According to the 2013 Final Omnibus Rule, an MSP or Value Added Reseller (VAR) that has access to, creates, stores or maintains (hosts) electronic protected health information (ePHI) is regarded as a business associate (BA) under HIPAA.
Business associates are responsible for ensuring the security and integrity of ePHI at all times and are directly liable under HIPAA for a breach of that ePHI.
Just like covered entities, business associates are responsible for implementing the same administrative, physical and technical safeguards to ensure the security and privacy of ePHI. All covered entities are also required to execute written business associate agreements (BAAs) with their BAs.
Here’s what all MSPs need to do to stay compliant with the HIPAA security rule:
- Understand your responsibility and liability as a Business Associate under HIPAA regulations.
- Develop and implement reasonable and appropriate administrative, physical and technical safeguards to ensure the security and integrity of ePHI under your care. This involves implementing appropriate technology, policies and procedures.
- Train employees regularly on ePHI security and HIPAA compliance. Institute a strict sanction policy for non-compliance.
- When working with subcontractors or independent consultants, ensure that they too comply with the Security Rule; a subcontractor that handles ePHI on your behalf is itself a business associate and needs a written BAA with you. Do your due diligence when hiring staff.
- Limit ePHI access among your staff to the minimum necessary: only personnel who need ePHI as part of their job responsibilities should be given access to it.
- Execute a business associate agreement with each of your healthcare clients.
I cannot overemphasize the importance of compliance training. Employees can unknowingly become the weakest link in the security chain. Security comes at the cost of convenience, and employees will find easy ways to do things without realizing the security risks of their actions. Storing ePHI on unencrypted laptops or USB drives, storing unencrypted ePHI on file sharing services, and sending ePHI over insecure email or messaging services are common mistakes. Regular security compliance training is the only way to make employees aware of data breach scenarios and threats to ePHI security. It takes only one data breach to put your company in deep financial and legal trouble, ruin your reputation and adversely affect your business.