Failing to comply with HIPAA is getting more and more expensive. Becker's Hospital Review published a list of the most expensive HIPAA fines of 2016, which includes the following:
- University of Mississippi Medical Center, $2.75 million, after the theft of a laptop resulted in a data breach involving as many as 10,000 patients
- Feinstein Institute for Medical Research, $3.9 million, following the theft of an unencrypted laptop containing 13,000 patient records
- Advocate Health Care, $5.55 million, after two stolen laptops and a network infiltration resulted in the exposure of 4 million patients' personal data
Using cloud services offers many benefits to health systems, hospitals, and clinics. Managed services can be especially helpful for hospitals whose IT teams are understaffed or have skills gaps. HIPAA, however, as enforced by the HHS Office for Civil Rights (OCR), holds not only health care organizations (covered entities) but also their business associates directly accountable for protecting protected health information (PHI). Note that there is no official HIPAA certification: "HIPAA compliant" is a claim a vendor makes about itself, not a status HHS grants. Before you advertise yourself as a HIPAA-compliant managed services provider, you need to verify that the services you're reselling meet the same requirements.
For IT Resellers: Is Your Fax Services Provider HIPAA Compliant?
Managed services cover a range of tasks and infrastructure that support health care operations, from managed internet fax to IaaS. The cloud services provider whose offerings you'd like to resell may advertise itself as HIPAA compliant. As a business associate of the health care organization, you are still held responsible for how well that provider actually meets HIPAA's requirements, so you need a business associate agreement (BAA) with the provider as well as with your own customers.
Before you become a reseller, ask your potential managed services partner the following questions:
- When was your last independent HIPAA compliance assessment? What were the findings, and what progress have you made toward fixing them?
- Do you encrypt data at rest and in transit (and, where supported, in use)? How do you manage your encryption keys, and who in your organization can access them?
- What is your identity and access management process for employees who may have access to protected health information, including onboarding, offboarding and periodic access reviews?
- How do you enforce the physical security of the servers in your data center?
- How quickly does your SLA require you to notify resellers of a breach so they can notify their own customers? (HIPAA requires a business associate to notify the covered entity without unreasonable delay and no later than 60 days after discovery; your contract can and should set a tighter deadline.)
- Can you report in real time on the status of your application, compute and network systems, and can you produce audit logs showing who accessed PHI and when?
- What are your responsibilities under our SLA for data protection, and what do you consider the reseller's responsibility?
If you read your SLA closely, you may discover that your partner, like most, agrees to protect only its own equipment and applications from data breaches, and holds you responsible for protecting your own data and applications. This is the usual shared responsibility model: the line between the provider's duties and yours needs to be written down explicitly, not assumed.
Even Conscientious Organizations Can't Prevent Human Error
Data doesn't always stay in cloud storage once it's saved there. It's often downloaded by staff and medical personnel onto unencrypted devices, such as their own smartphones or tablets. It's also downloaded, used and then stored, without authorization, in consumer storage services like Google Drive or Dropbox. Even if a managed fax provider takes care to protect patient data that enters its servers, and even if it encrypts patient data in transit to its destination, the provider can't keep a nurse from faxing patient information to the wrong recipient.
You can offset potential human error by anticipating the workarounds staff will otherwise invent. For instance, when doctors need to access patient information remotely, a nexogy IP phone system lets them make and receive work-related calls on their personal devices. It also makes it easy to pull up patient records remotely on laptop or tablet screens, all while using a HIPAA-compliant managed service instead of a Dropbox or Google Drive workaround. As a reseller, you add value when you anticipate workarounds that could lead to HIPAA penalties and offer service bundles that prevent those problems.
Ultimately, you are responsible for the protection of patient data. If your current managed services partner isn't forthcoming about the steps it takes to protect protected health information, it's time to find a new partner. Find out how to become a white label reseller with nexogy.