MSPmentor Blog

HIPAA Omnibus, Data Backups, and Your Shared Liability as a ‘Business Associate’

If you are an IT service provider with clients in the healthcare vertical, your status as a “Business Associate” is a requirement you need to understand, and quickly. Whether you describe yourself as an MSP, VAR or CSP, the upcoming sweeping changes to the HIPAA Privacy and Security Rules are important to you and your healthcare SMB clients.

On September 23, 2013, the Omnibus Rule goes into effect and will require IT solutions and services providers to sign Business Associate Agreements with their healthcare clients. These agreements acknowledge resellers’ roles in keeping their clients’ PHI (personal healthcare information) safe as well as their shared liability in the event of a breach.

Whether you’ve been selling IT solutions and services to healthcare practices for a long time or are considering healthcare as a new market, the rules of the game are about to change. Before you sign on the dotted line, here are three guidelines that will help minimize your risk:

1. Don’t go it alone: Select a partner that shares in your liability. As a reseller, you depend on all your vendor partners. But, when it comes to copying your customers’ PHI to your cloud provider’s data center, your dependence on your cloud provider also includes shared liability. Even though some cloud providers may try to convince you they fall into the same “conduit exception” category as mail carriers, a recent article from the BakerHostetler law firm titled, “HIPAA, Business Associates and the Cloud” makes it clear that cloud providers do not meet the exception requirements, and they therefore must sign HIPAA Business Associate Agreements describing how they will protect PHI before storing it in their data centers.

Before choosing a data backup and recovery vendor, or any vendor for that matter, make sure their products and services are appropriate for healthcare. If you can check that box, then be sure to review their Business Associate Agreement to find out exactly what their role is in protecting your customers’ data. The agreement should spell out several “What if?” scenarios, ranging from data breaches to the provider going out of business. Take the time to read the agreement. Ask questions. Push back if you need to and consider alternative options if it looks like the agreement places too much responsibility on your company and not enough on the IT vendor.

2. Know the concerns and lead with backup and security. Today’s technology-driven healthcare industry faces pressing data availability challenges and strict regulatory requirements on data security and integrity. Despite pressure on medical organizations to safeguard critical data, some 19 million patients, hospitals and practices have been affected by major information loss and data breaches in the last two years. Of all the business processes and challenges you could discuss with a new prospect, data backup and security are two good places to start. Here are some suggested questions to ask a prospect:

  • How are you currently backing up your data? The answers given to this first question will give you an immediate sense of how close or far the prospect is to meeting HIPAA/HITECH requirements. For example, perhaps they’re using tape media to back up their data. Even if they’re encrypting the data, there’s a good chance their backups are being performed manually, which almost always leads to backup inconsistency.
  • What is your disaster recovery plan? Some prospects may already be using on-site NAS (network attached storage) devices to back up their data. If that’s the case, ask about their disaster recovery plan. Are they automatically backing up their data to an off-site/cloud data center?
  • How is your off-site data protected? For healthcare customers, there are two critical components to keep in mind with regard to off-site data protection: data encryption and data center security. The data should be encrypted at a high level such as 256-bit AES, which is used by the government to protect top secret documents. The data center should be SSAE (Statement on Standards for Attestation Engagements) 16 compliant.

3. Remember — recovery time is the key. No matter what type of backup system a prospect uses, the big question comes down to this: If the business server crashed or something or someone took your company offline, how long would it take to get up and running? This is where the conversation gets real.

In some cases, you may need to walk the prospect or customer through a few steps to get them to understand that restoring data is rarely a push of a button (unless of course you’re using our QuickSpin product). But for most, there’s time, resources, and investments to be made to get the business back online. Some will be surprised to learn that even though their data may be safely stored on a tape or in the cloud, it could take several days for them to recover from a server failure after adding up all the time necessary to order a new appliance, convert the data, load drivers, an operating system, and other files onto the new appliance.

The topic of recoverability isn’t just useful for helping clients understand the business cost of downtime. It’s also useful in helping them understand the negative effects on customer service and compliance.

Forays into Health IT aren’t for everyone. The need for specialized industry insight and knowledge of specific regulations and purpose-built technologies offers a great divide. But, the broad market opportunity and demonstrated need for partner help makes healthcare IT a promising opportunity. VARs and MSPs with solid backup and data recovery solutions that fit the bill for healthcare organizations are well positioned to take advantage of this lucrative market and build a firm foundation for a healthcare IT practice that will grow and thrive.

Interested in learning more about healthcare IT? See the Intronis e-book, “Backup & Recovery in Health Care IT” for the in-depth information you need on everything from analysis of the healthcare market to suggestions on how to sell IT in the healthcare vertical.

Neal Bradbury is the Co-founder and VP of Channel Development at Intronis, a cloud-based backup and disaster recovery provider that works closely with VARs and MSPs.

Comments (1)

Scott Whitsitt (not verified)
on Aug 29, 2013

Good overview, but the ending regarding SSAE16 could be misleading to some readers. The SSAE16 (or SOC1) report is designed to provide financial auditors assurance about financial reporting related control procedures. Another alternative, and one that might be better, would be the SOC2 report as it covers a potentially broader set of criteria (Security, Availability, Processing, Privacy, and Confidentiality). The SOC2 reports all have the same criteria, whereas the controls in a SOC1 report are custom to each report. So, asking about an SSAE 16 report without understanding what it covers could pose a risk if you don't fully understand what was covered.
