Do your healthcare clients need to prepare for a HIPAA audit? As an MSP, you’re responsible for ensuring your clients’ IT environments are ready for an audit at a moment’s notice. HIPAA requirements cover a broad range of behaviors and standards, some outside the purview of IT. In this blog, we’ll talk specifically about HIPAA identity and access management (IAM).

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States government compliance requirement for all organizations in the healthcare industry. Specifically, HIPAA covers the use, storage, and handling of electronic personal health information (ePHI). ePHI consists of any files or other data that contain the identification information of patients, ranging from names and addresses to biometric identifiers and demographics.

Per the HIPAA Technical Safeguards §164.312, an organization must have proper IAM frameworks and procedures in place in order to achieve HIPAA compliance. There are several different methods for accessing ePHI, such as through an applications like a file storage service or or over email communications. As such, a HIPAA-compliant organization must make sure that only the right people have access to ePHI environments — and that each person is, in fact, who they say they are.

IAM falls under one of the core offerings an MSP provides to clients, so MSPs play a key role in their clients’ ability to achieve HIPAA compliance.

How HIPAA Affects MSPs and Their Clients

First and foremost, virtually any MSP working with a client for HIPAA purposes must create a HIPAA Business Associate Agreement (BAA). By filling out a BAA, an MSP takes responsibility for the security of any of their client’s ePHI that they may come into contact with.

With a BAA established, an MSP can then get to work. Secure authentication through IAM is key to achieving many of the requirements laid out by HIPAA. An MSP must create IT infrastructure that ensures anyone who can access ePHI is authorized to do so. This level of privilege-based access control relies on a strong identity provider that’s capable of propagating client identities to virtually any resource that (Read more…)