Q: I just landed a new SMB customer, and they’re my first medical client. How can I make sure I’m doing all the right things to help keep my customer HIPAA compliant, at least as far as their data is concerned? I’m afraid I’ll miss something important!
Ask Intronis is a weekly advice column answering common questions from MSPs and IT service providers. It covers topics ranging from pricing and selling to marketing and communications—and everything in between. Submit your questions by emailing AskIntronis@intronis.com.
First of all, congratulations on your new business! Moving into a new vertical, especially a highly regulated one, can make some MSPs nervous. But the reality is that it’s a big opportunity for you to leverage HIPAA compliance to grow your business.
As you may know, the Health Insurance Portability and Accountability Act (HIPAA) requires health care businesses to be compliant on very specific regulations. These rules include implementing a data encryption plan, data backup plan, disaster recovery plan, physical safeguards, technical safeguards, audit controls, and more. But don’t get overwhelmed! We’re here to help give you the tools you need to educate yourself and your SMB customers on HIPAA from beginning to end.
What MSPs need to know about HIPAA compliance
As an IT services provider who now has access to the sensitive medical records of your SMB’s health care business, you are considered a “business associate,” so you’ll need to draft and sign a Business Associate Agreement with your reseller to show that your services are authorized.
Then, make sure that you fully understand HIPAA regulations and the serious consequences of noncompliance. Study up and become an expert on all things HIPAA-related so you can leverage yourself and your services business as the well-versed, go-to resource for health care SMBs.
Health care businesses are more likely to sign on with an MSP who can not only certify that their services are compliant but also be a resource for all regulatory questions. Thanks to HIPAA, the health care market is fertile ground for selling IT services, and focusing your sales efforts around your HIPAA expertise can help your business grow.
How to help your SMB customer be compliant
1. Interview their staff and assess their business.
With the new customer you recently signed on, start by assessing their business. Understand their specific needs and requirements. You can do this by interviewing their IT staff (if they have one) or a nurse or doctor in the practice. Ask them what systems are currently in place. What technical infrastructure do they rely on, if any? Are they still using hand-written forms and fax machines?
2. Implement HIPAA-compliant systems.
Encourage your customer to switch to EMR (Electronic Medical Records) and CPOE (Computerized Physician/Provider Order Entry) systems. The New England Journal of Medicine estimates that only 17 percent of physician offices have a basic EMR system, so odds are your customer still needs to switch. Explain the benefits these systems offer to the business. Discuss how they make it easier for businesses to adhere to HIPAA requirements, reduce the risk of prescribing errors, lower the cost of operations, and provide more secure protection of sensitive data.
After you’ve integrated these systems, standardize the security and compliance processes for the entire company. Document these processes to make sure all employees know what’s required by HIPAA’s rulebook.
3. Develop a contingency plan.
HIPAA requires that businesses have a data backup and disaster recovery plan in place so they’re prepared for natural disasters, data breaches, user errors, and other threats. If your customer doesn’t already have one, help them create a complete disaster recovery plan. Even if they have something in place, you should evaluate it to make sure it’s adequate.
If you follow these three steps with your new customer, you’ll be well on your way to being HIPAA compliant. If you’re looking to learn more, visit our HIPAA Compliance Resources Center.