In the fifteenth episode of Talking VoIP with Datagate, Mark Loveys is joined by Paul Redding of Compliancy Group.
This exciting session is HIPAA compliance 101 for MSPs.
About Our Guest:
Paul Redding, VP Partner Engagement & Cybersecurity
As the former CEO of an MSP, Paul has an extensive background in cybersecurity. Throughout the years, Paul has advised multiple healthcare organizations on the security measures they needed to have in place to protect their information and be in compliance with HIPAA. As the VP of Partner Engagement and Cybersecurity with Compliancy Group, Paul works with technology service provider partners, advising them on how HIPAA compliance can benefit their business. He takes his knowledge to the trade show stage, educating MSPs on the importance of compliance, and how they can simplify compliance for their clients.
About Compliancy Group
By working with Compliancy Group, we not only help you become compliant but also manage your clients’ compliance for you. Using our Coaches and audits, your clients will be required to implement advanced security to close their open gaps. This leaves you with a third party pushing the need for things like secure messaging, encryption, business continuities in the form of backup and disaster recovery, and system monitoring/auditing. Find out how you can grow your business and stand out from competitors by partnering with Compliancy Group.
About Talking VoIP With Datagate
Talking VoIP With Datagate is a podcast series for MSPs and Telecom Providers who offer VoIP services to their clients. Join us as we discuss interesting topics including new innovations, regulations, and billing in the VoIP/UCaaS space.
Episode 15 Transcription: HIPAA Compliance 101 For MSPs
What is HIPAA?
Mark Loveys 0:24
For people that are not familiar with the subject. What is HIPAA? And what does it mean to be HIPAA compliant?
Paul Redding 0:35
Well, first of all, it’s H-I-P-A-A. I can’t tell you how many times I’ve seen MSPs and other service providers put H-I-P-P-A. It is the Health Insurance Portability and Accountability Act.
So it was actually founded back in 1996. It was built around the concept of insurance payments for the healthcare industry as a whole.
What it really is, Mark, is a 700-page law written by lawyers to be audited and interpreted by other lawyers. And it’s applied to absolutely everybody that touches anything in the healthcare space.
How do you & Compliancy Group help MSPs become HIPAA compliant?
Mark Loveys 1:09
And so in terms of MSPs that have HIPAA certifications, how do you and Compliancy Group help MSPs become HIPAA compliant?
Paul Redding 1:22
It’s funny, you just said that, you stepped on a landmine there.
There is no certification for HIPAA, believe it or not.
Even what we give, if you see the seal behind me here, the HIPAA seal of compliance from us, that’s third party validation of your processes.
That’s third party validation of your good faith effort. But it’s not a government issued certification for HIPAA, there’s no such thing.
HIPAA compliance itself is a good faith effort at implementing the seven fundamental elements of a compliance program, as outlined by Health and Human Services.
In a nutshell, what that means, [is] it’s a combination of cybersecurity controls, policies and procedures, and risk management.
In terms of telecom & MSPs, what does HIPAA compliance mean for them? Why would they work with Compliancy Group for that?
Mark Loveys 2:02
And so in terms of telecom and MSPs, what does that mean for them? And why would they work with Compliancy Group for that?
Paul Redding 2:13
Well, something that a lot of service providers don’t realize, and this goes for managed service providers, it goes for telecom providers, but really any, you know, the term now “TSP”, right, like technology service providers as a whole.
If you can conceivably interact with, view, store, or transmit what is called “ePHI”, that’s electronic protected health information, if you are at all involved in the movement of this stuff, where you can see or touch it, then you’re what’s called a business associate. And believe it or not, you have the same requirements and responsibilities that the healthcare organization that built that data has.
Where that kind of reflects in the MSP/TSP kind of world is, let’s take, for example, your ticketing system.
One time, I used to own an MSP for a very long time. And a gentleman that works for me came in and goes, “What do I do with this?”.
And he shows me a screenshot where we had a doctor who had an Outlook pop up, right?
So every time Outlook froze, his pop-up crashes a couple of minutes later, so the doctor gets smart: it pops up, he’s like, “Ooh, got it”, takes a screenshot, shoots it into my help desk, and there in the preview pane is a full medical record for one of his clients.
Suddenly, my tech has seen it, and it’s stored in my version of ConnectWise at the time, right? Like it’s in my ticketing system. Conceivably, the screenshot was even captured by my RMM.
Suddenly, we’ve got you know, what we call ePHI bleed into my organization. So when we talk about it, the reason I call that out is a lot of times people think, right, right, backups, I backup your data, it goes to Datto, Datto signs the BA. We’re good, right? If you’re involved in that process, you have to do this stuff yourself. That’s why people work with us. Right?
As a billing system provider, what does HIPAA compliance mean in terms of invoicing?
Mark Loveys 3:54
I guess from Datagate’s point of view as a billing system provider, what does that mean in terms of an invoice? To be compliant with HIPAA regulations, what should it or should not do?
Paul Redding 4:12
Well, one of the things we try to do is, you know, we can build out your compliance program, we can put you into the right workflows, we can help you design your risk assessments, all this stuff.
But we do have to help you realize you cannot control your customers. It’s impossible.
I couldn’t stop that doctor from sending me that email any more than I can stop a doctor from starting a ticket with “I’ve lost, you know, Mark Loveys’ medical records”.
Well, the fact that you named him in the ticket, puts that into my system, and now conceivably, most of the MSPs out there, what do you do?
You tie your tickets to your invoicing system, the invoice then moves over to your ticket types.
So one of the things we teach you to do is – look, a ticket number in the reference is fine.
But be very careful if you’re working with medical providers that, you know, hey, look, guys, you can’t give me medical records in the form of a ticket name.
But again, to your point, can it happen? Sure. Can it bleed into your system? Sure.
That’s why folks like you work with us. Right?
Better safe than sorry. Why let somebody else’s mistake make this your problem?
Why would a HIPAA compliance software company attend MSP events?
Mark Loveys 5:20
Absolutely, absolutely. So Paul, we often see each other at tech conferences and MSP events and things. Could you explain the connection, I guess, with HIPAA and technology, and you know, what sort of opportunity you’re offering to the MSP audiences?
Paul Redding 5:41
Like I said, Mark, I was an MSP for a long time, I was actually one of the earliest resellers of Compliancy group, one of the first if not the first.
The reason, call it the marriage between Compliancy Group and the tech community as a whole happened is because in our function of providing a compliance framework for your medical group, for your organization as a whole, we require all the cybersecurity controls.
We require things like access management, endpoint protection, backup disaster recovery, secure communications.
If you think about the things I’m listing off, and you take a managed service providers, you know, tech stack that they sell, check, check, check, check.
You guys sell it, you have the solutions, you have the products out there, for these people that we’re telling them to do these things.
But we’re third party validation, it is inappropriate, from our view, philosophically, to grade your test, and then go do the work to fix it, right? You’re supposed to implement those controls, and we should evaluate them from a completely neutral perspective.
So that’s, that’s really where that relationship began is, we tell a doctor, you’ve got to have backups. We tell a doctor, you have to have these password guidelines. Multi-factor authentication has got to be turned on in your cloud services.
But they don’t know how to do that stuff.
So first, you know, Compliancy Group kind of found us as a community, and said, “Hey, we’re gonna work with you to try to align your security stack and services, with the controls that we’re telling all these medical professionals they have to have”.
Now, I’ll throw what’s actually happened over the last several years. That seal of compliance and the partnership that a lot of these MSPs and TSPs have with Compliancy Group has differentiated them in the market.
So you see it growing, and you see it more rapidly adopted, because it makes you stand out. There are 15 managed service providers here in Memphis that I can think of right now that would love to have health care business. I only know of, you know, a couple that have actually done this themselves and can say when they walk in the door, “Hey, Doc, I’m just like you, I’m in healthcare too, this thing right here means I do what you do.”
Would you get involved in helping MSPs set up firewalls?
Mark Loveys 7:47
Right? Yeah, that’s, that’s very powerful. And so from what you’re saying you would get involved in helping MSPs set up firewalls is that?
Paul Redding 7:55
Oh, no. Oh, God, no, no.
And that actually, that actually, again, kind of goes back to the neat part of this relationship.
You may not even need a firewall.
Do you need a firewall? Or do you need a SaaS-y solution?
Right? The world has changed. And so back to when you asked me in the very beginning, what is HIPAA? And I said, it’s a 700-page law written by lawyers, okay?
That law is also applied to everyone in the healthcare space from a single user chiropractor, up to like LA County, you know, 9 hospitals, 1200 clinics.
The security controls are written in this vague way into this law, to allow you to look at your own risk profile, implement what is effective and needed in your environment, and therefore check off these boxes.
So no, what we do is we provide the guidelines, the guidance, we give the controls, we help determine examples of the things that can be done. But at the end of the day, we look at our security partners as the security experts in the room. And we look to, you know, them to tell us what, you know, Dr. Smith needs in order to protect his environment.
Which one is more critical: compliance or security?
Mark Loveys 9:02
Right. So which one is more critical compliance or security?
Paul Redding 9:08
That is a funny question Mark.
You would think by asking it that this is about to get really controversial, right? Like I’m about to step on a lot of toes of a lot of mutual friends of ours, right?
Go after the ThreatLockers of the world. Oh, no. But actually, it’s funny when you ask that question.
The reality is, that’s like asking me what’s more important, my foundation or my house?
Mark, the foundation of compliance is security. You cannot achieve compliance without security, it is impossible.
And the controls that are in place must be effective for your organization, must be well thought out, and they can be different than the controls of the organization next year.
But a foundation is not the doors and the windows and the walls of my home. It’s what my home is built on.
So in order for your client, say your technology service provider out there.
Let’s stop with that question and ask what they actually were looking for when they hired you.
They wanted safety, they don’t understand compliance, they don’t understand security, they don’t understand the difference between them. And they don’t understand where they come together.
All they know is if they hire this tech nerd over here, and this compliance nerd over here, they’re supposed to be able to go to bed tonight, and nothing bad is gonna happen to them.
What they don’t realize is if all they do is hire the tech nerd then they can be wildly secure, and wildly out of compliance.
And if all they do is hire us, then they can be completely paperwork compliant, have all the soft side policies and procedures, everything they need to have, and none of the security controls in place.
You’ve got to have both. It is truly – the only way to compliance is through security.
Who does HIPAA apply to?
Mark Loveys 10:48
Right? I see. And so, so who does HIPAA apply to? Who is the target?
Paul Redding 10:54
So I’ll give you a sense of scope and size.
And this number right here that I’m about to throw out is literally pre-pandemic; it’s actually increased as certain other industries have stumbled.
As of I think the end of 2019, healthcare as a whole was 26% of the US economy.
So it is one of the single if not the single largest sector of the US economy.
Now, out of that segment, about 5 million of those organizations, rather, are considered small businesses.
Now, I mean, like that’s, that’s federal small business, which means under 500 users, right?
But there’s 5 million of them.
Now what’s interesting about this is Mark, I did not just tell you, there’s 5 million doctors, you have to understand the true answer to your question to get the scope of this.
There’s only about 800,000 small business “covered entities”. That means, when I say HIPAA, who you immediately think of: covered entities are dentists, doctors, psychiatrists, clearing houses, the actual insurance providers, okay, about 800,000.
But for every one of them, there are three or four vendors that are servicing them.
There’s 4 million of what we call “business associates”. And that’s everybody from the managed service provider, the backup company.
But go bigger and go broader, think about Managed Print, think about attorneys that handle medical records through you know, personal injury and insurance law, think about the accountant that gets that bill and gets that invoice that you’re working at and reconciles for that doctor and sees those medical records and pulls them in.
A business associate is any non-covered entity, non-medical provider that can conceivably interact with the data those covered entities hold.
So it’s a huge swath of the US economy literally, it’s like 5 million, just small businesses.
The reason I call it the SMB – MSPs, technology service providers that are going to be watching this and interacting with folks like you and me on a daily basis, live and die out of this community. And these folks, they need their help.
And it’s a great vertical to be in if you understand how to approach it.
How does an MSP get started with HIPAA compliance?
Mark Loveys 12:56
Wow, that is huge. Very relevant to the audience. And so what should an MSP do? Where do they start?
Paul Redding 13:09
Well, you know, one of my best friends out there is a gentleman named Matt Lee with Pax8.
So I’m actually going to start with something that Matt is beating this drum every single day.
It all starts with defensibility. It all begins internally with you.
One of the things that I see, Matt, every security professional I know in the environment right now sees is that the community as a whole has been a little reluctant to implement the same controls for us, as we do for the clients downstream.
This whole thing really should begin with you getting HIPAA compliant, you making sure you do. And there’s five audits you have to do as an MSP. You’d have to do, of course, your IT risk assessment. But I’ll ask everybody out there, you’re working in the medical space?
How did you do on your HITECH Subtitle B privacy audit this year? Have you done a HITECH Subtitle B privacy audit?
And if not, do you realize you’ve got until the end of this calendar year, or you have been negligent and you have failed to be in compliance with this law?
Okay, those kinds of things, those kinds of lessons need to be looked at internally, you need to do your own risk assessments, make sure you have your policies and procedures.
For the love of God, make sure your employees have HIPAA training, not just cybersecurity training, not just the videos that talk about anti-phishing, but something that talks about my privacy as the client or the patient rather, of your client.
Those things start at home.
After that, take that and use it as a springboard to work in the medical community. Be able to talk about what you’ve done for compliance. Get your head around the business case, maybe what after the first and most foremost thing, don’t work with us, work with somebody else. I don’t care what you do, but get yourself compliant internally or it’s not worth the risk of working with these medical professionals.
It really should be, you know, table stakes if you’re going to be in healthcare to be HIPAA compliant yourself.