Partners: What you need to know about encryption and HIPAA
What MSPs should know about encryption and strong passwords as trusted advisors for healthcare providers
The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services, recently announced a HIPAA enforcement action: a $650,000 settlement with a health care services unit (CHCS) of the Archdiocese of Philadelphia that was acting as a business associate to a covered entity. This occurred after the theft of an employee’s CHCS-issued mobile phone that was unencrypted and not password protected, and contained extensive information for about 400 patients.
After the loss was reported, the OCR investigation uncovered:
- No encryption or password protection on the device
- No risk assessment or risk management plan addressing the potential loss of mobile devices containing PHI
There are a lot of lessons here beyond the obvious need to encrypt and password-protect patient info on mobile devices.
Risk assessments and risk planning are vital
The OCR cited the lack of risk assessment and risk management as one of the basic failings here. This is very much in line with previous HIPAA actions. Policies, training, and documented plans are as important as implementing specific technologies such as encryption.
Also, the OCR was very clear in the resolution agreement that CHCS was fully responsible, as a business associate, for following HIPAA security and privacy rules, just like a covered entity. This has important implications for MSPs supporting healthcare clients as business associates.
How MSPs can help their clients
First and foremost, make sure that if you support clients in healthcare, your business is taking the right steps to be compliant with HIPAA. What happened to CHCS could happen to you if you aren’t following the HIPAA process and your client’s PHI is exposed or lost.
Second, help your clients by supporting risk assessments as part of your professional services. Be their trusted advisor when it comes to HIPAA compliance and understanding what they need to do to adhere to regulations. Also, make sure the technology solutions you provide your clients meet the levels of security and privacy required under HIPAA.
Learn more about partnering with Intermedia for healthcare
Looking for a services vendor who takes HIPAA compliance seriously? Intermedia services provide the levels of security and privacy required to help businesses ensure compliance. And we’ll sign a BAA. Learn more about our solutions for healthcare organizations.
Not an Intermedia partner? You should be. Intermedia enables you to sell cloud services without changing how you do business. Our three partnership models are designed to adapt to different customer needs. You can choose on a customer-by-customer basis how you want to do business.
- Private Label — You retain full ownership of billing, branding, bundling and every other element of your customer relationship. We’ll provide white-labeled marketing material and expert sales assistance to help you close the deal. We bill you at wholesale rates and you bill your customer at a price you determine.
- Advisor — You leverage our brand, billing, and support, but we won’t actively market to your customers. We’ll provide behind-the-scenes sales assistance to help you close the deal and give you one-time and recurring commissions.
- Referral — We provide high levels of service to the customer in all aspects of the relationship. You pass us the lead, we close the deal and pay you a one-time commission.
Learn more about our award-winning partner program by visiting our website. Or call us at 888.299.2522 to speak with one of our experts.