Friday, July 26, 2013

SOP Friday: HIPAA Part One - Training


HIPAA - The Health Insurance Portability and Accountability Act - has been largely ignored by small businesses since it was passed in the mid-1990s. The Privacy Rule of HIPAA was published in 2000 and has been modified several times since then. Major revisions were implemented this year and final enforcement is effective September 23, 2013.

Under this rule, doctors, insurance companies, and other healthcare providers are "Covered Entities."

You come into the picture because you are a "Business Associate" under the Privacy Rule. A Business Associate is someone who performs services for a Covered Entity and may have access to individually identifiable patient health information. A Business Associate may also be someone who works for or with another Business Associate and has access to individually identifiable patient health information.

For example:
- Doctor Doolittle is a Covered Entity
- You - his managed service provider - are a Business Associate of Dr. D
- The company you work with to provide offsite backup services is a Business Associate of you

You are most directly affected by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) associated with HIPAA. HITECH governs the security and disclosure rules around the technical side of patient records. This includes where data can be stored, how it can be stored, and the consequences of a data breach.

You must have a Business Associate Agreement in place for each Covered Entity you do business with by September 23rd. You must have a Business Associate Agreement in place for each Business Associate you do business with by September 23rd.

You need to know this stuff.

To give you some hope of understanding all this, the US Dept. of Health and Human Services (HHS) has put together a web site called HIPAA Administrative Simplification Statute and Rules - here:

You can read the complete revised Privacy Rule at the Federal Registry: (138 pages).

Key action point for you: You must have your Business Associate Agreements in place by Sept. 23rd!

The Three Faces of HIPAA

When we look at implementing HIPAA policies with our clients, we see three key elements: Training, Compliance, and Documentation. We'll cover a bit on training in this article. Next week we'll talk about compliance, which involves both assessment and remediation. The week after that we'll talk about documentation. You are not HIPAA compliant until you have documented everything that makes you HIPAA compliant.

HIPAA Training

You need some HIPAA training. Whether you take a class, buy a book, or read the government web site, you need to come up to speed on this stuff - or stop servicing Covered Entities. We have a minor vertical in healthcare, so we are working on everyone's compliance rather than giving up the clients.

I took the 4Med training through Reflexion. For a bit more information on this, I did a podcast with Scott Barlow back in December. See the SMB Community Podcast interview.

Training is really a two-step process. First you need to get trained. Second, you should offer a bit of training for your clients. You might do the training yourself or resell a program such as 4Med.

Doctors - especially small doctors' offices - have worked very hard to ignore HIPAA as much as they can. One of the major changes this year is that penalties are being handed down to smaller and smaller Covered Entities. So there are more and more stories in the news about small doctors' offices being fined large amounts of money. That will help you sell this.

In addition to that, enforcement has expanded so that state attorneys general can now enforce HIPAA compliance. That means pretty much any public agency can now be petitioned to enforce HIPAA. As a result, you'll see more and more small cases being brought up.

If you want to start gathering some examples for your newsletter or marketing materials, here are a couple of resources. First, I have started a Pinterest board about HIPAA. Second, you can set up a Google Alert for HIPAA violations or HIPAA news and get regular emails about new information.

HIPAA training for you is not expensive - especially when you consider that it opens up a new world of opportunities to make money. Once you know the rules around HIPAA breaches and enforcement, you can sell training, assessments, remediation, and documentation. After that you can sell a managed service for HIPAA compliance maintenance. And you can market yourself against I.T. providers who are not HIPAA compliant and not able to deliver compliance services.

The Good News / Bad News

The good news for you is that there's lots of opportunity here. It's the law. It's been coming for almost 20 years. It's being enforced. Doctors, insurance companies, and other Covered Entities need you to come up to speed on HIPAA so they can be legal.

The bad news is that some doctors will simply refuse to comply. And you should fire them.

I talked to a doc last month who said that he was not worried. As far as he knows, he's fine. This is while carrying a laptop from exam room to exam room filled with patient records. I asked him where his HIPAA documentation was. Of course he had none. I informed him that even if he were compliant, he's still in violation of the law if he doesn't have it documented. He shrugged it off. "They won't come after me."

We can't have people like that as clients. We only need a tiny $50,000 fine to feel the pinch. A $500,000 fine would put us out of business.

Comments welcome.

- - - - -
See Parts Two and Three here:
 - HIPAA Part Two - Compliance
 - HIPAA Part Three - Documentation

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: HIPAA Part Two - Compliance




Friday, July 19, 2013

SOP Friday: BYOD - Bring Your Own Destruction

Last week we talked about Mobile Device Management (MDM). MDM comes about because of BYOD - Bring Your Own Device.

BYOD has a long history. We have been fighting mobile USB hard drives for twenty years. They're always huge compared to whatever storage is on the server and being backed up. We look around and find a 250 GB hard drive here and a 500 GB hard drive there. They get attached to the network, taken home, and moved about with no record whatsoever.

More importantly, we have laptops, smart phones, tablets, Kindles, iPads, and whatever they come up with next.

Devices get connected to the network. Data, security codes, client information, and all kinds of information get moved between devices and the network. Devices are taken home, connected together, and who knows what.

BYOD Can Become "Bring Your Own Destruction"

It doesn't take much imagination to see data going where it doesn't belong, security holes big enough to drive a truck through, and important company data spread all over a series of devices with no controls whatsoever. This is very scary for us I.T. Pros, even if clients don't appear to give a shit.

Even if employees are not engaging in espionage, BYOD results in company data being distributed across a variety of devices not owned or controlled by the company. And, as a rule, these devices are easily lost or stolen. There's a huge market for scraping the data off lost and stolen devices.

Clients have always relied on us to just take care of things. They haven't had a bad experience (security breach, etc.). Therefore, they think we can keep doing whatever magic we do and protect them forever.

Clients honestly don't know how much danger they are in.

On top of all that, they are naturally resistant to passwords and complex security. So jumping through hoops to get devices connected is a tough sell.

Whether they like it or not - whether they want it or not - we need to push them to deploy a BYOD Policy for their employees. Just cell phones and iPads alone are enough to justify this action. Creating a policy forces them to bring the issues to the front of their mind.

Here's a sample policy you can start with. I have a few additional comments at the end.

- - - - -

BYOD ("Bring Your Own Device") User Policy

[ Company Name ] BYOD ("Bring Your Own Device") Policy

[ Company Name ] acknowledges that the use of Personal Electronic Devices (including but not limited to laptop computers, tablets, and cell phones) contributes to the effectiveness of our employees. This policy is established to govern the use of Personal Electronic Devices (PEDs) that access resources owned and managed by the company.

The company may from time to time publish lists of devices that may and devices that may not be used to access company resources. Please contact our I.T. Service Provider if you have questions about devices that may be used to access company resources.

Every PED that is used to access company resources must be approved before it is used to access company resources. Every PED must have our management agent installed before accessing company resources.

Please Note the Following Guidelines:

- Your account access will be locked whenever there are [_____] unsuccessful attempts to log into your account.

- The PED must employ a "screen saver" or time-out function that automatically locks the device within [_____] minutes or less of non-use.

- Your PED must require a password to operate or get past the lock-out screen.

- Your PED password must be changed at least once every [_____] days. Passwords must be compliant with company-wide password policies.

- No PED that accesses company resources may be operated in a manner that is illegal or in violation of any end user license agreements associated with any hardware or software on the PED.

- You are responsible for all costs associated with the operation of your PED, including but not limited to data service plans.

- Your PED will be "wiped" and all data erased if any of the following occurs:
  - The PED is lost or stolen.
  - Our monitoring system determines that your device is associated with a data breach or security breach of any kind.

If your device allows for selective remote wiping of data, you may elect to have only the company-related data wiped.


[ Company Name ] pays a [ monthly / quarterly / annual ] stipend of [$_____] to the employee to compensate for the "company use" of a PED. This is the only compensation associated with this policy.

- - - - -

You might notice that this policy is designed to be partly enforcement-oriented and partly educational. Clients need a bit of cold water in the face around security sometimes. They put a premium on ease of use. You need to make sure they understand the balance between "easy" and secure.

It's also the case that scaring clients a bit will help them to accept that a policy - and MDM - are a good idea.

Comments welcome.

- - - - -


Next week's topic: HIPAA Part One - Training


Tuesday, July 16, 2013

Register Now for My Live Cloud Workshop

How to Create a Hugely Profitable Cloud Solution for Small Clients

A 4-Hour Hands-On Event!

All-New Workshop Format

The theme of SMB Nation Fall 2013 is LivExperience. This year’s pre-day event will build upon that theme. It will be a four-hour hands-on event … and with your hands you will build your own cloud service offering and take that live experience back to your office, ready to offer to your clients!

As a group, we’ll go over possible cloud offerings that you can resell. Then each attendee will work through exercises to sign up for reseller programs, create bundles, and design an overall strategy for making Lots of Money with cloud service offerings.

The cloud is redefining not only how solutions are being delivered but also who is going to deliver them. If you aren’t prepared to offer them to your clients, someone else will … soon. Don’t get left behind. Get out in front of the tidal wave and ride it to a profitable safe harbor with YOUR cloud solutions.

Your Registration includes a recording of the entire workshop
— at no additional cost!

Agenda: SMB Preday 2013

During this workshop we’ll walk you through everything you need to design and implement a great cloud service offering for small clients. This includes deciding what to offer, building bundles, choosing vendors, and implementing your solutions. Workshop attendees should come prepared to discuss their experiences – both positive and negative.

All attendees will receive workbooks and handouts so that we can walk through the exercises together – and you can change your business immediately. All attendees will also have electronic access to the forms so they can go through them again after the workshop.

If you’re ready to stop pondering and Take Action to build a hugely profitable cloud service solution, register now!

Find Out More and Register Now – Only $99

October 9th, 2013
Las Vegas, NV

Attend Live or Virtually . . . Your Choice

Now Available:

Seminar on MP3 Download
-- 4 Hours --
This event was recorded live in Las Vegas October 2013.

We cover possible cloud offerings that you can resell. This product includes the entire workshop in audio MP3 format, plus the slide decks and dozens of handouts. You will walk through exercises to sign up for reseller programs, create bundles, and design an overall strategy for making Lots of Money with cloud service offerings.

Super Affordable Pricing: Only $199 - Now only $149.95

This seminar is intended for small computer consulting firms that want to learn how to develop profitable cloud service offerings for their smallest clients. 
Only $149.95 !


Sunday, July 14, 2013

Four Killer White Papers - One Great Price

My brother Manuel Palachuk is more than just another nerd - He is a great coach, a great process engineer, and a great Managed Service Provider. He was the president of my company (KPEnterprises) for several years and instrumental in designing and implementing many of our most successful programs and policies.

Manuel is also the co-author of The Network Migration Workbook - now in its Second Edition. After leaving us he went off to run another successful MSP business. Now he is a full-time coach. You can visit his web site at

Four White Papers

Now Manuel has released a series of white papers that you can get separately or as a bundle.

Three of the white papers address core elements of building a successful I.T. consulting business. The fourth covers a common task (email cleanup). In addition to providing great advice, the email cleanup white paper serves as a great example of how to create an excellent process.

The white papers are:

- The Most Important Documents Every Company Must Have - $19.95
- Working and Tracking Time in Real-Time - $29.95
- The Core Competency Matrix - $29.95
- Cleaning Up Your Email - $9.95

Special Bundle: All four white papers for only $69.95

Here's a quick summary of each. For more information on each white paper, click on its link.

The Most Important Documents Every Company Must Have

This one is essentially a kit all by itself. This zip file contains a series of sample document templates and a white paper describing the best way to use each of them. Topics include:

- Proper and consistent branding of all company documents including and especially emails.

- Knowledge management systems kick start; specifically the core documents used in building all your quality processes, procedures, checklists, network maps, and presentations.

- Effective quality communications within the company and with everyone outside the company, focusing primarily on one of the most important elements: the properly and consistently formatted email template.

Features one 13-page white paper, plus 13 document templates - Word, Excel, PowerPoint, Visio, Publisher, and email templates!

Working and Tracking Time in Real-Time

Tackle the single toughest obstacle to super high profits in your service delivery system with this in-depth paper written specifically with IT Services in mind. Every CRM, PSA, and ticketing system out there wants to supply you with great reports on your billability and your efficiency, but not one of them can do it unless everyone is working and tracking time in real-time.

The profitability potential of the Managed Services model when time is tracked in real time is explored in some detail including examples. Time tracking methods are laid out including understanding the ideal time tracking increments for our industry and the ever important skill of rounding time entries to 5 and 15 minutes.

Discover the Golden Rules of Working and Tracking Time in Real-Time. Follow the Time Tracking Log example that covers the entire day of a technician who jumps from after-hours response calls, to field service, then help desk, then back to field service and never misses a time entry.

The author could clearly fill an entire book with this subject and here you will find the distilled and most immediately useful content.

The Core Competency Matrix

To be successful you have to have the right people in your company and then you have to play to their strengths. Likewise you must staff the best talent possible for the core competencies that support what you sell to your clients. These two meet up in the Core Competency Matrix. Here you can set the expectations of every employee’s growth within their roles while ensuring three-level-deep mastery of the key technologies, tools, and solutions you leverage for your solutions.

Use the time proven methods outlined in this whitepaper along with the Core Competency Matrix to map out your current coverage of key competencies and build a plan for propelling the company’s talent to the top along solid, well planned training paths.

There is something in the Matrix for everyone. Even a small one man shop needs to plan out how they will slowly but surely divvy up the roles that they alone currently cover, and this is the tool that will help. Laid out for easy use and with well written detailed instructions you will have every team mapped out for success in no time.

Cleaning Up Your Email
Revised 2013

A Comprehensive Guide to Clearing Out the Junk and Reducing the Size of Your Mailbox. A Series of Proven Processes for Users of Microsoft Exchange and Outlook.

We've all seen it (or done it). There are fifty users on the network, and four of them take up 13 GB of space in Exchange while the remaining forty-six take up less than 2 GB combined. There are three things you need to do to fix this situation. The first is education. You need to let the client know how expensive this lack of policies and procedures is for their company.

After that, you need to clean out the offending mailboxes. And, finally, you need to set up processes so that the bloat doesn't happen again.

This white paper was written specifically to address these issues with the clients of KPEnterprises. It has also proven to be a good marketing tool. We offer up the white paper to prospects as a way to demonstrate our seriousness and commitment to providing more than "tech support."

Technical professionals will also find great information here, including detailed procedures for cleaning out email boxes and helping clients maintain them going forward.

- - - - -

Click Here to Buy the Special Bundle: All four white papers for only $69.95

Friday, July 12, 2013

SOP Friday: Mobile Device Management

MDM in the Small Business Space

We've all seen the massive explosion of mobile devices in the workplace. Laptops have been around forever, and cell phones have gotten smarter. Now we have mobile point of sale systems, tablets, and other devices. On top of that, we see more and more BYOD - Bring Your Own Device. That means companies are blurring the line between business-owned and employee-owned devices that are authorized in the workplace, and connected to the network.

In our own company, we've changed quite a bit. We used to buy and distribute cell phones to employees. These were fundamentally company-owned devices, but we fully acknowledged that employees used them for personal use. Some years back we switched this around. Now employees use their own phones and we pay a monthly stipend ($50). That's enough to upgrade any phone to a data and calling plan that more than compensates for their work use of the phone.

But in making that transition, we have explicitly moved to a policy that allows employees to access company resources with employee-owned devices. Add laptops and iPads to the mix and we're doing exactly what our clients are doing.

What exactly is MDM?

MDM - Mobile Device Management - is simply the extension of the RMM (Remote Monitoring and Management) that we already deliver to desktops. It allows us to extend network security and management to all those BYOD devices.

Specifically, MDM involves some or all of the following functions:

- Block devices
- Configure email, calendar, and contacts
- Configure Wi-Fi and VPN profiles
- Distribute and manage applications
- Enforce compliance with HIPAA, SOX, etc.
- Protect the client network and data
- Remote wipe devices

Most of these functions are delivered over-the-air (OTA).

How Do You Deliver MDM?

Mobile Device Management is deployed as part of your RMM offering. If you use Continuum, Level Platforms, LabTech, or almost any other RMM vendor, they have agents for MDM. Some support pretty much any device and some just the most common. The number and variety of mobile devices continues to expand all the time, so it's a difficult area to keep up with.

We have yet to see a huge, publicly visible attack on mobile devices. This gives everyone a sense of security. It's a bit like the arrogance around Apple machines and anti-virus. Some day there will be a virus that causes billions of dollars worth of damage because people simply refuse to believe that their Mac can be affected. Mobile devices are much the same.

But security is not the only selling point. In addition to protecting data, MDM can save you time and money with configuration of new devices. And, as with regular RMM, it can reduce support costs overall.

The easiest sale is simply the fact that laptops and cell phones (tablets, Kindles, iPads) get lost or stolen. Locking out a device and performing a remote wipe can bring the client a great deal of peace of mind.

Bottom Line: Now is a great time to start offering MDM and pushing it to your clients.

Next week we'll talk about BYOD more directly - and I'll provide a sample BYOD/MDM policy that you can use as a "starter" document for building your own.

Comments welcome.

- - - - -


Next week's topic: BYOD - Bring Your Own Destruction



Friday, July 05, 2013

SOP Friday: Sales Scripts

There are many, many ways to approach sales. Different approaches work with different prospects, different products, and at different times. It's hard to say which approach is the best for a given circumstance. But it's easy to say which is the worst: A totally random, off the top of your head, impromptu rambling.

Some time ago I wrote a blog post on "The Worst Sales Call Ever." One of the messages in that post is that any sales call is better than no sales call. Having said that, the more systemic your approach, the more successful you will be.

If you have a process, you can measure the results and fine-tune the process. If everything is random then improvement is also random. It will come and it will go, but you will have no effect on it one way or the other.

Note: Sales is different from Marketing. They are obviously related. Marketing pushes prospects closer and closer to the sale. Sales take place when you ask people to give you their money. So the sales script is not part of marketing. It is a standardized process for asking people to give you their money.

As a Standard Operating Procedure, it's a good idea to create a sample sales script that you can tweak and tune for each new campaign. Use it for servers this quarter and BDRs next quarter.

Writing A Sales Script

The first step in writing a sales script is to figure out the classic Five W's: Who, What, Why, When, and Where. Start by creating a form with five questions and write a bit about each.

Who are you selling to? Existing clients, new prospects, big companies, small companies, lawyers, accountants, etc.

What are you selling? Is this campaign for hosted services, BDRs, managed service contracts, or something else?

Why should the prospect buy? Remember: Focus on solving a problem, not listing features. Clients don't care about megahertz and gigabits.

When do you need the sale? Is this offer good til the end of the month? 90 days? This adds an element of scarcity, which is an important piece of the sales process.

Where - in this context - is about the context of the sales script. Will it be by phone, in a formal presentation, or in a face to face meeting?

Once you know the Five W's, you can start to write the script. Now that you have put down in words what you're selling, who you're selling it to, etc. it will be a lot easier.

Keep It Simple

Take a look at the flow chart. Most calls go more or less like this. Of course you need to fill in the details. But just look at the flow and write down what you'll say at each point. Essentially, you'll need three mini-scripts, only one of which is the sales pitch.

First, you need a script for when you hit voicemail, which you use most. :-)

Second, you need a script for when a human answers. Your goal is to get them to not hang up - and then pass you to someone who can give you money. Or maybe you get passed to the decision maker's voicemail.

Third, you need a script for the decision maker. This, at last, is your pitch!

The simpler you make the script, the easier it is to deliver without being nervous. Plus, the simpler it is, the more likely you are to get through it without being interrupted with a "No Thanks."

Practice Makes Perfect

Now, you make your first call. As you find yourself leaving one voicemail after another, be sure to take notes and update your script as needed. When you hear yourself speaking the words, you might want to tweak and fine-tune.

And when you finally get to talk to the gatekeeper, you'll fine-tune that script.

And the same goes for the decision maker. This is the most important script. So you'll want to fine tune it a lot. Take particular note of things you say that lead to a "yes" - whether it's yes to a sale or yes to an appointment.

A Simple Script to Get You Started

Script One: Voice Mail

“Hi. This is Karl from America’s Tech Support. Phone number 916-928-0888. I’m calling today to see if you would like to have a conversation about your technology and how we can improve your business with Cloud Services. Please give me a call at 916-928-0888. Thank you for your time.”


"Hi! This is Karl Palachuk from America’s Tech Support. I’m hoping you can return my call at 916-928-0888. We’re offering a free 30-minute educational program called “5 Ways Cloud Computing Can Help Your Business Spend Less Every Month”. It’s about how cloud computing is helping companies like yours improve office efficiency and cut technology costs by as much as 30%. I’d love to give you some more information, so please give me a call when you can. Again, this is Karl from America’s Tech Support and you can reach me at 916-928-0888."

- - - - -

Script Two: Gatekeeper

“Hi. This is Karl with America’s Tech Support. I’m trying to reach Mr./Ms. __________ to offer a free educational presentation about how cloud computing is saving companies like yours as much as 30% on their annual technology budget. The presentation takes about 30 minutes, and I’ve got some openings next week. Do you think that’s something he/she would like to hear about?"

- - - - -

Script Three: The Decision Maker

"Hi! This is Karl with America’s Tech Support.

I’m calling today because we’ve put together an educational program for local businesses called “5 Ways Cloud Computing Can Help Your Business Spend Less Every Month”; it’s all about how the latest cloud computing technologies are helping companies cut their technology budgets by up to 30%. Are you familiar with cloud technology? Great! They’ve given me the job of getting these presentations scheduled for local businesses, and I’m calling to see when we might be able to come out and show you the program. It takes about 30 minutes. Of course we're selling something, but the program is full of great information for your business. Do you have 30 minutes available next week?"

If No:
"OK. At the very least, can I send you some information about this by email? Would that be alright with you? Great! What’s your email address?"

If Yes:
"Great! Would you be available for an appointment next Tuesday at 10:00?"

If decision maker says they have an in-house IT person:
"Yes, of course, and I think it would be a great idea for your internal IT staff to be included in the presentation. I’ve got some openings next week; would you both be available Tuesday at 10:00?"

- - - - -

Comments welcome.

- - - - -


Next week's topic: Mobile Device Management

