Governance, Risk and Compliance

HIPAA March 1 Deadline: Business Associates, MSPs Beware

Another HIPAA deadline is fast approaching. Indeed, organizations have until March 1, 2017, to disclose any small HIPAA breaches from 2016 to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). A small breach involves fewer than 500 individuals.

Covered entities should report each small breach independently here.

What's at stake for business associates -- including VARs and MSPs - -that work with HIPAA-covered entities? Actually, it's mostly good news.

On the upside, most business associates (i.e., VARs and MSPs supporting health care organizations) will not be affected by this deadline because their reporting obligation is to the covered entity and not to OCR, according to Davis Wright Tremaine (DWT), a legal firm that serves health care and other vertical markets.

But just be careful: Those service providers could be affected if "the covered entity has delegated its breach reporting obligations to the business associate," DWT adds.

OCR has stepped up HIPAA audits over the past year or so, and issued special guidance for cloud services in October 2016.  Multiple organizations assist channel partners with HIPAA education and know-how. Key names to know include Compliancy Group and Semel Consulting, among others.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.