HIPAA Fines Are Showing More Teeth

And MSPs have a growing business opportunity because of it.


Arguably the bellwether of modern IT compliance, HIPAA – the Health Insurance Portability and Accountability Act – was enacted in 1996 to protect patients’ sensitive health information. For healthcare delivery organizations, compliance with HIPAA has long been important to safeguarding patient data and avoiding the threat of legal and financial penalties. But what’s critical to understand right now is that enforcement of those penalties is on the rise. Instead of wildly expensive fines that would just put practices immediately out of business, HIPAA enforcement (executed via the HHS’ Office for Civil Rights) is now pricing fines to the size of violators’ companies – and demanding that they pay.

Because of the more realistic fines and the expectation that penalties will actually be paid, more small and mid-size healthcare delivery organizations are turning to MSPs to ensure HIPAA compliance. MSPs eager to gain and retain these new clients (and keep existing ones in the industry) must understand the law’s current requirements. They must also demonstrate a clear path to securing healthcare clients against both attackers and regulatory actions. The MSPs that approach their role as HIPAA compliance experts with the most clarity will best serve their clients and their own business interests.

To align clients with HIPAA compliance, an MSP must first become HIPAA compliant

Just as flight attendants tell you to secure your own oxygen mask before helping others, an MSP is in no position to assist clients with HIPAA compliance if it doesn’t first secure its own business. In fact, HIPAA requires this, as I’ll explain.

MSPs working toward HIPAA compliance should begin by getting intimately familiar with Business Associate Agreements (BAAs). HIPAA applies to “covered entities,” including healthcare providers, health plans, and healthcare clearinghouses. Because MSPs can, in most instances, access covered entities’ protected health information (PHI), MSPs must comply with HIPAA regulations as well – which means signing BAAs with clients and adhering to HIPAA’s Security Rule and Privacy Rule. Those rules set specific requirements for safeguarding PHI.

The Security Rule outlines three types of safeguards that covered entities and MSPs must implement to protect electronic PHI (ePHI):

  1. Administrative safeguards (such as risk assessments and workforce training)
  2. Physical safeguards (such as access controls and facility security)
  3. Technical safeguards (such as encryption and security software)

The Privacy Rule outlines the permissible uses and disclosures of PHI. This rule requires that covered entities and MSPs obtain written authorization from patients before disclosing their PHI, except in cases where the disclosure is for treatment, payment, or healthcare operations.

Be a HIPAA- and HICP-recommended MSP

HIPAA is supported by the 405(d) program, a collaboration between the federal government and the healthcare industry designed to promote effective cybersecurity protections and practices. While the program’s Health Industry Cybersecurity Practices (HICP) debuted in 2005, these recommended guidelines received a significant revision released in April 2023.

From an MSP perspective, the updated 405(d) HICP guidelines now instruct healthcare providers on selecting security MSP partners. You heard that right. Whereas HIPAA was initially written with a DIY approach regarding how it instructs covered entities to achieve security, modern guidance acknowledges the severe complexity and difficulty of meeting wide-ranging threats without assistance (especially for SMB healthcare providers). In particular, the updated HICP prescribes specific mitigating best practices for covered entities and their MSPs to implement – from employee security training to connected device security, data protection and loss prevention via encryption, and identity and access management.

As an MSP geared to deliver on clients’ HIPAA compliance needs, you’ll want to tailor your tooling, programs, and strategies to match the profile of the capable security partner HICP instructs covered entities to seek out. For example, cloud-based BeachheadSecure from Beachhead Solutions can enforce encryption and remote data access control on our clients’ entire device fleets and automatically revoke data access to any device that meets pre-set risk criteria or signs of compromise. HIPAA-focused MSPs should similarly offer employee security training programs managed as a service to instruct, test, and certify employees on HIPAA and security compliance, as well as best practices such as properly handling PHI and avoiding security threats like phishing emails.

Effective protection for endpoints, networks, email, and other IT assets is also crucial. An MSP that presents a comprehensive and well-designed HIPAA security program to customers will win business by demonstrating a complete compliance package and offering complete peace of mind (and can cite the 405(d) HICP guidelines in their sales pitches).

Conduct regular risk assessments and prepare an incident response plan

MSPs providing HIPAA security must be prepared for anything. Regular risk assessments that reveal a client’s specific dangers are essential to HIPAA compliance. To complete this process, carefully identify potential threats and vulnerabilities, and assess their likelihood and impact. Then introduce mitigation measures to address those risks and document each part of the process. Each repeated assessment should further reduce the recognized risks and harden the systems they affect.

Another essential HIPAA requirement for MSPs to pay close attention to is having a thorough incident response plan. This plan aims to minimize the impact of any security incident by outlining specific steps for a rapid and effective investigation and response. HIPAA also requires timely reporting of any data breach incident to the covered entity and other affected individuals, which the plan should also prepare for. Effective incident response planning is essential to mitigating threats and preventing future incidents.

Make HIPAA security and compliance your practice’s differentiator

Most SMB-sized healthcare providers are hard-pressed to achieve fully HIPAA-compliant security on their own, and that’s a much bigger concern now with a change in the Office for Civil Rights’ penalty strategy. MSPs have a critical role to play in supporting those organizations. By expertly understanding HIPAA’s requirements and delivering comprehensive HIPAA-aligned security capabilities, an MSP practice can ensure the safety of sensitive healthcare data, protect clients from costly and damaging regulatory fines, and earn more business.