How far do you go with Hipaa compliance?

teche

I'm just starting out on my own and have spoken with a few potential HIPAA compliant customers (neurologist, medical supply company, dentist) and the more I research HIPAA the more it scares the **** out of me! I mean, if I can get everything straight, there's money to be made. I'm just at the point of paralysis by analysis!

As I read it, we are held to the same standards as the CE. Do you just sign a BAA and go with it? Or do you go (a lot) further? Ongoing training, security assessments, etc. My initial thinking was pretty simple. Sign a BAA and make sure the customer data is safe. Then I started reading some of the items I was agreeing to in the BAA (template from HHS). Are there different levels of requirements? Typical break/fix = BAA. Fully managed services and network security = full blown training, certification even?

I'm currently using GFI for monitoring and they will sign a BAA. Same with Office 365. Does that cover me? Do I need a separate BAA for repairs and network support?

Sorry for so many questions. My head is just spinning and I have no one else to bounce ideas off of! Any feedback is greatly appreciated.
 
I'd also like to know more info about HIPAA, since any client storing Patient Health Information must be compliant, including non-medical service providers storing PHI, i.e. a lawyer's office storing medical info about their client must be compliant.

I'm sure it's easier to keep some systems compliant than other more sophisticated systems. I'll be supporting relatively simple networks/storage (generally 10 users or less), so what's a good checklist one can use to make sure clients are 'compliant', or that I at LEAST don't inadvertently disable compliant measures currently in place?
 
I'm just starting out on my own and have spoken with a few potential HIPAA compliant customers (neurologist, medical supply company, dentist) and the more I research HIPAA the more it scares the **** out of me! I mean, if I can get everything straight, there's money to made. I'm just at the point of paralysis by analysis!

Quit overthinking it. You are reading way too much into it all. It's lawyer speak, not tech speak. So if you try to read it like a lawyer, you'll get scared 'cause you aren't a lawyer.

As I read it, we are held to the same standards as the CE. Do you just sign a BAA and go with it? Or do you go (a lot) further? Ongoing training, security assessments, etc. My initial thinking was pretty simple. Sign a BAA and make sure the customer data is safe. Then I started reading some of the items I was agreeing to in the BAA (template from HHS). Are there different levels of requirements? Typical break/fix = BAA. Fully managed services and network security = full blown training, certification even?

I treat my company/employees like a CE. You should too. Chances are you are going to have RDP access, or whatever (saved passwords, etc.), so you, your network, etc, will all have access. We make them provide the BAA/CE documentation for us. We provide the service agreement.

When we do a break-fix, or non-SLA, they must agree to our ToS. No way around it. In ours is a confidentiality agreement. Make sure you have your own company policies as well. I have a ton, 'cause I've had clients in these areas ask for them before we even scheduled anything. It's one of those things where they see what standard we hold ourselves to. As for full blown training, we have CompTIA HIT certifications, and we've attended a few of those "HIPAA" training things. The HIT means more, because it covers what we do, and what we need to do for taking care of the customer. If you don't have it, I strongly recommend it, though it's not required.

Occasionally a client will request a background check, we have them all on record (done annually), but if they want one more current, we tell them to pay for it.

I'm currently using GFI for monitoring and they will sign a BAA. Same with Office 365. Does that cover me? Do I need a separate BAA for repairs and network support?

Ugh....with GFI, I don't think you need to sign a BAA or make them sign. I don't know. We haven't made GFI sign a BAA. As for Office 365, stop. NO! Bad! They get Office, not Office 365. Trust me on this one. Talk about a headache unless you control where it gets saved to, like a local location. That's my personal opinion.

Do you need a separate BAA for repairs and network support??? DUDE, don't complicate this. 1 document. 1. No more. You throw down a document to have them sign for one thing, and another for another thing...and another...and another...way too much reading. I'm pretty sure your lawyer and theirs will both slap you up the head.

Sorry for so many questions. My head is just spinning and I have no one else to bounce ideas off of! Any feedback is greatly appreciated.

It's all good. Take a few deep breaths. Scour this forum, there is a ton of HIPAA content all over the place. I've even posted up some good stuff on the subject.
 
I'm sure it's easier to keep some systems compliant than other more sophisticated systems. I'll be supporting relatively simple networks/storage (generally 10 users or less), so what's a good checklist one can use to make sure clients are 'compliant', or that I at LEAST don't inadvertently disable compliant measures currently in place?

I have a HIPAA checklist somewhere on this forum. Search for it. It is current for the September 2013 Omnibus additions.
 
I have a situation going on myself. Medical office computer containing records and they won't pick it up and pay diag fee. Per my TOS, I part out machines or dispose of them after 30 days of non-payment. I don't know if I'll be better holding onto it and hoping they'll eventually come pay or destroying the HDD.
 
@teche - Like cmonova and Frederick mentioned, I also highly recommend looking at www.HIPAAforMSPs.com. It goes live next Monday. There will be information about HIPAA specifically relevant to people like you (MSPs) from an expert panel of member advisors. You will waste hundreds of hours digging through online content only to end up more confused and frustrated... sounds like you're already there. There is also a ton of misinformation and outdated information floating around. It can be very difficult to figure out.

Truth is, HIPAA is very serious but it also does not have to be complicated. However, there is a lot more to it than most IT guys know. It can be very profitable if you set yourself apart from the competition and know your stuff.

Healthcare providers are REQUIRED to use HIPAA compliant Business Associates... this includes IT providers (if the IT provider is a Business Associate). This has been pretty lax and overlooked by healthcare providers until recently. Now is the time to get into this niche while the opportunities are ripe. Healthcare providers are more and more taking HIPAA seriously and so should MSPs. Ignoring it could prove financially suicidal.

As Frederick mentioned, there are policies and procedures and continual training and educational components to it as well. HIPAA compliance is not a one-time event, it is an ongoing process. The OCR calls it a "culture of compliance". To make things even more complicated, there are constant arguments, clarifications and interpretations of the regulations. Some of it is certainly gray but most of it, especially what MSPs have to deal with (Title II), is pretty clear.

For IT providers (MSPs), we have to not only learn how to get our own compliance nailed down... but we need to intimately know and understand what our clients' (covered entities') responsibilities, needs and risks are so that we can provide specialized service and support to them. "I didn't know" is not going to save you from the severe consequences that could result.

To your original question... how far do you go with HIPAA compliance? You go all the way!!! And stay there. The alternative is to stay away from clients bound by HIPAA.

On a side note... learning these regulations will also spill over into other niches with compliance requirements, such as financial (FINRA) and others. Setting yourself up as a compliance expert in your market will pay huge dividends.

Invest in yourself and your future!

@HawkinsPC - Geez! there are so many problems with this situation. If you PM me I'll tell you how you can get the customer to come pay you by the end of the day :cool:. I would recommend documenting anything and everything you do regarding that PC. I wouldn't destroy it. I'd lock it away somewhere safe. There is so much liability in having that thing in your shop with protected health information on it. If it gets lost or stolen you may have a hell of a mess to deal with.
 
Thanks for this. I needed it. Better than Xanax. Haha. Interesting that you have them supply the BAA. Just assumed this was something I was required to draft up. Also the local Office installs make sense. Do you recommend on-site Exchange servers as well? The pull for me with O365 is definitely the hosted Exchange.

Also, HIT certification has been added to my never ending list of certifications...:rolleyes: Thanks I think...

@teche - Like cmonova and Frederick mentioned, I also highly recommend looking at www.HIPAAforMSPs.com. It goes live next Monday. There will be information about HIPAA specifically relevant to people like you (MSPs) from an expert panel of member advisors. You will waste 100s of hours digging through online content only to end up more confused and frustrated... sounds like you're already there. There is also a ton of misinformation and outdated information floating around. It can be very difficult to figure out.

Yes, I am definitely "there"! Lost WAY too many hours trying to figure this stuff out. Website looks like a great resource. Can't wait to check it out. Thanks!
 
I have a lawyer, great guy, but he is a commercial/business lawyer. He represents businesses, and knows businesses, etc. But in his office is a HIPAA/Healthcare specific (non-malpractice) expert lawyer lady, very sweet, very to the point about this stuff. While she could produce the agreement for us, her guidance was no, have them do it. It is like making them make sure they know what the rules of the game are. We know what the rules are, but do they??? You'd be surprised how many clinics, dentists and so on I've visited that don't know what HIPAA is even for other than protecting patient information. By making their lawyer draft it up, you are in a sense making sure they know what's what.

Local MS Office installs over O365 any day. Here is my thing about it, 'cause I've seen non-regulated businesses do it. Users go home, they want to get some work done real quick, they open up their computer, and get to those O365 files because the owner let them have a key for their personal computer. Now those ePHI files are on a non-audited system. In my eyeballs, this is a data breach. With a local Office install, I can control the access, I can control who accesses that file server with that information. If they want to store it elsewhere, I offer them the Datto NAS now that that is out. That way, it's still under lock and key and I control it. Remember, your butt is on the line as much as theirs is.

Do you need an onsite Exchange server? No. Not even an onsite file server. I have a server over at one of the co-locations here, and I set up a VPN from their site (location) to a provision that is all theirs. No one else has access to that provision other than us (on an administrative level) and them. Some offices I've been to already have a virtual server for storage with people like RackSpace and whatnot, and there is a VPN that goes right into it. As long as you can set the email up with a CA, you should be good. GoDaddy has some good rates, and I've been reselling it like mad. I've had a client get audited and there was no issue with GoDaddy being used for the Exchange so long as they were using it correctly and with a CA.

Email and wireless, from what I've experienced, really go hand in hand. You can use them, but it'll always look bad if you do. You can pass the audit, and not have to fix a thing, but they still look at you like you're a special kind of special because it's still email and it's still wireless.

Staying on top of HIPAA is a full time job sometimes. The big thing to remember is treat yourself like a CE, because that'll help keep you in check and looks better on ya. Getting into business with anyone under HIPAA is both stressful and rewarding. But you can really break into the market with that needed knowledge and skill. For me, HIT is the start for any tech, not the end or the middle. The information you will get from it will be invaluable.
 
Frederick is right... again... HIPAA is :(, :confused:, :eek:, :D and very profitable. No training, HIT or any other training, is the end of the road. There is no end of the road when it comes to HIPAA compliance. This is one reason the resource www.HIPAAforMSPs.com was created. It's a great place to start your journey or continue it.
 
Here's my position. I'm not going to do HIT, at least for a long time. But I very well may end up providing IT support for business associates of health care providers, so I will occasionally have access to ePHI.

I may have access by remote support, or simply by sitting in front of the computer that I'm troubleshooting onsite, or that I have taken back to my office.

Surely I won't have to get security "audits" of my office done, just to provide this level of service, will I? What are some minimum safeguards that I should have in place to protect the ePHI? Would the following checklist serve as a basic reference for this purpose?

http://www.gfimax.com/downloads/GFIMAX-Backup-HIPPA-compliance.pdf

The above list is intended as a guideline for providing HIPAA compliance support as a managed service. I won't be providing HIPAA compliance support as a managed service, but SOME of the ideas in the guideline can still be used for break/fix type work, I think.
 
Yes... you will have to do a full HIPAA compliance rollout even if you just want to do what you've listed. Even if you just want to offer remote break/fix only... you still have to be fully HIPAA compliant. You have to be all in or all out on this stuff.

Actually, HIPAA Covered Entities are in violation if they do business with you and you're considered a Business Associate by definition. So from the services you're talking about providing... health care providers cannot use you and still be in compliance themselves.

HIPAA is not a checklist of action items. It's a documented, procedural and attestable business culture.

A secure network does not make one HIPAA compliant but HIPAA compliance can't be accomplished with a secure network. It goes much deeper than IT. As an IT provider it is your responsibility to know, understand, attain and remain HIPAA compliant, if you want to support HIPAA Covered Entities.

HIPAA compliance is also not a one-time accomplishment. It's not like some class you take, get a certificate, then you're good for 3 years. HIPAA is a compliance "lifestyle" that must permeate every level of your business. Further, it must be constantly reviewed, documented and tested.

HIPAA enforcement is going to increase this year and get even more prevalent. HHS has already issued several warnings to Covered Entities and Business Associates that random and increasing audits are coming... get ready. They are about to deploy a new program that allows for rapid audits so that they can hit more CEs and BAs moving forward.

I sincerely worry about IT providers who blow this whole HIPAA thing off. HHS is going to make an example out of an IT provider before long. I, for one, do not want any part of that.

On a side note... if you're doing work for healthcare, your insurance provider will not likely cover you under your standard business insurance plan. If that matters to you, it's worth asking some questions of your insurance provider. We had to take out a separate $1M policy and that was just the basic coverage. Our regular insurance company wouldn't even touch us because we support healthcare.

@Pants... I do applaud you for asking questions, doing your research and trying to find the right answers. Good job!
 
One more thing to watch out for...

Just because an IT company is using HIPAA compliant solutions, that does not make the IT company also HIPAA compliant. There's no riding the coattails of others on this.
 
Thanks for taking the time to write this. Can't tell you how much trouble and searching around this saved.

I'm burned out on training right now so I think I'm going to put off supporting CEs' business associates. I've been prepping for business IT support for over two years now, coming from residential, and I can't take any more, right now. I'm about a month away from a planned rollout of my services. I need to change gears and get out of the development phase of my business because it's starting to get to me....Starting to hear voices and seeing things... ha ha.

I'm sure there is plenty to do without getting into HIPAA compliant stuff, although that may be a damper on the clients I can accept, right now. Down the road after breaking myself in, I'll probably get into supporting BAs, especially if I can't build a client base big enough.
 
@Pants - Oh absolutely! Many other industries need the same high level service and support of healthcare but without the HIPAA.

Financial planners, investors and such are regulated by FINRA. They need encryption and such but they aren't as highly regulated as healthcare... yet.

I have some small accounting firms that pay as much as my smaller healthcare clients. There are still plenty of opportunities for income.

If you want to differentiate yourself from your competition then look for a niche and dive into what their specific needs are. You could specialize in accountants, service industries (like HVAC, plumbers, electricians) or just churches.

That's not to say you can't take other types of clients. Even though we specialize in healthcare, we will certainly take other clients (not too keen on having all my eggs in one basket).

Another option instead of specializing on a niche... specialize in a service. Be the expert in your area for backup & recovery or virtualization or web design. Then you can even offer yourself to "competitors" as an outsourcing or referral option.

Sorry for the rambling... there's just tons of opportunities. The problem is that most IT guys want to be just like everyone else in their area. Find something that makes you different and capitalize on it.
 
How we maintain HIPAA compliance

1) Every week, the managing members sit down and discuss our networks and our clients. We cover any and all connections. Our office manager tracks every single remote support session to any client that has to follow a government regulation. Discrepancies are pounded upon until they aren't discrepancies anymore.
2) We have a HIPAA checklist that, once per month, some lucky tech gets to do. It's random, never the same person two times in a row. These are filed in our "We Hate Ourselves" book...I mean Company Policies and Information Security Book.
3) We have policies detailing our network, how it is secured, a breakdown of risks, etc.
4) We don't store client data in our locations/servers other than what we need to. This server uses full disk encryption, and the only way in is using SSL/TLS. There is also a firewall that is very sensitive, and has tiny man syndrome about everything.

There is more. But let me put it to you like this: start with a HIPAA checklist for yourself. I feel great that I can tell a client "our network is locked down, 24/7, with security guards."
 
Ok, so if I come in contact with data that is FINRA-regulated what standards of security should I use, for the services I plan on providing?

I'd like to add that I don't have a large network setup. I work out of my home with 1 Internet connection and a few computers with NO employees, but these computers are not set up to share data with each other for any office tasks. My Internet connection is via Wi-Fi to my router, which is protected by a pretty long WPA2 key.
 
You can still do everything per the regulations even with a small network.
 
My observation on the HIPAA thing. It's not like some degree such as an MBA, an end point. As has been mentioned it's a never ending process. Years ago I worked for a company that sold pipeline coatings.

To be able to sell in many non-US markets the manufacturing plant had to be ISO 9002 certified. I remember meeting with plant management as I was the product manager for the product line. Same concept as HIPAA.

It's a loop process. You start the process. After achieving what is needed you start over again so to speak. Not the same process necessarily. Imagine getting an MBA. But you cannot keep it. You have to continue the process to maintain the designation. May not be the same tasks every time. But you cannot stop the activities if you want to maintain the designation.
 