Think HIPAA doesn’t apply to you? Think again.
More than 50% of MSPs do business with a health care organization, and more than 87% do business with a vendor who does business with a health care organization. That’s almost all of you! According to the HIPAA Omnibus Rule, any organization handling health information or acting as a vendor with access to patient information must comply with HIPAA, even if they don’t specifically provide health care services. This includes you. As an MSP doing business with any of these entities, you’re also responsible for complying with HIPAA.
Therefore, understanding HIPAA isn’t just important; it’s an absolute requirement for MSPs. Luckily, this presents a massive opportunity for you to become a trusted advisor to your clients on HIPAA requirements while also increasing your profitability and growing your customer base.
We’re all in this together. As a physician, HIPAA helps me protect my patients, my practice, my reputation, and my wallet. For MSPs, it’s an opportunity to safeguard your customers, your business, and your reputation and to increase your revenue.
Here are the facts:
A HIPAA Business Associate Agreement (BAA) is required for any business associate to ensure adherence to HIPAA guidelines. This means every accounting firm, insurance company, data transmission provider, data storage company, billing and transcription service, etc. That’s in addition to any lab, pharmacy, dental practice, medical practice, physical therapy facility, and home health or nursing home facility. And as an MSP doing business with any of these entities, the same compliance guidelines apply to you.
You may be wondering how a busy surgeon such as myself knows so much about compliance. Well, I got in trouble for being noncompliant. I was in my office seeing patients one day when the ER doctor needed me for a trauma patient. The patient was scared and in pain. The ER doctor had a crowded ER, and I had 20 patients in my waiting room. There was no way I could leave, so I had the ER doctor text me an image of the patient’s CT scan, and we did a FaceTime exam (on our phones). We had a plan in 30 seconds, and everyone was happy. Two days later, the hospital’s compliance officer called to ask what I thought I was doing. She said I’d exposed everyone to a huge HIPAA violation and a $1.5 million fine. That’s when my compliance education really began because getting in trouble compelled me to create HIPAAChat, a software application for doctors to communicate in a quick, easy way, just as we do with friends and family, but in a compliant manner. My company was later acquired by a global critical communications company called Everbridge, and I was hired as their chief medical officer. Besides being a full-time practicing physician, I also help implement Everbridge’s critical communications software in over 1,000 hospitals and health systems. However, secure messaging is just one small part of HIPAA compliance.
So, why are compliance and cybersecurity in health care such epidemics lately? Our patients are partly to blame. Patients of all ages and backgrounds have become tech-savvy consumers. They want portals, apps, and access to their medical records online. This has skyrocketed the need for compliance, privacy, and security. It’s what prompted Amazon to release HIPAA-compliant Alexa skill sets and what resulted in Facebook’s $5 billion fine from the FTC. Breaches are everywhere lately, from BCBS Anthem’s $16 million fine and $115 million settlement to the Labcorp/Quest breach of 20 million patient records. But fines and breaches don’t just affect the big guys: 91% of all health care organizations reported a data breach in the past two years. Every one of these breaches affects the business associates and vendors with whom they work. It’s not a matter of “if” we’ll be breached; it’s a matter of “when.” In fact, 49% of breaches stem from a third-party vendor, as was the case with Labcorp/Quest’s collection agency. That’s where you come in: Compliance is an absolute requirement for MSPs, but it’s also a massive opportunity.
HIPAA guidelines such as network security, backup and recovery, data encryption, secure passwords, multifactor authentication, physical security, and annual risk assessments were designed to protect us and prevent a breach of our sensitive patient information. But why do hackers even care about our medical information in the first place? As it turns out, a medical record is worth ten times the price of a credit card on the black market. It contains comprehensive personal information that can be resold many times over on the dark web. What is it used for? Obtaining medical care, filling prescriptions, faking insurance claims, filing tax returns, and of course, creating new identities. That’s why we should all care about HIPAA.
A data breach is expensive for everyone involved. The average cost to an organization is roughly $8 million, plus lost productivity and customer trust. Damage to a reputation? Priceless. In fact, 72% of businesses shut down within 24 months following a breach. Brookside ENT & Hearing Center is one of those sad statistics: A ransomware attack encrypted all their practice data. The hackers demanded $6,500 for a decryption key, but the doctors refused to pay. As a result, all patient records, schedules, and payments were deleted. No backup, no recovery; the doctors retired rather than trying to rebuild.
Ransomware attacks are trending, and 71% target small- to medium-sized practices since those businesses are less likely to protect themselves. We’re low-hanging fruit for hackers, and we need your help. So here’s a story with a happy ending: When NEO Urology Associates got hacked in June of this year, their IT firm (yes, they had an IT firm) rescued their data within 48 hours, and their cybersecurity insurance (yes, they had cybersecurity insurance) paid the claim. The real cost of this protection? Priceless.
Sure, you may hear clueless excuses from your clients: “We can’t afford a service like this; my office is too small to get hacked; my EMR is compliant, so I must be too.” This article should now help you respond with surgical precision. You can’t afford not to have a service like this. Your office is a tasty snack for hackers, and there’s far more to compliance than just your EMR.
In the U.S., there are 230,000 physician practices, 100,000 dental offices, 63,000 physical therapy centers, 34,000 stand-alone pharmacies, 15,600 nursing homes, and 12,000 home health agencies. Now, multiply those numbers by 10 to include all their business associates and vendors. These are your customers; all of them need compliance, and all of them need you.
The prognosis is clear: Compliance presents an incredible opportunity — the opportunity for MSPs to protect their customers, their reputations, and their livelihoods. Best of all, we (your health care clientele) will gladly pay for your help.