Cam Roberson (pictured) is director of the reseller channel at Beachhead Solutions, a provider of cloud-managed mobile device security tools based in San Jose, Calif.
Anyone responsible for understanding the nuances of the Health Insurance Portability and Accountability Act (HIPAA) knows that following the law often means grappling with a lot of complexity.
But sometimes, an aspect of the 20-year-old law governing, in part, the protection of health-related information will prove to be so layered in its practical implications that it almost functions as a brainteaser.
Here’s an example: Businesses that come to their managed service providers for their HIPAA compliance needs often fully rely on their expertise since those businesses possess little knowledge of the law themselves. Because HIPAA features strict enforcement penalties with no leniency for ignoring its myriad details, this reliance is inescapable.
However, HIPAA also explicitly requires any HIPAA-covered entity to ensure that its business associates – which includes MSPs – are also HIPAA-compliant. Those that have access to patient health data, even if they didn't actually access it, fall into that group. It’s almost inconceivable today that an MSP would not be considered a business associate to its HIPAA client. Effectively, this makes businesses responsible for overseeing the HIPAA practices of the HIPAA experts they hire. So, you can probably see why businesses would find this a challenge: These businesses don’t know HIPAA well enough to adequately assess if an MSP is doing everything right.
To make this less murky, MSPs should proactively guarantee that they will fulfill this requirement of the law, delineating their own HIPAA-compliant policies and procedures to their clients in a business associate agreement (BAA).
HIPAA already requires much of the framework of these business relationships. The regulations say that any “business associate” – meaning any person or business with access to personal health information (PHI) that falls under the care of a HIPAA-covered entity – must operate under the agreement. It must also legally bind the business associate to the covered entity’s data security requirements. These agreements apply to any third-party business providing medical claims processing, billing and collection, data analysis, quality assurance, practice management, accounting, consulting or legal services to the covered organization.
The BAA’s general purpose is to establish the legal boundaries for each party’s allowed usage of PHI, and the measures they must have in place to keep it safe. That security seeks to prevent and discourage data breaches, and, according to HIPAA, these BAAs must obligate a business associate to report any such breach or unauthorized use of that information. This must also legally bind any subcontractor of the business associate. And while we’re at it, HIPAA requires that upon the termination of the BAA, all PHI held by the business associate must be returned or destroyed.
But the unfortunate truth is that many IT solution providers in this situation don’t enter into BAAs with their HIPAA-covered clients, and they’re taking big – and unnecessary – risks. Also, many don’t often turn the mirror toward themselves to make certain that their own internal activities are as HIPAA-compliant as those of the clients they serve.