You don’t know what you don’t know. That’s one of the scariest elements of business. You know your business and do a great job at it, but how do you prep for what you don’t know? And, even scarier, can you prove in court that you do a great job and are prepped for the unknown?
Mike Semel, president of Semel Consulting, addressed one of those big unknowns for managed services and managed print providers in presenting on “New HIPAA Changes and How They Affect Your MPS Business” during the CompTIA Managed Print Services Community Meeting at ChannelCon.
How will the new HIPAA changes affect your MPS business? Most healthcare providers have to comply with the HIPAA security rule, implemented in 2005 and updated by “the HITECH Act of 2009.” But as of this year, companies that support these healthcare providers and others that come in contact with protected health information are business associates and must now comply with HIPAA. For the IT channel, this includes cloud providers, shredding companies, printers, data centers, copy vendors, IT servicing companies, etc. As a business associate, you must implement full compliance programs, conduct a HIPAA risk analysis, train your workforce, and perform and document HIPAA-compliant tasks.
Compliance can be achieved, but how do you build the chain of evidence to show that you were compliant and did the right things? Semel told attendees, “Your worst day will not be a data breach, but the day that you can’t provide documentation that you really did do the right things to comply with HIPAA.”
For example, the Alaskan state health department was fined $1.7 million for losing a backup drive. The fine wasn’t just for the loss, but because the department couldn’t show that it had a policy in place to handle data to prevent a breach. Similarly a Massachusetts hospital was fined $1.5 million for losing a laptop and not having a data breach policy and procedures in place. Now HIPAA can fine not just the healthcare provider, but the IT services provider too. Are you prepared?