Friday, July 26, 2013

SOP Friday: HIPAA Part One - Training


HIPAA - The Health Insurance Portability and Accountability Act - has been largely ignored by small businesses since it was passed in the mid-1990s. The Privacy Rule of HIPAA was published in 2000 and has been modified several times since then. Major revisions were implemented this year, and final enforcement is effective September 23, 2013.

Under this rule, doctors, insurance companies, and other healthcare providers are "Covered Entities."

You come into the picture because you are a "Business Associate" under the Privacy Rule. A Business Associate is someone who performs services for a Covered Entity and may have access to individually identifiable patient health information. A Business Associate may also be someone who works for or with another Business Associate and has access to individually identifiable patient health information.

For example:
- Doctor Doolittle is a Covered Entity
- You - his managed service provider - are a Business Associate of Dr. D
- The company you work with to provide offsite backup services is a Business Associate of you

You are most directly affected by the HITECH Act (Health Information Technology for Economic and Clinical Health Act) associated with HIPAA. HITECH governs the security and disclosure rules around the technical side of patient records. This includes where data can be stored, how it can be stored, and the consequences of a data breach.

You must have a Business Associate Agreement in place for each Covered Entity you do business with by September 23rd. You must have a Business Associate Agreement in place for each Business Associate you do business with by September 23rd.

You need to know this stuff.

To give you some hope of understanding all this, the US Dept. of Health and Human Services (HHS) has put together a web site called HIPAA Administrative Simplification Statute and Rules - here:

You can read the complete revised Privacy Rule at the Federal Register (138 pages).

Key action point for you: You must have your Business Associate Agreements in place by Sept. 23rd!

The Three Faces of HIPAA

When we look at implementing HIPAA policies with our clients, we see three key elements: Training, Compliance, and Documentation. We'll cover a bit on training in this article. Next week we'll talk about compliance, which involves both assessment and remediation. The week after that we'll talk about documentation. You are not HIPAA compliant until you have documented everything that makes you HIPAA compliant.

HIPAA Training

You need some HIPAA training. Whether you take a class, buy a book, or read the government web site, you need to come up to speed on this stuff - or stop servicing Covered Entities. We have a minor vertical in healthcare, so we are working on everyone's compliance rather than giving up the clients.

I took the 4Med training (through Reflexion). For a bit more information on this, I did a podcast with Scott Barlow back in December. See the SMB Community Podcast interview.

Training is really a two-step process. First you need to get trained. Second, you should offer a bit of training for your clients. You might do the training yourself or resell a program such as 4Med.

Doctors - especially small doctor offices - have worked very hard to ignore HIPAA as much as they can. One of the major changes this year is that penalties are being handed down to smaller and smaller Covered Entities. So there are more and more stories in the news about small doctors' offices being fined large amounts of money. That will help you sell this.

In addition to that, enforcement has expanded so that state attorneys general can now enforce HIPAA compliance. That means pretty much any public agency can now be petitioned to enforce HIPAA. As a result, you'll see more and more small cases being brought up.

If you want to start gathering some examples for your newsletter or marketing materials, here are a couple of resources. First, I have started a Pinterest board about HIPAA here: Second, you can set up a Google Alert for HIPAA violations or HIPAA news and get regular emails about new information.

HIPAA training for you is not expensive - especially when you consider that it opens up a new world of opportunities to make money. Once you know the rules around HIPAA breaches and enforcement, you can sell training, assessments, remediation, and documentation. After that you can sell a managed service for HIPAA compliance maintenance. And you can market yourself against I.T. providers who are not HIPAA compliant and not able to deliver compliance services.

The Good News / Bad News

The good news for you is that there's lots of opportunity here. It's the law. It's been coming for almost 20 years. It's being enforced. Doctors, insurance companies, and other Covered Entities need you to come up to speed on HIPAA so they can be legal.

The bad news is that some doctors will simply refuse to comply. And you should fire them.

I talked to a doc last month who said that he was not worried. As far as he knows, he's fine. This is while carrying a laptop from exam room to exam room filled with patient records. I asked him where his HIPAA documentation was. Of course he had none. I informed him that even if he were compliant, he's still in violation of the law if he doesn't have it documented. He shrugged it off. "They won't come after me."

We can't have people like that as clients. We only need a tiny $50,000 fine to feel the pinch. A $500,000 fine would put us out of business.

Comments welcome.

- - - - -
See Parts Two and Three here:
 - HIPAA Part Two - Compliance
 - HIPAA Part Three - Documentation

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: HIPAA Part Two - Compliance


Register Today!
SMB Preday 2013

How to Create a Hugely Profitable Cloud Solution for Small Clients 

A 4-Hour Hands-On Event! 

October 9, 2013
1-5 PM
Las Vegas, NV

All-New Workshop Format 

This year’s pre-day event will be a four-hour hands-on event … in which you will build your own cloud service offering and take that live experience back to your office, ready to offer to your clients! As a group, we’ll go over possible cloud offerings that you can resell. Then each attendee will work through exercises to sign up for reseller programs, create bundles, and design an overall strategy for making Lots of Money with cloud service offerings.

Super Early Bird Registration: TWO attendees for only $99

Plus all content will be provided to registrants whether you actually attend or not. Includes audio recording, slides, handouts, and workbook.

Find out more at



  1. huytran 12:14 PM

    This is a great article. We are going through HIPAA training now for our company. Thanks!

  2. Anonymous 7:31 AM

    Great blog Karl. What it all comes down to is money. The government wants more of it. Local, state, Federal. They will use these fines as revenue sources for government agencies and third party auditing non profit agencies. The fines won't be huge, let's say they are $5K per incident, multiplied by 10K medical offices, MSP, other BA companies that dropped the ball on 1 part of a compliance rule. That's $50 MILLION dollars in fines. But what if it's $10K and 50,000 fines? Well that's half a billion dollars. And that pays for a lot of government employee salaries and pensions. Welcome to the new HIPAA tax. They're from the government and they're here to help.

  3. I took the 4Med training and I am going to send my entire staff through it. I also looked at their HIPAA Documentation Bundle and their Risk Assessment. As an MSP, are those good products to bring myself compliant or is there a better (less costly) method? I might also note that I am set up to resell their services, so "eating my own dog food" might be a good idea. (By the way, I mentioned you referred me, for what it's worth.) Thoughts?

  4. Thanks, Jason. I don't know if they have a referral program. I'll wait to see if a check shows up. :-)

    I am not sure about their bundle. I think it's geared for much larger clients than we have. Our largest HIPAA "eligible" client has about 30 employees. They were 70 five years ago, but they're government funded and ... well that's how things go.

    Anyway, the 30-user shop will be much more complicated than the office with 5 doctors and 5 administrative staff. We're looking at various online and book resources.

    I can't say we have the perfect combo for Small Biz yet.

  5. HIPAA Secure Now! has a Business Associate and Partner program that can help MSPs with HIPAA compliance and selling HIPAA Security Service.

    We also have a free whitepaper - How MSPs can profit from selling HIPAA security services

  6. Total, complete spam, Art!

    And perfectly on topic, so thank you for the info.

    Note: On Blogger, you can make those links into links by simply writing the code (< a href= etc.)


  7. 4Med also hosts a very streamlined reseller program for HIPAA reports, products and services in addition to their training reseller programs. The program is growing rapidly, has vetted experts on tap to deliver the highest quality content and is lucrative for the MSP Partner. To learn more about our program... please reach out to Genave Daniel at [email protected] or call (800) 671-1028 ext #35. Also join the for additional HIT programs and opportunities. And thank you Karl for the 4Med training plug.

  8. Thanks, Wendy.

    My PayPal address is . . .

