The Health Insurance Portability and Accountability Act (HIPAA) is a federal law familiar to almost everyone in the U.S. workforce. This rule is aimed at protecting sensitive health information from being disclosed without the patient’s consent.
According to the U.S. Department of Health and Human Services (HHS), HIPAA sets standards for how and with whom protected health information (PHI) can be shared.
When it comes to HIPAA compliance, managed service providers (MSPs) must understand both the compliance capabilities of the services they provide and the compliance obligations of the clients receiving those services.
HIPAA IT compliance: What MSPs should know
HIPAA is a privacy rule that applies to many healthcare providers and health plans, such as hospitals, clinics, physicians, and other healthcare practitioners. It also applies to business associates: persons or entities outside a covered entity’s workforce that use individually identifiable health information to perform functions for the covered entity, including claims processing, data analysis, utilization review, and billing.
When an MSP provides a service to a HIPAA covered entity and that service involves the creation, receipt, storage, or transmission of PHI, the MSP acts as a business associate and HIPAA applies to it. As business associates, MSPs must comply with the applicable standards and implementation specifications of the Security Rule and the Breach Notification Rule.
Why should MSPs become HIPAA compliant?
First and foremost, MSPs should become HIPAA compliant so that they can provide the strongest possible support for their clients. Being compliant themselves is critical to delivering solutions and services that keep clients compliant.
One of the ways MSPs assist healthcare organizations with HIPAA compliance is email encryption: email is a primary communication tool in the healthcare industry, and sensitive patient information shared through it must be adequately protected.
MSPs also assist healthcare organizations in implementing and maintaining strict HIPAA security measures, including:
- Access controls: A critical part of HIPAA compliance. MSPs can help ensure that only authorized users have access to PHI, including when the data is in transit.
- Encryption of data at rest and in transit: MSPs use encryption protocols and key management to protect PHI both when it is stored and when it is transmitted.
- Intrusion detection systems: Healthcare organizations are frequent targets of cyber intrusions, and MSPs can help implement additional protections to prevent data theft and build resiliency into data storage and transit systems.
Another aspect of HIPAA compliance is that MSPs can conduct risk assessments to identify vulnerabilities and areas of noncompliance. By continuously monitoring and maintaining security measures, MSPs help organizations stay ahead of potential threats and remain HIPAA compliant.
Additionally, healthcare organizations that use cloud solutions to store and manage patient data introduce further security requirements that MSPs must consider for HIPAA compliance. Cloud-based platforms can be accessed from anywhere with an internet connection, whereas on-prem access is limited to the physical location of the servers unless remote access is implemented. This gives cloud platforms a larger attack surface for threat actors and makes cloud security paramount for maintaining HIPAA compliance.
While the cloud offers convenience and cost savings, it can come at the cost of patient privacy if proper security measures are not taken. HIPAA requires that entities have access to their data, so cloud providers are required to allow healthcare clients to extract their data at the end of service. It is critical that data is encrypted in the cloud and data access.
HIPAA compliance challenges for MSPs
Becoming HIPAA compliant does not happen with a snap of the fingers and can present numerous challenges. Common HIPAA compliance challenges for MSPs include:
- Integrating MSP services with clients’ legacy systems
- Resolving expertise gaps between providers and users
- Establishing levels of client control
- Securing clients’ networks, systems, and devices to ensure MSP security stacks work effectively
Beyond the common challenges, there are also more complex HIPAA compliance challenges that MSPs must be aware of, including:
- Ensuring the MSP complies with applicable standards of the Security Rule
- Making sure the services provided by the MSP are configured to support HIPAA compliance
- Ensuring MSP support services have the HIPAA expertise required to answer clients’ questions
AI concerns for HIPAA compliance
There are significant concerns about AI usage in relation to HIPAA compliance, starting with data security: AI requires substantial amounts of data, which in this case includes sensitive health information. Another concern is how AI tools learn and adapt over time, making it challenging to maintain ongoing compliance. As AI tools adapt and become more autonomous, it can be difficult to discern who should be held accountable for non-compliance: the AI tool, the developer, or the healthcare provider.
The emergence of AI in various industries has raised questions about how different rules and regulations apply to the technology. AI developers and vendors should consider that HIPAA only provides a federal floor of privacy and security standards.
According to the National Institutes of Health’s (NIH) National Center for Biotechnology Information, developers and vendors of large language models (LLMs), such as ChatGPT, Google Bard, and Microsoft’s Bing, can be subject to HIPAA when they process PHI on behalf of HIPAA covered entities. When they process PHI, they become business associates, or subcontractors of a business associate, under HIPAA.
The rule’s coverage of AI has limits. According to the NIH, “if the platform at issue was developed by a covered entity or business associate, the limitation of HIPAA’s scope of regulation implies that if the data subject decided to transfer the PHI to any other spaces, such as a personal health device, that data is no longer protected under HIPAA.”
It is important for AI developers and vendors to review the Government Accountability Office (GAO) report, Artificial Intelligence in Healthcare, which discusses the benefits and challenges of AI technologies for medical diagnoses and provides some pointers for future federal legislation. Developers play a critical role in ensuring the HIPAA compliance of tools in healthcare and must consider the AI application’s interaction with sensitive health data and take steps to ensure information is handled in a HIPAA-compliant manner from conception to deployment of an AI tool.
Bottom Line: HIPAA compliance is a must for many MSPs
MSPs are considered business associates of their healthcare clients if they create, receive, store, or transmit PHI, so they must comply with HIPAA rules where applicable. MSPs should take measures to protect PHI, such as email encryption and HIPAA-compliant cloud solutions.
To further help their healthcare clients remain HIPAA compliant, MSPs should use a system for tracking and reporting incidents and investigations, while training staff to recognize and report breaches.