The healthcare market represents a huge opportunity for MSPs, and analysts predict this trend will continue to expand for years to come. According to the latest research from Research and Markets¹, the North American HIT (healthcare information technology) market is estimated to reach $104.3 billion by 2020, growing at a compound annual growth rate (CAGR) of 13.5 percent. Several factors are contributing to this uptick in HIT spending, and it can be overwhelming for MSPs that are new to the market to know where to focus their efforts. This blog explores two new proposed HIPAA additions and why they matter to MSPs.
Ever since September 23rd, 2013, Managed Service Providers (MSPs) have taken a special interest in the HIPAA Privacy Rule and the HIPAA Security Rule, because these rules now apply to an MSP’s business if it has clients (Covered Entities) that hold ePHI (electronic protected health information). Previously, these rules applied only to Covered Entities and not to Business Associates.
In case you’ve forgotten all the nuances of HIPAA and wonder what constitutes a Business Associate, here is a refresher for you. According to hhs.gov, examples of a Business Associate include:
If you fall under one of these examples, you are considered a Business Associate, which means that you must follow HIPAA guidelines just like the Covered Entity. Specifically, the guidelines define a Covered Entity as one of the following:
Now that we’ve clarified those two terms, it sounds like the HITECH Act may be adding more monetary compensation for victims whose information is involved in a breach. Deven McGraw, Deputy Director, Health Information Privacy, HHS Office for Civil Rights, gave a talk at the Healthcare Information and Management Systems Society (HIMSS) 2017 conference in Orlando back in February. During her presentation, she mentioned that by the end of 2017 at least two more provisions will be made for the HITECH Act.
The first one may not sound like a big deal, but it’s the first time that I’m aware of that compensation is being offered to someone who did not sue for it. Is this a bad idea? Tough to say. What we do know is that the smaller Covered Entities will end up either complying with HIPAA or being forced to sell to the larger Covered Entities for fear of an expensive HIPAA violation.
Will this rule change the healthcare industry single-handedly? I doubt it. Are the HIPAA laws that have been passed over the past 20 years improving the way ePHI is handled? Without a doubt. Only time will tell what effect this change will have with regard to HIPAA, Covered Entities, and Business Associates, but it is something that MSPs operating in this area should keep a close eye on, especially when it comes to security breaches.
Jeff Hardee is US ServiceDesk Sales Engineer at SolarWinds MSP.
1 North American Healthcare IT Market: Forecast to 2020, www.researchandmarkets.com