappropriate or unauthorized access can be detected quickly.
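The three components just described (unique credentials per user, role-based access controls enforcing the minimum necessary standard, and an audit log that is reviewed against each user's regular pattern) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from SeamlessCS; the users, roles, PHI field names, record identifiers and log activity are all constructed sample data, and the "three times the user's own daily baseline" rule is an illustrative threshold, not a HIPAA requirement.

```python
"""
Access management model: unique user accounts, role-based PHI field
permissions (minimum necessary), an audit log of every attempt, and a
review routine that flags denied attempts and unusual access volume.
All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Minimum necessary: each role sees only the PHI fields its job requires.
# Field names are hypothetical.
ROLE_PERMISSIONS = {
    "billing":   {"patient.name", "patient.insurance", "patient.balance"},
    "nurse":     {"patient.name", "patient.vitals", "patient.medications"},
    "physician": {"patient.name", "patient.vitals", "patient.medications",
                  "patient.history"},
}

# Unique credentials: one account per person, never a shared login.
USERS = {"alice": "billing", "bob": "nurse", "carol": "physician"}


def check_access(user, patient_id, field_name, when, audit_log):
    """Enforce role-based access and record every attempt, allowed or denied."""
    role = USERS.get(user)
    allowed = role is not None and field_name in ROLE_PERMISSIONS[role]
    audit_log.append({
        "when": when, "user": user, "patient": patient_id,
        "field": field_name, "allowed": allowed,
    })
    return allowed


def review_audit_log(audit_log, threshold=3.0):
    """Return (denied_attempts, volume_alerts).

    A volume alert is raised when, on one day, a user touched more than
    `threshold` times as many distinct patient records as that user's own
    average over the other days in the log (the 'regular access pattern').
    """
    denied = [e for e in audit_log if not e["allowed"]]

    per_user_day = defaultdict(set)
    for e in audit_log:
        if e["allowed"]:
            per_user_day[(e["user"], e["when"].date())].add(e["patient"])

    counts = defaultdict(dict)
    for (user, day), patients in per_user_day.items():
        counts[user][day] = len(patients)

    volume_alerts = []
    for user, days in counts.items():
        if len(days) < 2:          # no baseline to compare against yet
            continue
        for day, n in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others)
            if n > threshold * baseline:
                volume_alerts.append((user, day, n, baseline))
    return denied, volume_alerts


def sample_activity():
    """Constructed activity: bob (nurse) normally views 2 patients a day,
    then on day 3 opens 10 records; alice (billing) tries to read vitals."""
    log = []
    for day in (1, 2):
        for pid in ("p1", "p2"):
            check_access("bob", pid, "patient.vitals",
                         datetime(2024, 1, day, 9, 0), log)
    for i in range(10):
        check_access("bob", f"p{i}", "patient.vitals",
                     datetime(2024, 1, 3, 9, i), log)
    check_access("alice", "p1", "patient.balance",
                 datetime(2024, 1, 3, 10, 0), log)
    check_access("alice", "p1", "patient.vitals",
                 datetime(2024, 1, 3, 10, 5), log)
    return log


if __name__ == "__main__":
    denied, alerts = review_audit_log(sample_activity())
    for e in denied:
        print(f"DENIED  {e['when']} {e['user']} -> {e['field']} of {e['patient']}")
    for user, day, n, baseline in alerts:
        print(f"VOLUME  {day} {user}: {n} records (baseline {baseline:.1f})")
```

In a real deployment the log entries would carry the session duration the text mentions and would be written to append-only storage outside the application's own control; the review routine is the part an administrator would schedule to run over each day's entries.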
Data Security
As hacking incidents continue to plague the healthcare sector, data security is of utmost importance. End-to-end encryption (E2EE) is the best way to prevent hacking incidents. E2EE prevents unauthorized access to data from the moment it is sent until it is received by the intended recipient.
Although not explicitly mandated by HIPAA, the Security Rule states that “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.”
Data Backup
Businesses working with PHI must also implement data backup procedures. Establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI) is essential to implementing an effective data backup plan. In the case of a breach or natural disaster, data backup facilitates business continuity and the quality of patient care.
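"Retrievable, exact copies" is a testable property: a backup is only useful if each file can be read back and is byte-for-byte identical to the original. The script below is an added example written for this page, not code from the article or from SeamlessCS. It copies a directory of files into a backup location, writes a manifest of SHA-256 hashes, and verifies the backup against that manifest, refusing to restore a copy that no longer matches. The file names and contents are constructed in a temporary directory so the script runs anywhere.

```python
"""
Backup with integrity verification: create an exact copy, record a hash
manifest, verify every copy is present and unchanged, and restore only
copies that still match. All paths and contents are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"   # hypothetical manifest file name


def sha256_of(path):
    """Hash a file in chunks so large record exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir):
    """Copy every file under source_dir into backup_dir (preserving the
    relative layout) and write a manifest mapping relative path -> SHA-256
    of the original. Returns the manifest."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(source_dir)
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)          # copy2 keeps timestamps as well
        manifest[rel.as_posix()] = sha256_of(path)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir):
    """Return (ok, problems). Every file in the manifest must exist in the
    backup and hash to the recorded value; anything else is not an exact,
    retrievable copy."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        copy = backup_dir / rel
        if not copy.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(copy) != expected:
            problems.append(f"corrupt: {rel}")
    return (not problems), problems


def restore_file(backup_dir, rel):
    """Retrieve one file's bytes from the backup, refusing a copy whose hash
    no longer matches the manifest."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    copy = backup_dir / rel
    if sha256_of(copy) != manifest[rel]:
        raise ValueError(f"backup copy of {rel} failed integrity check")
    return copy.read_bytes()


def demo():
    """Constructed run: back up two files, verify, tamper with one copy,
    verify again, and restore the untouched file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "ephi", Path(tmp) / "backup"
        (src / "records").mkdir(parents=True)
        (src / "records" / "p1.json").write_text('{"patient": "p1", "vitals": [120, 80]}')
        (src / "notes.txt").write_text("constructed sample note")

        create_backup(src, dst)
        first_ok, _ = verify_backup(dst)

        (dst / "notes.txt").write_text("tampered")   # simulate a damaged copy
        second_ok, problems = verify_backup(dst)

        restored = restore_file(dst, "records/p1.json")
        return first_ok, second_ok, problems, restored


if __name__ == "__main__":
    ok_before, ok_after, problems, restored = demo()
    print("verified after backup:", ok_before)
    print("verified after tampering:", ok_after, problems)
    print("restored p1.json:", restored.decode())
```

The verification step is what turns a copy job into a backup plan: running it on a schedule, and restoring a sample file as part of it, is the evidence an auditor would look for that the copies are actually retrievable.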
HIPAA Business Associate Agreement
Regardless of how secure an MSP is, it is not a HIPAA compliant MSP if it does not sign business associate agreements (BAAs). MSPs that will not enter into a BAA with their healthcare clients cannot be used for business associate services.
A BAA is a legal agreement between a healthcare provider and their business associate MSP that requires each signing party to be HIPAA compliant and to agree to maintain its compliance. A business associate agreement is essential to compliance because it ensures that each party implements measures to safeguard PHI.
Closing Thoughts
As an MSP who has earned our HIPAA compliancy shield, we understand the importance of not only being a compliant business partner, but also ensuring that your policies, procedures, and training stand up to the test should an audit occur. Contact us if you need assistance in this regard.
Chris Caffera is sales chief at SeamlessCS. SeamlessCS strives to create a better work environment that enhances small businesses and helps them to thrive. We get to know our customers on a deeper, more personal level, to better understand how we can best help your business/organization enhance with technology support and services. You aren’t just another number with our company. For more information visit us at www.SeamlessCS.com.
Email Chris at ccaffera@seamlesscs.com