When it comes to HIPAA compliance, the creation of the classification of Business Associate (BA) appears to be part of a move by the governing body to take a much more proactive stance on disclosure than with the classification of Covered Entity (CE), with its positioning of “If I don’t know about it, I don’t have to address it.” Things in the security space are changing fast, hence the reactive versus proactive dilemma.
Reactive HIPAA compliance can become very costly if you decide to address things after you have been breached. This is like adding a security system to your house after a break-in and your items have already been stolen. Unfortunately, being reactive usually involves a security audit, and at this point, it is too late and you can expect fines. Plus, if the breach is large enough, public shaming on the Internet is likely to follow.
In terms of what constitutes a “large enough” breach, the magic number seems to be 500 electronic protected health information (ePHI) records. If the number of ePHI records exceeds this, it seems to be handled differently than if it is less than 500. Either way, you will need to fill out this form online with the U.S. Department of Health and Human Services, Office for Civil Rights.
Here is a sample of the breach form from the U.S. Department of Health and Human Services (HHS) OCR website.
Why someone would think this is a viable option is beyond me, but then again, I just checked and www.juno.com is still a legitimate website. Go figure!
On the other hand, as a managed service provider (MSP), being proactive allows you to perform a proper Information Security Risk Assessment and check your customer’s Information Technology Contingency Plan. Also, audits of the customer’s Privacy, Security, and Breach Notification can be performed as well. If your customer does not have one, be sure to implement one at this point.
During this process, you will need to evaluate policies, standards, guidelines, and instructions to confirm they are appropriate and relevant. Typically, this is not only for HIPAA, but may cover multiple standards and compliance regimes. If you want to be proactive but do not know where to begin, check out the following link to the HHS Security Risk Assessment Tool. This is a joint collaboration between the Office of the National Coordinator for Health Information Technology (ONC) and the Health and Human Services Office for Civil Rights (HHS OCR) to provide direction to the paranoid and directionless.
Ultimately, there are two roads you can go down, but in the long run, you should take the one that does not involve the threat of fines or of HHS OCR coming to your office to perform an audit. At some point, you will be reactive, proactive, or out of business.
For more information on what you need to do and how to do it, check out these links:
Jeff Hardee is a US Service Desk Sales Engineer at SolarWinds MSP.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.