Blog Post
August 13, 2024 | From the experts
HIPAA & what it means for MSPs
By Matt Lewis
With contributions from Katie Yahnke.
For MSPs that support healthcare organizations, HIPAA compliance can be slightly intimidating.
First, HIPAA is no doubt complex: it was introduced nearly 30 years ago and has undergone several transformations in the decades since. Plus, an MSP that creates, receives, maintains, or transmits PHI on behalf of a healthcare client is a business associate under HIPAA, meaning the law applies just as much to the MSP as it does to the covered entities it serves.
In this blog, we’ll recap the history of HIPAA, how it has evolved, and who it applies to. We’ll also walk through some requirements and safeguards, the challenges HIPAA can pose to implementers, and how to overcome those challenges by partnering with the right cybersecurity vendor.
But let’s start at the beginning.
The evolution of HIPAA
In the mid-1990s, legislators wanted to improve the portability and transferability of insurance, reduce waste and fraud, and improve the security of patient health information, or PHI.
Enter: HIPAA.
What is PHI?
PHI is individually identifiable health information: health data (diagnoses, treatment records, billing details, and so on) that can be linked to a person through one of the 18 identifiers listed in the Privacy Rule's de-identification standard, such as name, address, Social Security Number, phone number, and even biometrics like a fingerprint or a full-face photo.
You might also recognize the acronym ePHI, which is just the electronic version of PHI.
The technology landscape has changed significantly since 1996, requiring the evolution of HIPAA. Back then, computers likely ran Windows 95, data transfer might have involved floppy disks or a 56K modem, and the cloud didn’t exist.
As such, HIPAA has undergone a number of changes:
- The Privacy Rule (compliance required from April 2003) and the Security Rule (published in 2003, with compliance required from 2005) introduced specific safeguards for PHI and ePHI.
- The Enforcement Rule of 2006 set out how the HHS Office for Civil Rights (OCR) investigates complaints and imposes civil money penalties for non-compliance.
- The HITECH Act of 2009 introduced breach notification, requiring covered entities or business associates to inform affected individuals and HHS and, for larger breaches, the media. It also introduced a tiered penalty structure with stiffer fines for non-compliance.
- Then in 2013, the Omnibus Final Rule gave patients greater power to request their PHI from providers. The most significant impact was on business associates, who became directly liable for complying with HIPAA and for breaches of the PHI they handle. This change required business associates, including MSPs, to enhance their compliance measures.
Who does HIPAA apply to?
The legislation identifies two major groups that must comply: covered entities and business associates.
Covered entities
A covered entity is a health care provider, health plan, or health care clearinghouse that creates, uses, or transmits PHI during its operations.
A covered entity could be anything from a single-doctor health clinic to a major hospital, as well as insurance companies or healthcare clearinghouses that store and transmit patient health information.
Business associates
Business associates are contractors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity, such as law firms, accounting firms, or managed service providers that handle IT for covered entities.
Breaking down the HIPAA safeguards
The HIPAA safeguards are divided into three major categories: administrative, physical, and technical. While physical and technical safeguards may seem most important, a significant portion of HIPAA focuses on administrative controls.
Administrative safeguards
Administrative controls are about ensuring the correct policies and procedures are in place, that they are regularly updated, and that you have business associate agreements with all your partners.
Administrative controls also include conducting regular risk reviews of IT systems and assessing the risks to PHI.
Physical safeguards
Physical controls include a clean desk policy so that PHI documents aren't left lying around. Experts also recommend cable locks on machines to prevent theft, and storing servers securely rather than in public areas like waiting rooms.
It's also important to have cameras and badge access systems so that only authorized individuals can enter sensitive areas.
Technical safeguards
Technical controls include access and integrity safeguards to ensure that only those who need ePHI or PHI for their duties have access.
Access rights should align with job responsibilities and be denied by default to those who don't need them. It's crucial to both limit access to sensitive records and ensure they can't be modified without permission.
Other technical safeguards include:
- Audit: focuses on monitoring systems to detect security incidents and verify the effectiveness of access controls.
- Authentication: ensures that no one accesses ePHI without proving their identity, which means avoiding shared user IDs and implementing multi-factor authentication.
- Transmission security: ensures that patient health records are not sent across networks in an unencrypted format.
- Backups: though technically administrative, backups have a significant technical component. The goal is to ensure patient health records are not destroyed, so even if an incident occurs, there's a copy accessible to both patients and clinicians.
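The audit and authentication safeguards above boil down to two questions a log review should answer: did anyone reach ePHI that the role model should have denied, and is any user ID being shared between people? The following Python script is an added example, not code from the original post or from Field Effect. It runs over a constructed audit log (the role names, log format, and IP addresses are assumptions made for the illustration), treats any action not explicitly granted to a role as denied, and flags an account seen from several hosts within a few minutes, which is the usual footprint of a shared login.

```python
"""Review a constructed ePHI audit log for two technical-safeguard failures:
access the role model should have denied, and a user ID that appears to be
shared (used from several hosts inside a short window).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Role -> set of permitted actions on ePHI. Anything not listed is denied
# (deny by default). Roles and actions are illustrative assumptions.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "msp_admin": set(),  # administers systems, needs no ePHI access
}

# Constructed sample log: timestamp, user, role, action, record, source IP.
SAMPLE_LOG = """\
2024-08-12T09:00:05Z jdoe clinician read MRN-10231 10.1.4.22
2024-08-12T09:00:41Z jdoe clinician write MRN-10231 10.1.4.22
2024-08-12T09:02:10Z bsmith billing read MRN-10231 10.1.7.8
2024-08-12T09:03:55Z bsmith billing write MRN-10231 10.1.7.8
2024-08-12T09:05:00Z svc_helpdesk msp_admin read MRN-10498 10.1.9.40
2024-08-12T09:06:30Z frontdesk clinician read MRN-10502 10.1.2.11
2024-08-12T09:07:02Z frontdesk clinician read MRN-10503 10.1.2.12
2024-08-12T09:08:15Z frontdesk clinician read MRN-10504 10.1.2.13
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, record, src_ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "action": action,
            "record": record, "src_ip": src_ip,
        })
    return events


def find_denied_by_default(events, permissions=ROLE_PERMISSIONS):
    """Flag every ePHI action the role model does not explicitly allow.

    An unknown role gets an empty permission set, so it is denied too.
    Each hit means the access control in front of the system let through
    something it should have blocked, which is what audit review is for.
    """
    findings = []
    for ev in events:
        allowed = permissions.get(ev["role"], set())
        if ev["action"] not in allowed:
            findings.append({
                "type": "access_not_permitted_by_role",
                "user": ev["user"], "role": ev["role"],
                "action": ev["action"], "record": ev["record"],
                "time": ev["time"].isoformat(),
            })
    return findings


def find_shared_accounts(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag a user ID seen from >= min_hosts distinct source IPs in one window.

    Legitimate users move between workstations occasionally, so a single
    IP change is not flagged; several hosts in a few minutes is the
    signature of a shared login, which defeats individual accountability.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, ev in enumerate(evs):
            start = ev["time"] - window
            hosts = {e["src_ip"] for e in evs[:i + 1] if e["time"] >= start}
            if len(hosts) >= min_hosts:
                findings.append({
                    "type": "possible_shared_account",
                    "user": user, "hosts": sorted(hosts),
                    "time": ev["time"].isoformat(),
                })
                break  # one finding per user is enough for the report
    return findings


def review(text):
    """Run both checks over a raw log and return all findings."""
    events = parse_log(text)
    return find_denied_by_default(events) + find_shared_accounts(events)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports the billing user writing to a record, the MSP helpdesk account reading ePHI it has no business need for, and the `frontdesk` account appearing from three workstations in under two minutes. The first two findings test whether the access control actually matches the job-responsibility mapping; the third is the kind of evidence that drives a move from shared logins to individual accounts with MFA.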
Why is implementing HIPAA so challenging?
Now, let's discuss some challenges with HIPAA implementation.
The first challenge is the flexibility of the requirements. Although the 2003 Privacy and Security Rules made the requirements less generic, they are written to apply to covered entities of every size and technology stack, and many Security Rule implementation specifications are "addressable" rather than "required". This leaves room for interpretation, and implementers are often left questioning whether their technical safeguards are sufficient.
The second challenge is a lack of resources, especially for small and medium-sized covered entities or business associates. Administrative controls take up considerable time while dealing with physical and technical safeguards can require significant skills and/or investment.
The third revolves around monitoring. IT systems have become more complex and extensive than ever. As such, monitoring these systems 24/7 to detect security events and ensure control effectiveness is a significant challenge for those without a round-the-clock SOC (and, frankly, those with a SOC).
The fourth challenge is potential audits and investigations. These can end in significant civil money penalties, and knowing misuse of PHI can be prosecuted criminally, with jail time possible. Most covered entities may never face an audit, but when one is conducted it is thorough and can take weeks to complete. Investigations are usually triggered by patient complaints about mishandled or breached health records, or by the breach notifications that covered entities and business associates are required to submit.
How to simplify HIPAA implementation
If HIPAA compliance is non-negotiable, you must choose your cybersecurity vendor carefully. Not only do you need the right technology and processes to achieve various HIPAA requirements, but the vendor should also boast compliance expertise and experience.
Field Effect MDR helps overcome the challenges above in a variety of ways. One of which is its holistic approach to cybersecurity.
Field Effect MDR combines an endpoint agent that runs on most devices, a network appliance that conducts deep-packet inspection of all internet traffic, and cloud monitoring for business-critical services such as Microsoft 365, Azure, and Google Workspace.
All these components, plus the always-included DNS firewall, work together seamlessly to create the comprehensive coverage that HIPAA demands.
This holistic approach is especially important in healthcare settings where many devices—think printers, security cameras, patient health monitors, and some diagnostic equipment—can’t run endpoint security software.
Network monitoring in this case is particularly valuable because it can identify suspicious activity on seemingly non-securable devices like these.
To learn more about HIPAA, plus how Field Effect MDR also helps with incident prevention, data sovereignty, log retention, and navigating audits, stream our HIPAA 101 webinar here.