The Risk & Opportunity Presented by HIPAA for MSPs

Community Content

By Bob Vogel, B2 Marketing

You’re going to hear me talk a lot about this topic over the next couple of months because it is BIG, BIG, BIG.

If you don’t have any clients in the healthcare vertical – or don’t have any clients who, themselves, work with healthcare organizations – you can go back to sleep.

I’m talking about 700,000 hospitals, Emergency Medical Clinics, Dental Offices, Nursing Homes, Psychiatric Care Facilities, Diagnostic Labs, Corrections Facilities and Pharmaceutical Companies. These are the so-called “Covered Entities” that must comply with the Health Insurance Portability and Accountability Act (HIPAA).

I’m also talking about another 2+ million companies known in the law as “Business Associates” that are ALSO covered by HIPAA – that would be the lawyers, accountants, billing services and, yes, IT Service Providers!

Here’s a useful link that’s buried on the federal Health and Human Services web site that talks about this requirement, and also includes a sample contract that Business Associates (you) should have with Covered Entities. You might need a HIPAA expert or lawyer to interpret some of the provisions, but they’ll tell you that you need to do your own HIPAA Risk Analysis… and document it.

I’ve talked to a fair number of MSPs and IT Service providers who have some clients that are Covered Entities and other clients that are covered Business Associates. Most of the MSPs with Healthcare clients knew those clients were covered by the HIPAA privacy and security law, but only a few knew that their business associates were, and hardly any of them knew that they themselves are required BY LAW to do their own documented HIPAA Risk Analysis on their own business. And the truth is, very few MSPs are doing adequate HIPAA Assessments today for their clients.

If this is you, there’s a very real risk that you or your clients could get hit with a business-busting fine by the government. But this also presents a mega opportunity for you: First get your own house in order, and then go out to every Covered Entity in your town – and everyone who does business with them – educate them about the law, and then offer them a comprehensive HIPAA Assessment.

Don’t know anything about how to perform a HIPAA Assessment – for yourself or an existing client or prospect? Well, you’re in luck!

As I write this, the folks at RapidFireTools are about to take the wraps off their latest module for Network Detective – a new HIPAA Compliance tool. It’s much more involved than any of their previous IT Assessment Modules. In addition to collecting a bunch of network data required for a valid HIPAA Risk Analysis, it also provides you with a set of worksheets and questionnaires that you complete through onsite observations and interviews with the client. The tool then takes all the data you collect through automation and observation and seamlessly combines it into a complete set of all the official documents required to be in compliance with the law -- it simply can’t be done any easier or faster.

For more information, visit