Today we’re publishing another contributed article from a real MSP. This one is written by one of the MSP Voice podcast guests Anton Kioroglo, a Charlotte-based MSP owner. If you haven’t watched the episode with Anton, watch it right here.
Author: Anton Kioroglo, CSO, Security First IT
Anton Kioroglo is the Chief Security Officer, and co-owner of Security First IT, LLC. Security First IT is a Charlotte-based IT management and security firm that specializes in solving the cyber security and IT needs that small and medium-sized businesses experience throughout the country.
I still remember my first HIPAA customer; it was a small medical practice with 8 computers. The network equipment was housed on a shelf inside the staff restroom, just above the toilet. Several of the ceiling tiles were missing in that bathroom or “network closet” as they liked to call it, and a big box fan sat on the floor pushing air toward the door. On the wall opposite the toilet, where the door was hung, was another shelf which contained the audio equipment. A $3,000 surround sound amp sat on that shelf playing the local pop radio station through the ceiling mounted speakers in the hallways.
I remember asking one of the staff if anyone used that restroom. “No, no one’s used that one for years,” she told me. “Well, except to clean some of the equipment in the sink, or flush something down the toilet, but otherwise no.” A bit confused by her answer, I asked: “so it goes unused except when it’s being used?”
Answers like this are common in IT. People don’t have unadulterated answers prepared for us, they have generalities. They have to form answers as they search for information in their memories, pulling together bits and pieces, stammering to make them cohesive.
After doing my first walkthrough of that customer’s office and taking far too many notes about the placement and positioning of every piece of equipment, I headed back to my home office. I was determined to win this customer over, and I was going to win them by doing a thorough HIPAA analysis and impressing them with my HIPAA knowledge.
There was just one hurdle I had to overcome, I hadn’t heard of HIPAA until the day prior when that customer called me and asked if we “work with HIPAA.“ “Of course we do HIPAA,” I said, and the appointment was set for me to come into their office the following day.
I spent the next 4 hours reading everything I could find on this thing called HIPAA and getting excited. I was going to become a HIPAA expert you see because HIPAA meant being able to charge a premium for IT services. And the best part? It didn’t really require me to do much.
Oh, how naive I was. I spent countless hours reading material on HIPAA, I even read the HIPAA rule itself a couple times (my kid’s least favorite bedtime story). At the end of it all, after months of studying HIPAA, I decided I wasn’t any closer to understanding it. That’s when I began taking HIPAA training classes, reading books and watching training videos. Almost a year into my quest to become a HIPAA expert, with countless hours devoted to understanding the HIPAA rule, I decided that I’d had an epiphany. A glorious moment of realization that should change my life forever. I decided to abandon my pursuit of HIPAA excellence and outsource it to a company that could handle HIPAA for me.
What followed was several grueling months of researching companies that worked with MSP’s and helped small business owners like myself and my customers handle HIPAA once and for all. All I wanted to do was point the customer to this company and say, here, pay them and they’ll tell us exactly what to do and when. Then we’ll both be covered because we’ll be “doing HIPAA right.” Alas, my dreams were shattered yet again. When I began speaking with these “HIPAA experts” I quickly discovered that I knew considerably more than the people I spoke to. Most of the companies I spoke with, and I spoke with a lot, couldn’t so much as tell me where I could read the entire HIPAA rule, a perquisite for being able to call yourself a “HIPAA expert”, I figured. Almost everyone I interviewed referred to it as HIPAA law, and several told me I’d go to jail if I didn’t hurry up and get them in here. Some of them couldn’t answer the most basic questions, one of them misspelled HIPAA in a sales brochure they emailed me. Another company told me that as long as I was encrypting the hard drives and all data in transit I was doing 90% of what HIPAA required so they’ll handle the rest.
I’m certain there are great companies out there that could have helped me, I just couldn’t find them. Of the dozen or so I interviewed, only two showed true HIPAA prowess and both of them only worked with large hospitals. No one, it seemed, wanted to do all the work required with HIPAA compliance and then charge the kind of prices a small business wanted to pay.
That was many years ago, fast forward to today. I’ve doubled down on HIPAA. A vast majority of our clients are HIPAA Covered Entities, we spend tens of thousands of dollars on training our staff on HIPAA compliance every year. I regularly attend HIPAA training classes, webinars, online classes, read books and articles on HIPAA compliance and listen to podcasts on HIPAA (HelpMeWithHIPAA.com). My personal favorite HIPAA related pastime, verbal jousting with HIPAA attorneys and auditors that I’ve befriended. Though they regularly school me in my “HIPAA fu,” I am grateful to be able to learn from it.
HIPAA you see, is not a rule which forces a Covered Entity (CE) or Business Associate (BA) to follow a checklist. HIPAA is a guideline, best practices, if you will, designed to protect patient information. HIPAA applies to everything, from how to dispose of trash, to which way a piece of paper should be facing when you lay it down on a desk. The part of HIPAA that impacts an MSP is only a small percentage of the actual HIPAA rule and its addendums and amendments.
The big question, the reason you’ve sat through this story – how do I know when I should be focusing on HIPAA? Of course, the answer isn’t clear cut, but if you’ve gotten this far I suspect you already knew that. Yes, it’s true, you can command a premium for having to deal with all the rules and regulations that come with supporting a CE or BA. But if you’re doing it right, and tracking your metrics, you’ll also see your profits dwindling with each report you have to generate to comply with reporting requirements. Not to mention the threat assessments you must conduct and document, not only for your customers but for your business as well.
Over the course of a few months we’ll be discussing in more depth what HIPAA compliance looks like for an MSP, at the end of which, hopefully, you’ll walk away with a good understanding of what it takes to comply with HIPAA regulations, why companies that have to work with HIPAA guidelines command a premium, and whether or not you want your business to be a part of it all.
For now, I’ll leave you with this.
If you have a HIPAA Covered Entity or Business Associate that you’re currently supporting or looking to support, pause for a minute and take HIPAA seriously. HIPAA carries many painful consequences when not done correctly. Don’t risk your business and your livelihood by taking HIPAA lightly. If you need a place to start, start with a course on HIPAA. There are several good HIPAA training courses available. Personally, I am partial to a course that I am now part owner in, a HIPAA training program for MSPs (more on that in the upcoming posts) HIPAAforMSPs.com which empowers MSP owners and their staff to understand HIPAA and how to properly implement it in their business.