Why HIPAA audits raise the stakes for MSPs as well as providers
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently launched Phase 2 of its HIPAA audit program, applying new scrutiny to a much broader array of HIPAA-covered entities and their business associates, which include any managed services provider or solution provider working with those healthcare organizations.
As data breaches exposing the protected health information (PHI) that HIPAA is intended to protect have continued to occur, the OCR is looking to these wider-reaching audits as a new means of more effective enforcement.
Under Phase 2, OCR is corresponding via email with HIPAA-covered entities and business associates, making mandatory requests for information to determine the clients and organizations that each entity is working with; failure to respond to these requests only invites more scrutiny. Using this information, OCR will conduct desk audits online, comprehensively investigating data security practices at a cross-section of entities to study their compliance (or lack thereof) with the HIPAA privacy and security rules.
Historically, smaller healthcare facilities and providers had been far less likely to receive attention from HIPAA enforcement (although it did happen on occasion, such as when respected non-profit Hospice of North Idaho had to reach a $50,000 HIPAA breach settlement after the theft of a single unencrypted laptop).
But now, with OCR’s new regimen, this across-the-board auditing will more commonly affect HIPAA-covered entities all down the food chain. This means that entities of all different sizes—many of which, to be honest, ignored the possibility of audits before—would be wise to get their data security houses in order before those impending audits arrive.
MSPs that deliver data security solutions for HIPAA-covered entities large and small are no less vulnerable to OCR’s audits and enforcement actions. This is because HIPAA requirements include an oxymoronic wrinkle: any business associate (such as an MSP) of a HIPAA-covered entity must itself be HIPAA compliant, and the entity is required to ensure that this is the case. In reality, because the entities often don’t fully understand HIPAA and are hiring MSPs for their expertise, an MSP following best practices will take care of this requirement on the client’s behalf as well, by implementing robust data security internally.
What Phase 2 does change for MSPs is that it raises the stakes. Because any particular healthcare organization is now as likely as every other to undergo an audit that will apply scrutiny to its business associates as well, MSPs now face greater risk through de facto guilt by association. It means that a solution provider must be able to trust that the entity it serves will uphold proper data security practices, follow advice, and not implicate the provider in a breach.
Enforcement actions based on this scenario have precedent and are potentially devastating. Take, for example, the $650,000 HIPAA settlement reached by the Catholic Health Care Services of the Archdiocese of Philadelphia, which was acting as a technology services provider for six nursing home facilities when one of its mobile devices was stolen, breaching the PHI of 412 individuals.
Implementing HIPAA-compliant data security practices in an organization should begin with encrypting any device that may hold PHI, but it depends greatly on employee training as well. At medical facilities where many individuals are able to access data in order to work most effectively, it’s essential that those employees understand basic data safety best practices—keeping login credentials secure, never leaving logged-in sessions unattended, and so forth.
Management at an organization must make such employee training a priority in addition to making sure the right solutions are in place. MSPs can observe the attitudes of these leaders when gauging the risk in acting as their business associate.
For HIPAA-covered entities of all sizes, staying on the good side of OCR auditors means embracing the importance of proper data security at all levels, from organizational practices to selecting business associates to the behaviors of individual employees. At the same time, MSPs must take HIPAA compliance even more seriously now, and should select clients that will do the same.
Now that the stakes have changed, customers that are unwilling or unable to adhere to HIPAA data security rules threaten not just their own businesses, but yours, too.