According to the American Medical Association, your company may be fined up to $1.5 million per year for HIPAA non-compliance (the HITECH annual cap for all violations of a single provision; the cap has since been adjusted for inflation). An essential step toward HIPAA compliance is making sure that every company with access to your systems is, itself, compliant. If a managed service provider keeps your systems patched and secure, it must have enough access to do that job, and in general that level of access places your MSP in the HIPAA Business Associate category.

What is a HIPAA BA? A HIPAA Business Associate is any person or company that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity, which in practice includes any vendor who can view or interact with that data. Even a simple helpdesk call that turns into a remote control session exposes PHI to the technician if patient data is on the end-user's screen, and that exposure violates HIPAA unless a business associate agreement (BAA) is in place. Be sure your MSP can handle the additional scrutiny that HIPAA and HITECH bring.
If you use an online backup service such as Carbonite or Mozy and it has not signed a business associate agreement with you, you will need to be able to explain to an auditor why not: a vendor that stores your backups holds your PHI, even when the data is encrypted. Apply the same test to your email hosting provider. Are you using a secure email portal? Do you have a method of transferring files in a compliant manner? There are good solutions for all of these situations, and a good partner can help you identify them.
If you have any questions about navigating the pitfalls of HIPAA and HITECH IT compliance, let us know! Read about our healthcare-focused Atris Carepack here.