HIPAA Compliance Checklist for MSPs (2016 Updates)

HIPAA (Health Insurance Portability and Accountability Act) compliance is designed to protect patient privacy and set standards for how medical records can be shared and how they must be safeguarded. HIPAA compliance isn’t just for those directly within the healthcare industry, however -- in fact, nearly anyone dealing with electronic Protected Health Information (ePHI) including doctors, hospital technicians and yes, the healthcare Managed IT Services Providers (MSPs) who manage hospital computers and networks in the cloud are required to be HIPAA compliant.

What does that mean for YOU?

For MSPs, HIPAA compliance is a very serious matter, and should be treated with the gravity it deserves. In fact, if your MSP is chosen to be audited by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) and you are found to be noncompliant, you may be served penalties ranging from up to $50,000 per violation, and up to $1.5 million per year across all HIPAA violation categories. That type of penalty can severely hurt your MSP’s bottom line, so ensure that you’re always HIPAA compliant. And the best way to stay compliant is with our ultimate HIPAA Compliance Checklist.

Three Core Components of the HIPAA Security Rule

Recent rule changes to HIPAA compliance means that all Business Associates (BAs) are now subject to the requirements of the security rule, including risk analysis, implementation of security procedures, training and having a breach response plan in place. At its core, the HIPAA compliance security rule can be broken down into three distinct components:

1. Physical safeguards - This means actually and physically protecting your facility and servers - locking doors, using access badges to get into secure areas, and with surveillance cameras monitoring. Most compliance experts suggest that one of the best physical safeguards you can have is simply controlling access of the ePHI, based on job functions.

2. Technical safeguards - These safeguards govern the electronic access to the ePHI within the cloud networks that your MSP is managing. Some key components of this to include in your HIPAA compliance checklist include:

  • Access control - each user requires a unique ID and password
  • Multi-factor identification - all electronic logins require multiple pieces of data to sign in, such as an auto-generated PIN number
  • Encryption on everything - encryption scrambles your ePHI so that those records can only be accessed by people who hold the encryption key. This should include all data in motion, using a TLS-secured connection to access records in the cloud, and should ideally be end-to-end encryption.
  • A comprehensive backup and disaster recovery plan - Much of HIPAA compliance is centered around security and prevention, but there is a component that includes what to do when disaster strikes. Your BDR plan should consist of disaster declarations, a detailed disaster list, data backup and alternate site guides, and a ePHI recovery plan.

Learn more about the right backup and disaster recovery solutions for your MSP!

3. Administrative safeguards - This sounds like a lot of paperwork (cue the groans from your MSP technical staff) but this type of training, process-implementation and documentation is actually some of the most important aspects of getting HIPAA compliance right. Some recommended administrative safeguards to include in your HIPAA compliance checklist include:

  • Signing Business Associate Agreements (BAAs) with all your partners. The term Business Associates (BAs) has expanded in recent years to include anyone who transports, stores or processes ePHI, any subcontractors or subcontractors under a subcontractor, no matter how far downstream from the original entity, and all third-party data and document storage companies.
  • Listing out each business associate and set out rules for what data they have access to and what to do in case of accidental disclosure.
  • Making sure all your MSP employees understand data security, create strong passwords, and avoid inadvertently downloading malicious software or sending sensitive data in unsecured emails.
  • Creating a process for auditing data and controlling how that data is preserved, changed or destroyed
  • Creating systems to prevent leaks
  • Reviewing all changes at least once a year

Other Considerations for Your HIPAA Compliance Checklist

The three aforementioned safeguards - physical, technical and administrative - are a great start to ensuring that your MSP is fully HIPAA compliant, but there are always additional measures to take to really feel like you are no longer at risk of uncovering a breach during an audit.

Compliance experts suggest conducting a risk analysis in accordance with the National Institute of Standards and Technology (NIST) guidelines. The NIST produces Standard Reference Materials (SRM) that you can refer to when conducting your risk assessment.

MSPs should also maintain as many credentials as possible. While there is no official HIPAA compliance certification or seal of approval, the presence of other certifications (SSAE-16, SOX, PCI DSS) within your MSP or hosting provider will indicate that you have a high level of security and compliance expertise, and reassure your healthcare partners that you will never be in breach.

Service-level agreements (SLAs) are also an important part of staying HIPAA compliant between you and your partner. One great way to improve your SLAs is to have more precise terms, especially in offering guaranteed response times for routing changes, security threats and non-critical additions.

Finally, along with security rules, HIPAA compliance also entails several privacy rule obligations. This includes having an accounting of disclosures available, all PHI to be kept in a designated record set and the cooperation with all compliance investigations performed by the OCR.

HIPAA compliance is no laughing matter, and using this HIPAA compliance checklist to ensure your MSP and its partners remain fully compliant at all times is a great way toward staying out of the hot spotlight of OCR audits, avoid paying hefty fines and maintaining your reputation as an expert in security and compliance.

Check out Continuum's HIPAA Resource Page for more helpful tips.


Gareth Goh is content campaigns manager for Continuum. Read more Continuum blogs here.