When it comes to Health Information Technology (HIT), privacy and security are the two most important areas to which you need to direct your attention. Your focus should mainly be around serving patients and avoiding data breaches.
Consider these statistics, for starters:
- The U.S. Department of Health and Human Services reports that data breaches across the industry cost an average of several million dollars per year.
- A leading provider of IT security audits found that between 2009 and 2014 alone, Health Insurance Portability and Accountability Act (HIPAA) data breaches soared by over 100%.
- In the last year alone, there was a breach of almost 9 million health records.
Taking every precaution to protect patients’ rights is critical as data breaches and cybercrime quickly grow more advanced. There are even reports that the annual economic impact of medical identity theft is in the billions of dollars – with patients filing an average of over 1,000 HIPAA complaints per month.
So you can see how important making sure you have a managed services provider with HIPAA IT compliance can be for your company. Let’s take a closer look at how an MSP can help you become – and remain – HIPAA compliant, how to evaluate a vendor, and the steps HIPAA compliant MSPs should take while working with a new client.
How a Managed Services Provider Can Support Your HIPAA IT Compliance
It’s important to note that business associates who violate HIPAA privacy and security stipulations could find themselves facing $1.5 million in fines, annually, according to the HIPAA Final Omnibus Rule. Ensuring your MSP is HIPAA-compliant helps guarantee that electronic health information is secure.
Some HIPAA IT Compliance Facts You’ll Want to Know
The majority of healthcare organizations out there today – an impressive 83% – are using cloud-based apps and are projected to invest more than $10 billion in cloud computing by the year 2020. As you can imagine, the need to have expert, dedicated HIPAA compliant IT providers can only increase.
Companies that offer true, fully managed services will undergo annual data security and privacy audits. Customers’ HIPAA infrastructure should be reviewed by dedicated, experienced HIPAA compliance specialists, so they feel confident that they have a team on their side.
Because the cloud is so scalable without adding overhead, it looks more and more favorable in the eyes of the decision-makers of healthcare providers. Thus, more and more of them are moving their data to the cloud. Attempting to meet all HIPAA regulatory compliance requirements in a cloud environment, however, can be complicated and present challenges.
For this reason, many hospitals are starting to team up with MSPs to make sure they’re fully in line with the strict data security compliance demands of this newer cloud-driven infrastructure. For those who are apprehensive, a service level agreement (SLA) can address common HIPAA concerns such as:
- Data backup and recovery
- System availability and reliability
- How ePHI (Electronic Protected Health Information) will be returned to a hospital or practice if the service is terminated
- Encryption of data, both in transit and at rest, as well as access controls, audit trails, and data storage locations
- Precisely how the provider of these cloud services will use, retain, and disclose ePHI
A Word to the Wise Regarding HIPAA IT Compliance
Getting these agreements in place will also cover the Breach Notification Rule. The rule requires a cloud services provider to report security incidents to the business. If you don’t set up these documents with your provider, your business runs the risk of not complying with all the rules in the cloud. Also, data loss from a security breach can be extremely costly – anywhere between $100 and $1.5 million, per violation.
Cloud services providers, the MSPs, can help fill in any gaps left by HIPAA when it comes to newer technologies. HIPAA rules don’t always keep up with how quickly things are changing, but they’re not getting any less strict, which rightfully makes companies nervous. How will they know if they’re missing something, on their own?
By making sure they have a compliant and secure platform that covers all the bases, including ones HIPAA hasn’t even considered yet. Leading MSPs should be going out of their way to implement the latest security measures to stay ahead in the growing cloud space. These measures include regular audits and clearly defined processes for their clients that fit into HIPAA’s framework.
Next, we’ll take a more in-depth look into how you can find the right MSP specializing in HIPAA IT compliance for your company.
How to Ensure an MSP Is Going to Achieve HIPAA IT Compliance for Your Office
HIPAA regulations state that access to confidential patient health information, meaning the ability to create, edit, view, or delete any piece of data, must be monitored by the “covered entity” or “business associate.” The system that holds the data needs to keep logs noting who accessed the information, how it was accessed, and at what time.
A company that provides services to a Covered Entity, where those services touch confidential information, is a Business Associate. The organization that itself works with sensitive patient health information is the Covered Entity; any company providing services to it has to make sure those services comply with HIPAA’s physical, network, and process security regulations.
Business Associates in the World of HIPAA IT Compliance Should Do the Following
For purposes of HIPAA, based on the definition mentioned above, virtually all IT service providers are considered Business Associates. They need to:
- Ensure confidentiality, availability, and integrity of electronic Patient Health Information that’s transmitted, maintained, created, or received
- Identify potential, reasonably anticipated security or integrity threats on the information
- Protect against those threats – including impermissible uses or disclosures – and ensure any employees, contractors, or agents of the Covered Entity also are complying with HIPAA measures.
Let’s talk more about security measures. These can be broken down into three main types:
- Technical Security
Ensure that only authorized, pre-screened individuals have access to the PHI (protected health information). Again, all PHI access, or access to the systems that hold the PHI, needs to be logged. Modifications made during access must also be recorded and tracked. Adequate security to prevent unauthorized changes to or destruction of records is also necessary.
- Administrative Security
These kinds of security measures are put in place to identify potential risks to the PHI and then implement training and procedures to alleviate those risks. Official security personnel should be appointed by management and tasked with ensuring compliance.
That individual should assess, at random intervals, the effectiveness of the HIPAA compliant policies and procedures that were developed.
- Physical Security
The facility in which information is stored might be a server location, doctor’s office, etc., and there must be limited access to the area. Limitation ensures that only authorized personnel can enter, reducing the potential for vulnerabilities. Physical access to terminals, servers, and computers should also be restricted.
Further measures might be to safeguard access to the machines themselves, such as only giving a password to authorized personnel or making it so that the machines cannot be removed from a facility.
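The technical safeguards described above (authorize every access, log who accessed which record, how and when, record modifications, and protect the log itself from tampering) can be seen end to end in a small model. The following is an added example, not code from the original article or from any MSP; the role table, user names, record ids, and the fixed timestamp are constructed for the walk-through. Each audit entry is chained to the previous one with a SHA-256 hash, so an edited or deleted entry is detectable, and edits record only the names of changed fields, never PHI values, so the log does not become a second copy of the data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed role table for this example; roles and permissions are hypothetical.
ROLE_PERMISSIONS = {
    "physician": {"create", "view", "edit"},
    "billing": {"view"},
    "admin": {"create", "view", "edit", "delete"},
}
GENESIS_HASH = "0" * 64


class AccessDenied(Exception):
    """Raised when a user's role does not permit the requested action."""


class PhiStore:
    """Minimal ePHI store: authorize first, then write a hash-chained audit entry."""

    def __init__(self, clock=None):
        self._records = {}
        self._log = []
        # Injectable clock so the walk-through below is reproducible.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self._prev_hash = GENESIS_HASH

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, serialized in canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _audit(self, user, role, action, record_id, outcome, details=None):
        entry = {
            "who": user, "role": role, "how": action, "record": record_id,
            "when": self._clock(), "outcome": outcome,
            "details": details or {},   # field names only, never PHI values
            "prev": self._prev_hash,    # links this entry to the previous one
        }
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self._log.append(entry)

    def _authorize(self, user, role, action, record_id):
        # Denied attempts are logged too; they are often the first sign of misuse.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, record_id, "denied")
            raise AccessDenied(f"{user} ({role}) may not {action} {record_id}")

    def create(self, user, role, record_id, data):
        self._authorize(user, role, "create", record_id)
        self._records[record_id] = dict(data)
        self._audit(user, role, "create", record_id, "ok")

    def view(self, user, role, record_id):
        self._authorize(user, role, "view", record_id)
        record = dict(self._records[record_id])
        self._audit(user, role, "view", record_id, "ok")
        return record

    def edit(self, user, role, record_id, changes):
        self._authorize(user, role, "edit", record_id)
        self._records[record_id].update(changes)
        self._audit(user, role, "edit", record_id, "ok",
                    {"changed_fields": sorted(changes)})

    def delete(self, user, role, record_id):
        self._authorize(user, role, "delete", record_id)
        del self._records[record_id]
        self._audit(user, role, "delete", record_id, "ok")

    def audit_log(self):
        return [dict(e) for e in self._log]

    def verify_log(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS_HASH
        for entry in self._log:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo():
    """Constructed walk-through: a physician creates and views a chart, a billing
    user is refused an edit, then the physician updates two fields."""
    store = PhiStore(clock=lambda: "2024-01-01T09:00:00+00:00")
    store.create("dr_lee", "physician", "chart-001", {"dx": "J06.9"})
    store.view("dr_lee", "physician", "chart-001")
    try:
        store.edit("b_khan", "billing", "chart-001", {"dx": "J00"})
    except AccessDenied:
        pass
    store.edit("dr_lee", "physician", "chart-001", {"dx": "J00", "note": "follow-up"})
    return store


if __name__ == "__main__":
    demo = run_demo()
    for e in demo.audit_log():
        print(e["when"], e["who"], e["how"], e["record"], e["outcome"], e["details"])
    print("audit log intact:", demo.verify_log())
```

The in-memory chain only makes tampering detectable; in a real deployment the entries would be shipped to write-once storage that the application's own credentials cannot modify, which is the kind of control an auditor will ask an MSP to show.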
Business Associates should also sign a Business Associate Agreement (BAA) stating that they agree to continually comply with HIPAA guidelines in all dealings with Covered Entities – and make sure they're sticking to the contract.
While MSPs have been around for years, the services they provide and how they provide them differ – depending on the vendor you choose.
More Essentials to Look for in an MSP to Know Your Business will Meet HIPAA IT Compliance
Your chosen MSP should be hiring and training its staff to meet all legal requirements, especially when it comes to HIPAA IT compliance. It’s a good start to choose an MSP that makes sure their staff is thoroughly vetted, including things like drug testing and background checks.
They should be able to manage and report on the performance of various applications. These reports can include network, computing, and database performance, along with proactive measures. Before you sign with an MSP, it’s critical you ask for an SLA as we mentioned earlier in the article. One big thing you’ll look for in the outline is guaranteed response times.
Since so many healthcare providers run 24/7, selecting an MSP with high uptimes is necessary. Since this is the healthcare space, your vendor should also be transparent about their security measures. They should offer critical services such as encryption – including both at rest and in transit – identity-based security, the physical security of servers, and more. Be sure that the MSP knows how to handle natural disasters or major data or power outages, too.
MSPs in the healthcare industry should be very familiar with compliance audits. They must be keeping documentation on hand that outlines what their checks will entail, making sure they’re consistent and that you can know what’s going on.
Now that you know some of the most crucial things to look for in an MSP, read on to learn more about what should be happening when you bring them on to ensure competent HIPAA IT compliance.
Steps Your MSP Should Take When You Begin Working with Them to Ensure HIPAA IT Compliance
Utilizing an expert MSP for sophisticated IT solutions can help you optimize your core processes and take advantage of innovations. Like many industries, the healthcare field is continually evolving, so you’ll always want to get your hands on the best and latest technologies for your practice.
Every day, more healthcare providers are turning to MSPs to lower costs, increase productivity, and keep risk to a minimum. To know it’s a good match, here are five rules your MSP should be following when providing technology services to businesses like yours. Keeping these in mind, you’ll be able to tell whether your provider is acting both in your best interest and according to compliance standards.
1. Your MSP Will be Sharing the Risks
As we learned, under HIPAA IT compliance MSPs are recognized as Business Associates of their healthcare clients, and those healthcare clients are known as Covered Entities. As such, MSPs are responsible for complying with HIPAA and, as Business Associates, are also responsible for their healthcare clients’ data security.
2. Make Risk Assessment a Priority
It’s essential that when working with a new client, an MSP completes a risk assessment based on HIPAA IT compliance regulations and best practices. This assessment should reveal any issues to address before implementing new IT solutions.
To get a better idea, the Office of the National Coordinator for Health Information Technology (ONC) has a security risk assessment tool you can utilize. Their tool can help you determine how to conduct a thorough risk assessment. Ideally, an MSP will start with a basic security risk assessment, since it’s useful in demonstrating to the client why they’ll need outsourced help to achieve sufficient HIPAA IT compliance.
3. Everything Should Be Encrypted
Encryption is one of the most important parts of HIPAA IT compliance. From various stages of PHI, itself, to transmissions between machines and confidential communications between healthcare professionals, there is a lot of data to consider. If it’s not all sufficiently encrypted, you can run into significant problems. And these can be damagingly costly as mentioned above.
Privacy in HIPAA is described in the second stage of Medicare and Medicaid EHR Incentive Programs, the Meaningful Use Programs, as a key element of continuous improvement. As you may have guessed, the two components are encryption and data privacy.
4. This is High-Risk Material at Hand
As discussed, MSPs share the risk with healthcare professionals when it comes to protecting data. Our aim is not to cause alarm here, but to make sure you understand just how high the risk can be. In the past, failure to comply with HIPAA has bankrupted Covered Entities and their Business Associates.
Here’s an example to put things into perspective: The University of Texas MD Anderson Cancer Center was once fined more than $4 million in HIPAA IT compliance fines for failure to integrate sufficient encryption policies into their researchers’ workflows.
This is why you’ll want to be certain that your MSP holds themselves accountable with a clear strategic plan – that they share with you.
HIPAA violation penalties are assessed in tiers, with the lowest being for unintentional violations, and still costing institutions staggering amounts of money. Studies found that on average, a business in the healthcare space can be penalized for a whopping 10 violations because of failure to comply with even just a basic requirement – it’s easy to slip up. Those businesses typically did not enlist help from an outside source like we are recommending you do. Make sure you’re covered.
5. Document Processes
Documenting protective measures and other steps is crucial. This way you and your MSP will know you’re remaining in compliance with HIPAA regulations.
It’s also important to provide documentation to your staff and stakeholders. In the event of a HIPAA IT compliance audit, these documents can act as “Evidence of Compliance.” Evidence of Compliance shows all steps that were taken to identify security risks and proactively mitigate the risks according to HIPAA rules.
What’s the Next Step in Ensuring HIPAA IT Compliance for Your Hospital or Practice? A Proper Audit.
We learned that a great MSP should help its healthcare clients conduct regular audits and risk assessments, among other things. You now have an understanding of the risks and penalties involved in a breach of HIPAA IT compliance. And you know that, whether intentional or unintentional, the consequences can be utterly devastating to any healthcare company.
You have enough going on at work. You’re probably running around trying to get through all your regular responsibilities in an orderly fashion without added stress. It doesn’t matter if you run a small practice or if you head an office at a large hospital, HIPAA violations and security breaches are not something you want to have to deal with – ever.
You can avoid them, but not on your own: with the help of an efficient MSP that will act as a trusted advisor and security detail, and pave the way to safe and productive days at your particular healthcare institution. Be sure to choose one that will customize their approach to your specific needs, since no two facilities are the same.
Schedule a FREE consultation or audit with LIVE Consulting to see how we do all this and more. We’ll talk about what we can do for your business and decide together whether we’re the perfect fit. Add a layer to the protection of your business and your patients, starting today – don’t wait to find out whether you can afford the penalties. You, your colleagues, stakeholders, and staff deserve the peace of mind.