The nebulous beast known as HIPAA compliance — with no official certification and, in some cases, fuzzy rules open to interpretation — can be intimidating, but that’s precisely what makes it such a powerful opportunity. On stage delivering his keynote for the company’s recent Connect IT conference, Kaseya CEO Fred Voccola argued that “every single MSP in North America should have a HIPAA compliance practice and should be doing hundreds of thousands if not millions of dollars in HIPAA compliance management…the market’s that big.”
The question, of course, is how to build such a practice, especially given the lack of prescriptive guidance from HIPAA’s enforcement agency, the HHS Office for Civil Rights (OCR). To build out a HIPAA practice, you have to know both the letter of the law (the Privacy, Security and Breach Notification Rules) and the enforcement actions, resolution agreements and guidance that have come out of OCR, because those show how the rules are interpreted in practice.
Keys to Offering HIPAA Compliance as a Service
There are some fundamental principles to offering HIPAA compliance as a service, one of which is to work with a technology stack that addresses critical HIPAA compliance issues. Look for software vendors that hold a SOC 2 report, which reflects that an independent auditor has examined their security controls not just in the software itself, but in the way the business is run, including how staff are trained to handle sensitive information and follow security procedures. Note that SOC 2 is not a HIPAA requirement and does not replace one: any vendor that stores, processes or transmits protected health information (PHI) on your clients’ behalf is a business associate under HIPAA and must sign a Business Associate Agreement (BAA). As an IT service provider, it is critical that your compliance offering is not undermined by security weaknesses at your technology vendors.
Another principle of compliance is that technology alone cannot solve compliance issues. An IT service provider offering HIPAA compliance as a service will need to work with clients to ensure that they are following basic best practices. While you can handle things like backup and recovery, health care staff still have passwords, and weak credential handling is one of the most common points of failure in HIPAA compliance, contributing to breaches that cost covered entities millions in settlements and fines. Not all password managers are created equal. Look for one that not only has a SOC 2 report, but also handles team-based credentials securely: role-based sharing, multi-factor authentication and an audit trail of who accessed which credential and when. If your health care clients are sharing passwords by writing them down on paper or sending them in email, they are failing the Security Rule’s access control and authentication safeguards, and that is likely to result in a fine, either for its own sake or because a password ended up on the dark web and led to a reportable breach.
Documentation is one of the best ways to showcase compliance, especially when you document your procedures for handling protected health information (PHI). The HIPAA Security Rule explicitly requires written policies and procedures, and requires that they be retained for six years from the date they were created or last in effect. If a violation occurs, the documented procedure can help to mitigate the damage because it shows that you, the IT service provider, have made a good-faith effort to manage employee behavior effectively, which matters when OCR decides whether a violation amounts to willful neglect.
If you can create procedural documentation and market it to health care clients, you have a scalable, standardized way of building out a HIPAA compliance business. If you can also give your health care clients the ability to manage their passwords securely, generating strong passwords and using them without the staff member ever seeing the plaintext, that is a potentially powerful piece of the HIPAA compliance puzzle.
A comprehensive HIPAA compliance service business goes far beyond documentation and passwords, of course. But if you have those baseline things in place, and layer backup and recovery services, threat monitoring and other key IT services on top of them, you will have a stronger and more differentiated compliance service offering.
To find out more about how IT Glue can be a critical part of your documentation and password solution, please check out our demo.