eFolder Webinar, 10 HIPAA FAQs from MSPs and VARs

10 HIPAA FAQs from MSPs and VARs

Carlo Tapia, Marketing Coordinator, eFolder, 678-888-0700 x167, [email protected]

Mike Semel, President, Chief Compliance Officer, Semel Consulting, 888-997-3635 x 101, [email protected]

Uploaded by: efolder

Posted on 07-May-2015

DESCRIPTION

Join HIPAA compliance expert Mike Semel as he answers the most pressing compliance questions from MSPs and VARs. Semel explores common misunderstandings of HIPAA compliance, especially under the new, stricter standards implemented in September 2013. Compliance expertise is a potent differentiator for partners in today's competitive landscape.

TRANSCRIPT

Page 1: eFolder Webinar, 10 HIPAA FAQs from MSPs and VARs

10 HIPAA FAQs from MSPs and VARs

Carlo Tapia, Marketing Coordinator, eFolder, 678-888-0700, [email protected]

Mike Semel, President, Chief Compliance Officer, Semel Consulting, 888-997-3635 x 101, [email protected]

Page 2

© 2014 eFolder, Inc. All Rights Reserved.

Agenda

• Introductions

• What is HIPAA?

• What must MSPs and VARs do to comply?

• When was the HIPAA deadline?

• What is the cost of HIPAA?

• 10 HIPAA FAQs from MSPs and VARs

Page 3

eFolder Expert: Mike Semel

Page 4

Semel Consulting

• Founded in September, 2012

• 30-year VAR/MSP

• 10 years’ experience with HIPAA, conducting assessments and remediation

• Former Hospital CIO

• Specialization in health care, financial, and education verticals

Page 5

What is HIPAA?

• Health Insurance Portability and Accountability Act (1996)

• Reduces health care fraud and abuse

• Mandates industry-wide standards for health care information

• Requires the protection and confidential handling of protected health information


Page 6

The Cost of HIPAA

• $1.5M: Massachusetts provider settles HIPAA case - lost laptop

• $1.7M: Alaska DHSS settles HIPAA security case - lost hard drive

• $150K: Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - lost flash drive

Source: HHS.gov/ocr/privacy/hipaa/enforcement/examples/index.html

Page 7

When was the HIPAA Deadline?

Page 8

What must MSPs and VARs do to comply?

Comply with HIPAA’s Administrative, Technical, and Physical Safeguards

Page 9

Question 1

What information is protected by HIPAA?

• Any combination of a patient’s name (or other identifier) with information about their medical diagnoses or treatment

• Can be written, verbal or electronic

• On any device or in the Cloud


Page 10

Question 2

Why do we have to comply with HIPAA as a Business Associate?

• Your health care clients, and businesses that support health care clients, give you access to electronic Protected Health Information (ePHI), or to the systems that store it

Page 11

Question 3

If a client refuses to sign a Business Associate Agreement with us, can we still do business with them?

• Yes; you do not have a risk if your client refuses to comply with HIPAA

• You have to comply with HIPAA with or without a signed contract

Page 12

Question 4

Do we have a responsibility to report if our client is doing something intentionally or deliberately out of compliance?

• No; HIPAA does not require you to report your client for non-compliance

• HIPAA does require your client to ensure that you are compliant; they are supposed to give you a chance to remediate compliance issues, and to cancel their contract and report you if you don’t comply

Page 13

Question 5

Do we have to sign Business Associate Agreements with our vendors?

• Any vendor that stores ePHI is a Business Associate and must comply with HIPAA

• Cloud services, online backup providers, and data centers must sign Business Associate (BA) Agreements

• You or your vendor may originate the contract

Page 14

Question 6

How can we verify that our backup and cloud vendors are really HIPAA compliant?

• Any data you send to a non-compliant vendor is a HIPAA data breach

• Some vendors think that signing BA Agreements is enough

• Validate that the vendor is complying beyond signing agreements

• If you aren’t convinced of your vendors’ level of compliance, switch vendors!

Page 15

Question 7

Do our clients really need Domain networks instead of Workgroup networks?

• Yes; HIPAA requires Individual User Identification, Audit Logs, and Information System Activity Review, all of which require a Domain instead of a Workgroup

• Audit Logs must be retained for 6 years

Page 16

Question 8

If a laptop computer is encrypted and then lost, is it reportable?

• No; encrypting any device provides a ‘Safe Harbor’ and the loss is not reportable

Page 17

Question 9

Are cloud vendors and backup providers exempt from HIPAA because the data is encrypted and they don’t have the encryption keys?

• No; while encryption provides ‘Safe Harbor’ in case of a data breach, it is not an exemption for an organization that maintains encrypted data

Page 18

Question 10

What do we have to do to become HIPAA-compliant?

• Learn HIPAA!

• Implement HIPAA-specific policies and procedures

• Do a HIPAA Risk Analysis

• Train your workforce

• Perform and document ongoing HIPAA-compliant services

• Select HIPAA-compliant partners, like eFolder

Page 19

eFolder and HIPAA

• eFolder will sign Business Associate Agreements

• eFolder has completed a proper HIPAA Risk Analysis conducted by experienced professionals

• eFolder has written HIPAA-specific policies and procedures

• eFolder has trained its workforce to comply with HIPAA

• eFolder has retained HIPAA professionals to maintain compliance over time

• eFolder will provide you with a letter attesting to our HIPAA compliance to take to your clients

Page 20

eFolder and HIPAA

• eFolder Partners, contact your account manager for a Business Associate Agreement (BAA)

• All registrants will receive a HIPAA Compliance Playbook
  – Video training course to educate partners
  – Microsoft PowerPoint to train employees
  – Example HIPAA compliance checklist
  – Example Business Associate Agreement (BAA)
  – More!

Page 21

HIPAA Compliance Workshop

HIPAA Rapid Compliance VARs/MSPs Virtual Workshop

• 6 hours of webinar training

• Customized policies and checklists, and a lot more

• 1-on-1 consulting

• No travel costs, lost workdays, or lawyer lectures

• Webinars will be recorded for review or sharing with other employees

Page 22

HIPAA Compliance Workshop

Registration
• http://bit.ly/NCRTrC
• Workshop limited to 35 participants

Cost
• $1,299
• $999 for eFolder partners

Dates
• Monday, March 10, 8 a.m. - 10 a.m. PT
• Thursday, March 13, 8 a.m. - 10 a.m. PT
• Monday, March 17, 8 a.m. - 10 a.m. PT

Page 23

Q&A

www.efolder.net

+1 800-352-0248

HIPAA Compliance Workshop

http://bit.ly/NCRTrC