Do your healthcare clients need to prepare for a HIPAA audit? As an MSP, you’re responsible for ensuring your clients’ IT environments are ready for an audit at a moment’s notice. HIPAA requirements cover a broad range of behaviors and standards, some outside the purview of IT. In this blog, we’ll talk specifically about HIPAA compliance.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act), also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job, and to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery and improving access to long-term care services and health insurance.
The HIPAA Privacy Rule addresses the use and disclosure of individuals’ health information, called “Protected Health Information (PHI)”. The organizations subject to the Privacy Rule are called “covered entities”. The Privacy Rule’s HIPAA requirements spell out, for covered entities, individuals’ privacy rights to understand and control how their health information is used. HHS and the Office for Civil Rights (OCR) are responsible for implementing and enforcing the HIPAA Privacy Rule with respect to compliance activities and civil money penalties. The goal of the Privacy Rule is to assure that an individual’s health information is properly protected while still allowing the flow of health information needed to provide and promote quality health care. In other words, the HIPAA Privacy Rule permits important uses of information while protecting the privacy of people who seek healthcare.
How HIPAA Affects MSPs and Their Clients
First and foremost, virtually any MSP working with a client for HIPAA purposes must create a HIPAA Business Associate Agreement (BAA). By filling out a BAA, an MSP takes responsibility for the security of any of their client’s ePHI that they may come into contact with.
With a BAA established, an MSP can then get to work. Secure authentication through IAM is key to achieving many of the requirements laid out by HIPAA. An MSP must create IT infrastructure that ensures anyone who can access ePHI is authorized to do so. This level of privilege-based access control relies on a strong identity provider that’s capable of propagating client identities to virtually any resource that may come into contact with ePHI. That includes systems, file servers, email services, and other applications.
Healthcare is the top target industry for bad actors, and compromised passwords are the top source of identity breaches. Stringent password policies, such as length, complexity, and rotation requirements, play a pivotal role in preventing security threats, and consequently play a major role in achieving HIPAA compliance.
A great place to start is by creating a blacklist of commonly breached passwords (e.g. ‘123456’ or ‘password’) and forbidding client users from choosing them in the first place. Other key practices include training client users never to share their credentials for any reason, which helps defend against phishing and other social engineering attacks.
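The two controls just described, a breached-password blacklist and a length/complexity policy, can be enforced at the point where a user sets a password. The following is an added example written for this post, not code from the original or from any product it mentions. The denylist is a constructed sample of a few well-known breached passwords, and the minimum length of 12 is an assumption chosen for the example; a real deployment would load a curated list of breached passwords from a file and pick the minimum its policy requires.

```python
"""Password-policy check: breached-password denylist plus length and
complexity rules.  Added example; not from the original post."""
import re
import unicodedata
from typing import Iterable, List, Set

# Constructed sample denylist.  In practice this would be loaded from a
# curated file of commonly breached passwords (see load_denylist below).
BREACHED_PASSWORDS: Set[str] = {
    "123456", "password", "qwerty", "letmein", "welcome1", "admin123",
}

MIN_LENGTH = 12        # assumption: minimum length chosen for this example
MIN_CLASSES = 3        # assumption: require 3 of lower/upper/digit/symbol


def load_denylist(lines: Iterable[str]) -> Set[str]:
    """Build a denylist from an iterable of lines (e.g. an open file),
    ignoring blank lines and '#' comments and lower-casing every entry."""
    return {
        line.strip().lower()
        for line in lines
        if line.strip() and not line.lstrip().startswith("#")
    }


def normalize(password: str) -> str:
    """Canonical form for denylist comparison: Unicode NFKC, lowercase,
    with common trailing digit/symbol suffixes stripped, so 'Password1!'
    still matches the denylist entry 'password'."""
    p = unicodedata.normalize("NFKC", password).lower()
    return re.sub(r"[\d!@#$%^&*._-]+$", "", p)


def check_password(password: str, username: str = "",
                   denylist: Set[str] = BREACHED_PASSWORDS) -> List[str]:
    """Return the list of policy violations; an empty list means the
    password is acceptable under this (example) policy."""
    violations: List[str] = []

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: character-class complexity.
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < MIN_CLASSES:
        violations.append(
            f"fewer than {MIN_CLASSES} of: lowercase, uppercase, digit, symbol")

    # Rule 3: breached-password denylist, checked both literally and in
    # normalized form so trivial suffixes do not evade the list.
    if password.lower() in denylist or normalize(password) in denylist:
        violations.append("matches commonly breached password list")

    # Rule 4: the password must not embed the account name.
    if username and username.lower() in password.lower():
        violations.append("contains the username")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("123456", ""), ("Password1!", ""),
                     ("Correct-Horse-Battery-42", ""),
                     ("DrSmithClinic2024!", "drsmith")]:
        result = check_password(pw, user)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The normalization step matters more than it looks: users who are told “password” is forbidden will very often try “Password1!”, and a denylist compared only on the literal string lets that through. Checking the normalized form catches the whole family of such variants with a single list entry.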
Finding a Solution to Help Managed Service Providers (MSPs) Prepare Their Clients for HIPAA
When it comes to HIPAA compliance, there are clearly a lot of procedures MSPs need to enforce to help prepare their clients. Unfortunately, without the proper tooling, many of these steps are difficult, if not impossible, to roll out.