MSPs and HIPAA: Is your Documentation in Order?
If your MSP business works with clients in the US healthcare sector, the chances are you’re fully subject to HIPAA (The Health Insurance Portability and Accountability Act) as a “business associate.”
If this means nothing to you, it’s crucial that you do some immediate research as to your status under HIPAA. The legislation was updated earlier this year, and one of the most significant changes was an amendment to the definition of “business associate.” Essentially, if your business is in any way involved in the storage and transmission of patient medical records, you are probably subject to the requirements of HIPAA.
There are now very few companies that fall into the “conduit exception” category, so the chances are that if your MSP goes anywhere near this kind of data, even if you simply remote into the computers of clients who deal with medical information, you are subject to the HIPAA rules – and there are plenty of them.
In this article, we concentrate on documentation. If your business is subject to HIPAA as a business associate, there are several written policies you should have in place as of now. Here is a list of the key documents you should be ready to produce on request:
1. An Anti-malware policy
If you work with the healthcare sector, it’s not enough to have effective malware protection in place for your business. You must also have a written policy detailing the measures in place, and your procedures for dealing with security breaches.
2. A Business Continuity Plan
All HIPAA business associates must have a fully documented plan in place for business continuity / disaster recovery.
3. Access Control
You must have documented access control procedures, which includes details of how you deal with members of staff who leave your business (i.e. in terms of disabling accounts and changing passwords).
If you are subject to HIPAA, a lax attitude to password policies simply isn’t an option. You must also have a workstation policy that covers issues such as preventing staff from writing passwords down or disclosing them to other people.
4. Asset Disposal
If you are subject to HIPAA, you must have a clearly documented means of cleansing data from redundant equipment and disposing of it securely. This applies to media as well as hardware.
5. Security Training
It’s essential that all of your staff are trained on the HIPAA regulations and on their own personal roles and responsibilities. You must keep a record of this training to prove it has taken place.
6. Business Associate Agreements
You should have formal contracts in place with all of your healthcare clients that are worded to take your HIPAA obligations into account.
The above is by no means an exhaustive list. Complying with HIPAA is complex and initially time-consuming, and an issue on which it is often wise to take professional advice. Don’t consider taking a laid-back attitude to this legislation – an unexpected audit could be just around the corner.
Looking for More HIPAA Information?
Be sure to listen to our FREE November webinar!