Published on February 26, 2014
10 HIPAA FAQs from MSPs and VARs
Carlo Tapia, Marketing Coordinator, eFolder, 678-888-0700 x167, firstname.lastname@example.org
Mike Semel, President, Chief Compliance Officer, Semel Consulting, 888-997-3635 x 101, email@example.com
Agenda
• Introductions
• What is HIPAA?
• What must MSPs and VARs do to comply?
• When was the HIPAA deadline?
• What is the cost of HIPAA?
• 10 HIPAA FAQs from MSPs and VARs
© 2014 eFolder, Inc. All Rights Reserved.
eFolder Expert: Mike Semel
Semel Consulting
• Founded in September 2012
• 30-year VAR/MSP
• 10 years’ experience with HIPAA, conducting assessments and remediation
• Former hospital CIO
• Specialization in the health care, financial, and education verticals
What is HIPAA?
• Health Insurance Portability and Accountability Act (1996)
• Reduces health care fraud and abuse
• Mandates industry-wide standards for health care information
• Requires the protection and confidential handling of protected health information
The Cost of HIPAA
• Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - lost flash drive: $150K
• Alaska DHSS settles HIPAA security case - lost hard drive: $1.7M
• Massachusetts provider settles HIPAA case - lost laptop: $1.5M
Source: HHS.gov/ocr/privacy/hipaa/enforcement/examples/index.html
When was the HIPAA Deadline?
What must MSPs and VARs do to comply?
Comply with HIPAA’s Administrative, Technical, and Physical Safeguards.
Question 1: What information is protected by HIPAA?
• Any combination of a patient’s name (or other identifier) with information about their medical diagnoses or treatment
• Can be written, verbal, or electronic
• On any device or in the Cloud
Question 2: Why do we have to comply with HIPAA as a Business Associate?
• Your health care clients, and businesses that support health care clients, give you access to electronic Protected Health Information (ePHI) or the systems that store it
Question 3: If a client refuses to sign a Business Associate Agreement with us, can we still do business with them?
• Yes; you do not have a risk if your client refuses to comply with HIPAA
• You have to comply with HIPAA with or without a signed contract
Question 4: Do we have a responsibility to report if our client is doing something intentionally or deliberately out of compliance?
• No; HIPAA does not require you to report your client for non-compliance
• HIPAA does require your client to ensure that you are compliant, is supposed to give you a chance to remediate compliance issues, and to cancel their contract and report you if you don’t comply
Question 5: Do we have to sign Business Associate Agreements with our vendors?
• Any vendor that stores ePHI is a Business Associate and must comply with HIPAA
• Cloud services, online backup providers, and data centers must sign Business Associate (BA) Agreements
• You or your vendor may originate the contract
Question 6: How can we verify our backup and cloud vendors are really HIPAA compliant?
• Any data you send to a non-compliant vendor is a HIPAA data breach
• Some vendors think that signing BA Agreements is enough
• Validate that the vendor is complying beyond signing agreements
• If you aren’t convinced of your vendors’ level of compliance, switch vendors!
Question 7: Do our clients really need Domain networks instead of Workgroup networks?
• Yes; HIPAA requires Individual User Identification, Audit Logs, and Information System Activity Review, all of which require a Domain instead of a Workgroup
• Audit Logs must be retained for 6 years
Question 8: If a laptop computer is encrypted and then lost, is it reportable?
• No; encrypting any device provides a ‘Safe Harbor’ and the loss is not reportable
Question 9: Are cloud vendors and backup providers exempt from HIPAA because the data is encrypted and they don’t have the encryption keys?
• No; while encryption provides ‘Safe Harbor’ in case of a data breach, it is not an exemption for an organization that maintains encrypted data
Question 10: What do we have to do to become HIPAA-compliant?
• Learn HIPAA!
• Implement HIPAA-specific policies and procedures
• Do a HIPAA Risk Analysis
• Train your workforce
• Perform and document ongoing HIPAA-compliant services
• Select HIPAA-compliant partners, like eFolder
eFolder and HIPAA
• eFolder will sign Business Associate Agreements
• eFolder has completed a proper HIPAA Risk Analysis conducted by experienced professionals
• eFolder has written HIPAA-specific policies and procedures
• eFolder has trained its workforce to comply with HIPAA
• eFolder has retained HIPAA professionals to maintain compliance over time
• eFolder will provide you with a letter attesting to our HIPAA compliance to take to your clients
eFolder and HIPAA
• eFolder Partners: contact your account manager for a Business Associate Agreement (BAA)
• All registrants will receive a HIPAA Compliance Playbook
  – Video training course to educate partners
  – Microsoft PowerPoint to train employees
  – Example HIPAA compliance checklist
  – Example Business Associate Agreement (BAA)
  – More!
HIPAA Compliance Workshop: HIPAA Rapid Compliance VARs/MSPs Virtual Workshop
• 6 hours of webinar training
• Customized policies and checklists, and a lot more
• 1-on-1 consulting
• No travel costs, lost workdays, or lawyer lectures
• Webinars will be recorded for review or sharing with other employees
HIPAA Compliance Workshop
Registration
• http://bit.ly/NCRTrC
• Workshop limited to 35 participants
Cost
• $1,299
• $999 for eFolder partners
Dates
• Monday, March 10, 8 a.m. - 10 a.m. PT
• Thursday, March 13, 8 a.m. - 10 a.m. PT
• Monday, March 17, 8 a.m. - 10 a.m. PT
Q&A
www.efolder.net
+1 800-352-0248
HIPAA Compliance Workshop: http://bit.ly/NCRTrC