As a Managed Service Provider (MSP), ensuring your clients’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) is paramount. These US regulations apply to any company handling US citizens’ data, requiring them to implement HIPAA-compliant backup solutions to protect sensitive information.
Here’s a comprehensive guide to help MSPs navigate the complexities of HIPAA compliance, particularly regarding HIPAA compliant email archiving solutions for Microsoft 365 and Google Workspace.
Understanding HIPAA and its Relevance to MSPs
HIPAA mandates that organizations handling Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) of US citizens comply with strict standards to safeguard this data. These organizations are categorized as Covered Entities or Business Associates.
Covered Entities are defined in the HIPAA rules as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.
Business Associates are entities that perform activities involving the use or disclosure of PHI on behalf of a Covered Entity. This includes functions like data analysis, claims processing, or administrative services.
As an MSP, you may act as a Business Associate, managing healthcare data protection services that involve PHI. Therefore, your solutions must be HIPAA compliant.
HIPAA and Email Archiving for Microsoft 365 and Google Workspace
MSPs offering email archiving solutions to healthcare providers must ensure these solutions comply with HIPAA regulations. Dropsuite provides a HIPAA-compliant email archiving service for Microsoft 365 and Google Workspace that safeguards PHI in accordance with both the Security Rule and Privacy Rule.
HIPAA Security Rule
The HIPAA Security Rule applies to any entity that transmits electronic Protected Health Information (ePHI). To comply, Dropsuite implements the following measures:
- Reasonable Safeguards: Data archived with Dropsuite is protected to prevent unauthorized use or disclosure.
- Role-Based Access Control: Access to data is tightly controlled.
- Individual Access: Individuals can only access their own data.
- Administrative Access: Administrators have data recovery and eDiscovery access.
- Multi-Factor Authentication: Ensures that only authorized users can log in.
- Audit Logs: Track and record all access and changes, crucial for HIPAA compliant data recovery.
HIPAA Privacy Rule
Technical Safeguards
- End-to-End Security: Dropsuite’s solution uses TLS 1.2 for data in transit and AES-256 for data at rest, ensuring HIPAA-compliant cloud storage on AWS infrastructure.
- User Access Control: The default in Dropsuite is “No Privilege,” with access granted based on work requirements and approved through a documented process. This is a must-have for HIPAA-compliant SaaS backup solutions.
- Audit Logs: Dropsuite tracks all activities in the production environment, with logs retained for seven years, in line with best practices for HIPAA-compliant backups.
Physical Safeguards
- Data Center Security: Dropsuite data is stored with AWS, which is HIPAA compliant and SAS 70 Type II certified.
- Workspace Access: All physical access to Dropsuite’s offices and workspace is secured with biometric devices and all visitors are required to be escorted at all times.
- Data Disposal: Upon ending the subscription to Dropsuite’s email archiving solution, data will be permanently deleted after 30 days and not retrievable by any means.
Administrative Safeguards
- Vulnerability Testing: Dropsuite engages independent external entities to conduct regular internal and external tests, with results shared across the team.
- Personnel Management: Annual training for all Dropsuite employees, biennial HIPAA certification for those with elevated access, and confidentiality agreements for all staff.
- HIPAA Security and Privacy Officers: Dropsuite has appointed several HIPAA Security and Privacy officers and all our officers have completed HIPAA certification.
HIPAA Breach Notification Rule
In case of a breach, MSPs must notify the U.S. Department of Health and Human Services (HHS) and possibly the media if more than 500 patients are affected. Dropsuite has a Breach Notification Plan in place so MSPs can manage and report breaches effectively and ensure HIPAA compliance.
HIPAA Enforcement Rule
Compliance with the Enforcement Rule involves maintaining proper documentation and facilitating investigations. Dropsuite supports MSP HIPAA compliance with features like customizable retention periods, eDiscovery, and legal hold capabilities.
Conclusion
For MSPs, ensuring HIPAA compliance involves a comprehensive approach to data security, privacy, and administrative practices. By implementing robust safeguards and staying up to date on regulatory requirements, MSPs can provide HIPAA-compliant backup for healthcare organizations and expand their business.
If you are looking to expand your expertise in HIPAA compliance and become the trusted compliance expert your clients need, make sure to explore our Mitigating Risks: A Guide to Cloud Compliance for Managed Service Providers FREE whitepaper.