As many VARs and MSPs that sell IT solutions and services to healthcare clients are aware, the upcoming enforcement of the HIPAA Privacy and Security rules (also known as the Omnibus Rule) can feel pretty daunting. One of the clarifications of the rule is that IT solutions and services providers are considered "Business Associates," and they are required to sign Business Associate Agreements with their healthcare clients. The agreements acknowledge the resellers' role in keeping their clients' PHI (personal healthcare information) safe, as well as their shared liability in the event of a breach.
In a recent post, I discussed how many VARs and MSPs don't realize that their cloud provider is also considered to be a Business Associate and should be signing Business Associate Agreements with resellers using cloud services for their healthcare clients. If you sell to healthcare clients and haven't yet signed an agreement with your provider, be sure to inquire about the agreement form. Be prepared, however, for the possibility that your cloud provider may believe it qualifies for an exception because it's merely acting as a conduit for the data, similar to the way the Post Office handles documents that may contain sensitive information. Several HIPAA-focused law firms, including BakerHostetler, have made it very clear that cloud providers do not fit in the same exception category as mail carriers. (Check out HIPAA, Business Associates and the Cloud for a specific example.)
Neal Bradbury, Co-founder and VP of Channel Development at cloud-based backup and disaster recovery provider Intronis, says that in addition to working with cloud providers that are willing to share in your liability, there are two additional steps you can take to reduce your liability risks:

1. Lead with backup and security. "Today's technology-driven healthcare industry faces pressing data availability challenges and strict regulatory requirements on data security and integrity, which makes data backup and security two good places to start," he says.

2. Focus on recovery time when selling backup. "No matter what type of backup system a prospect uses, the big question comes down to this: If the business server crashed or something or someone took your company offline, how long would it take to get up and running?" asks Bradbury. "This is where the conversation gets real."
For more insights into reducing your stress when selling IT solutions and services to healthcare companies, check out Bradbury's latest article: HIPAA Omnibus, Data Backups, and Your Shared Liability as a ‘Business Associate.’