HIPAA Rules and MSPs – An overview

Ben Taylor

Do you run an MSP business that does any work with clients in the US medical field? Do you know much about HIPAA (the Health Insurance Portability and Accountability Act)? If not, it’s time to learn – or risk some anxiety-inducing financial penalties.

Bear in mind first that working with clients in the medical field doesn't have to mean that you have a major healthcare customer. If any of your clients work with medical records, you need to be aware of this legislation. Do you happen to have a client who is, for example, a private psychologist? Do you or your team ever remote into his / her PC? If so, this article is as relevant to you as it is to an MSP business owner who specialises in working with healthcare clients.

What's this all about?

Essentially, it’s all down to a clarification of HIPAA law on patient confidentiality that was formally announced in January 2013. All medical institutions, professionals and business associates are expected to comply by 23rd September 2013 – yes, that's today – and penalties for non-compliance can be as high as $1.5 million!

But where does your MSP business come in? Well, it’s all about the term “business associate,” which the legislation decrees can include anyone who could potentially access an individual’s medical records.

“Potentially access” sounds rather broad, but it’s actually quite simple. If you provide remote support to anyone whose PC contains or has access to this information, you could potentially access it. The same applies if, for example, you provide an online backup service for such a customer.

What do you need to do?

The logical question to ask next, therefore, is what your MSP business needs to do to comply – and the answer could be bad news if you run a business based on informal contracts and minimal paperwork.

Essentially, if you work with any healthcare-related customers, you must follow the same compliance actions as those customers have to themselves.

A summary of the rules is available in a 23-page PDF accessible here:


Like many government documents, it contains plenty of legal jargon and a section on possible penalties that’s sure to persuade you to get working now on creating all of the required policies and procedures. You must sign a formal contract, known as a “business associate agreement” with every customer remotely related to the healthcare field.

Are you HIPAA ready?

However you feel about legislative compliance, and the bureaucratic paperwork it entails, it’s important to remember that the HIPAA rules are all about protecting patient confidentiality with an overall policy of “minimal disclosure.” These rules are there to protect you as much as everybody else (at least if you live in the US!). So, if the rules affect your MSP and you’ve not yet started your journey towards full compliance, now is the time to do so.

To help make the process of getting HIPAA ready as painless as possible, GFI MAX has produced a 'HIPAA Readiness' pack, which includes a comprehensive white paper by HIPAA expert Fabian Oliva to provide background information on what HIPAA means for your MSP business, as well as a configuration and hardening guide to show you how to configure GFI MAX software so that you are compliant.

Are you HIPAA ready? Do you have any advice to share? Let us know with a comment below!