Friday, August 30, 2013

SOP Friday: Outsourcing (Some) Of Your Monthly Maintenance

I've written a lot about Monthly Maintenance, including articles on . . .

SOP: Why We Do Monthly Maintenance

SOP: Monthly Maintenance Scheduling and On Site Visits

SOP: The Monthly Maintenance Checklist

SOP: Monthly Single Checklist

All of that is about how YOU manage monthly maintenance. In other words, it lists all the various chores and checks you need to do each month.

But there are three tiers of checklist activities: Automatic, manual and remote, and manual on site.

1) Monitored automatically. These items can be removed from monthly maintenance once it is clear that we'll never miss a critical alert.

In a modern managed service business, you will be using some kind of remote monitoring and management tool (RMM). So many items on the checklist are checked every minute of every day instead of once a month. This includes "stop sign" error messages, whether critical services are running, free disc space, and all the other things that can be monitored automatically.

2) Can be completed remotely. These items can be completed by you or by your outsourced helpdesk (such as Continuum, Dove Help Desk, or Level Platforms). It makes sense to outsource these tasks because remote is remote, as long as the monitoring is done correctly. So why would we do it ourselves?
- Check defragmentation level and, if over 1.25, schedule a forced defrag
- Check for yellow "Warning Signs" in the system logs. These often do not trigger an alert, but if you have 100/day then you probably have a problem.
- Perform internet speed tests

3) Need to go onsite. These items require a technician onsite. So we go.
- UPS tests
- Verify backup, label media (disc or tape) for offsite storage, and give them to the appropriate person
- Update the Network Documentation Binder Tech Notes with relevant information

The Bottom Line:

We have basically turned over 99% of our monthly maintenance to our RMM provider (Continuum in our case). Their agent handles the automated piece and their NOC handles the remote piece. The thing we just haven't been able to hand off completely has been complete maintenance of the backup systems. Some things have to be done in person and clients are amazingly unwilling to take this seriously.

So backups fall into the category of "We are taking care you because you refuse to take care of yourself." Counting the number tapes on the shelf cannot be handled by a remote technician. Maybe we'll install web cams for this. :-)

Consider this: If YOU can do it remotely, or a really good technician could do it remotely, then turn it over to your outsourced helpdesk. Let them do it remotely. And the better you are at managing them, the better they respond.

Comments welcome.

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: Setting Up an MSP Office

Register Today!
SMB Preday 2013

Fair Warning:
The Price Goes Up $50 on Sunday

How to Create a Hugely Profitable Cloud Solution for Small Clients 

A 4-Hour Hands-On Event! 

October 9, 2013
1-5 PM
Las Vegas, NV

All-New Workshop Format 

This year’s pre-day event will be a four-hour hands-on event … in which you will build your own cloud service offering and take that live experience back to your office, ready to offer to your clients! As a group, we’ll go over possible cloud offerings that you can resell. Then each attendee will work through exercises to sign up for reseller programs, create bundles, and design an overall strategy for making Lots of Money with cloud service offerings.

Super Early Bird Registration: TWO attendees for only $99

Plus all content will be provided to registrants whether you actually attend or not. Includes audio recording, slides, handouts, and workbook.

Find out more at

Friday, August 23, 2013

Steve Ballmer Resigns - Good or Bad for Small Business?

Steve Ballmer, CEO of Microsoft since 2000, has announced that he'll be stepping down in the next year. A search committee has been formed. Microsoft's stock soared 7.5% on the news.

Where Bill Gates was generally loved and had a Teflon coating when it came to criticism, Ballmer has more of a Velcro coating. Folks outside Microsoft quickly blame Ballmer for the decline of PC sales world wide as well as the lackluster reception of Office 2013, Windows 8, and the Surface.

But who cares what others think: Is Ballmer's exit good or bad for small businesses?

In my opinion it is good. I've never met the man and I have nothing against him. Some people love to hate him. That's not where I'm coming from.

But somehow in the last decade or so, Microsoft's focus has become un-focused from this outsider's perspective. I have mentioned for years that Microsoft "owns" the desktop. Their operating systems are on virtually every computer in the world! And their Office suite is on virtually every computer with a commercial office suite.

But Microsoft seems to be giving up that market. I know we all need to go to the cloud. I'm actually a huge advocate of that. But Microsoft took a collection of products that I could make $200/desktop on and turned it into an offering that would take me 36 years to make $200 on.

The result? I don't push their stuff any more. Like many small I.T. consultants, we removed the Microsoft logos from our business cards. We didn't renew our certified partnership after ten years.

People like me and you make decisions based on OUR bottom line. I can't afford to write off $900 million because I created a product and then messed up the marketing and sales of that product.

We have to make profitable decisions for our businesses, and for our clients.

Microsoft has moved away from the partner-centric model that got them where they are. They are paying the price for that with Windows 8 and the Surface. If Microsoft had 300,000 partners able to sell the Surface, they would be back-ordered right now. Instead, they're being given away in lieu of $5 Starbucks cards.

Creating a new team at the top of Microsoft has to be good for fresh ideas, fresh focus, and taking stock of what has really worked for the company. Competing against your biggest hardware "partners" and all of your channel "partners" is just bad policy. With luck, the new leadership will take that to heart.

Having given away the desktop, Microsoft now has to focus on what they CAN do to own the small business market. That's good for all small businesses. That means a renewed effort to innovate, create, and combine technologies that will make us all more productive. Good innovation also makes people happy because we use technology for pleasure as well as work.

Microsoft has the money to create amazing innovations that can change our lives. They hold a lot of promise for humanity. That's not an exaggeration. But it would be a horrible shame if a company with such potential floundered about for another decade.

Microsoft is one of the most (perhaps the most) important companies in the world. They need strong, forward looking leadership. I am looking forward to it.

And finding someone who's a lot less angry wouldn't hurt either.

Here's the Wall Street Journal article:!


SOP Friday: Quarterly Roadmap Meetings

There are a handful of things we do that truly define our business and separate us from other IT providers. One is our monthly maintenance process. Another is our Quarterly Roadmap Meetings.

Roadmap meetings actually start with prospects before them become clients. Many of the questions are the same. Basically, you want to get a sense where the client's business is today and where they expect to be in the next year or so. If you can, you should try to find out where they hope to be in five years.

Basically, the Roadmap is a rough plan for the client's technology "department" (even though most do not have such a department). The Roadmap meeting is an opportunity to sit down with the client and talk about their future.

Three Benefits of Quarterly Roadmap Meetings

First: We use our Roadmap questionnaire to get to know clients and help assess their technology. In my opinion, this is far superior to an assessment of technology alone. Once we know what the company wants to do, we can determine whether they have the right technology now, and what they will need in the future.

Second: For existing clients, these regular meetings provide a non-salesy discussion of their technology so we can really participate as a member of their team. This helps us stay connected to the client on a casual level when we're not addressing a service request.

Third: As the clients plan their technology spending, we can plan our sales. It's very nice to know when projects are coming up and when we will be selling servers, workstations, etc.

What We Talk About

Is the client growing or shrinking? How dependent are they on technology? Do they have a budget? Do they have a technology budget? It is quite amazing how easy it is to get clients to tell your their plans, hopes, and dreams. We've gotten responses like these:

"We're having financial problems and need to cut back."
"We're going to add three more people this year."
"We have $3 Million in revenue and expect it to be $3.5M within 18 months."

This is great stuff. You get this stuff by asking.

But you can't casually ask. You need to have a process and procedure in which 1) They've agreed to participate, and 2) These are just a few questions in a longer list.

We use our own "Roadmap" process, but many of the questions are either similar to, or taken from the original Microsoft Business and Technology Assessment Toolkit. The best place to get this is from an old MSDN or Technet CD from at least five years ago. That's because the assessment was just a Word doc and was easy to customize.

The current version is at It requires InfoPath and is convoluted and a pain in the neck to use. Note that this is not the same as the Microsoft Assessment and Planning Toolkit, which is for evaluating client technology so you can give advice on upgrades and migrations.

We print out our questions on blue paper with a cover sheet so it looks like a set of forms. That way prospects and clients see that there really is a standardized process here.

When clients are growing, you can give them the big heads up that technology spending will increase. No "sales" necessary. Just say things like "You know you can't add three people and all their data in that old server. So you don't need it today, but you know you will."

There's no sales here, so they'll just nod their head and say "I know, I know."

But not everyone is growing. In this recession we have had to help several clients manage the shrinking of their business. That includes using the best machines as some machines are taken out of service. In two cases it meant helping the clients shut down their physical office and move to virtual offices (and to the cloud). In one case, we managed technology as our client was purchased by their competition.

Our company provides free planning meetings for our clients under contract. Our definition of "managed services" focuses heavily on being the outsourced I.T. department for our clients. As such, we try to help develop the budget, the policies, and the 1-, 3-, and 5-year plans for the "I.T. Department." Basically, if they have a big business plan or binder, we provide the I.T. section that slips into place.

Here are some examples of activities we promote through Roadmap meetings:

- Some clients buy whatever brand of computers and equipment is the cheapest. We help them see the longer-term savings of standardization for PCs, monitors, UPSs, etc. This is a gradual change over time.

- For some clients, open licenses make the most sense. For many small businesses, OEM licenses make more sense. We help clients gradually move to the right licensing programs as technology refreshes.

- Clients always have concerns about upgrades - servers and workstations. So again we help them create a plan so that decisions are mostly made when a machine needs to be ordered.

As you can see, all of these decisions are interrelated. And they all involve lots of money and labor. And timing matters. MOST small businesses make these decisions one at a time, trying to save the most money on each purchase. The result is that they spend more money as time goes on.

And we don't push upgrades just to push upgrades. If Microsoft gave these folks everything they wanted for free, they would still have the costs of our labor plus downtime per desktop and potential downtime for servers just to install it all. So we don't push every update that comes down the road.

Scheduling Meetings

We call these "Quarterly" Roadmap Meetings. But that almost never happens. Basically, we schedule them with all clients. Our office manager knows that Mike and I have certain slots open in our calendar, so she can fill those with Roadmap meetings and know they won't conflict with anything else. It also means that we spread out the meetings so we're not taken off of tech support or other tasks for large chunks of the week.

Once we've completed a round of Roadmap Meetings, she starts scheduling them again. Some clients delay and delay. So overall, most clients end up having 1-3 meetings a year. And of those, most are 1-2 meetings a year. But that's enough. It keeps us in touch and keeps the conversation going.

Meetings are generally one or two hours. This is not a time to address individual service ticket issues, but it IS a time to discuss service overall. If clients have concerns about nagging issues or overall service, this is a great opportunity for them to bring that up.

Summary of Benefits:

- Better customer relationships
- Clients understand our philosophies about technology and upgrades
- More consistency in ordering and choice of equipment
- Higher sales overall
- Happier clients

If you aren't doing "roadmap" meetings with clients, I highly recommend that you start soon.

Comments welcome.

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: Outsourcing (some) of Your Monthly Maintenance


SMB Books, Audio Programs, and More 

100% Small Business I.T. Focused 
- Technical - Business - Marketing - 
- Managed Services - Cloud Computing - 
- Network Migrations - Sales - 

All these resources and more. 

SMB Books is THE resources for the small business IT consultant who wants to move up to the next level. 

Tuesday, August 20, 2013

Hot August Nights Sale at SMB Books - Everything 20% off right now

Well, it's Hot August Nights time. Summer is blazing over 100 degrees in Sacramento.

Instead of getting grumpy and bored, I decided to get generous - and YOU are the beneficiary!

Right now through August 31st, EVERYTHING at SMB Books is 20% off. Even 20% MORE off of items that are already on sale!

Hot August Nights at SMB Books!
Use the code HotAugust at checkout and your entire order will be reduced by 20%.

Sales ends August 31st

Everything means everything . . .

  • Seminar recordings
  • My big SMB Preday event
  • Paperback books
  • E-Books
  • Audio books
  • Audio programs
  • Video programs
  • Cloud training
  • Relax Focus Succeed ®
  • Book publishing materials
  • Marketing books
  • Business books
  • Managed Services
  • White Papers
  • SMB Online Conference packages
  • Bundles
  •  . . . Everything!

* That's a one-time code and cannot be combined with other codes.


Friday, August 16, 2013

SOP Friday: Trip Charges and On Site Minimums

One area of service delivery has changed dramatically over the last five years: On Site vs. Remote support. We rarely go on site to clients for support these days. Almost every on site visit is related to sales or client relations. Some of us have clients in other states and other countries.

The really good news about remote support is that it's a lot more profitable, particularly if you have employees. Let's use the example of a client that's 20 miles from your office and it takes about 30 minutes to drive there and park. So an on site visit takes about one hour longer than the time you are actually on site.

If you pay an employee to make that visit, you (should) pay 56.5 cents per mile for the mileage reimbursement. So that's $22.60. And let's say your tech earns $20/hr so your real cost is about $25 just for the travel time. At this point you are out $47.60 just to BE on site. If you have to pay for parking, it's easily more than $50. A senior engineer might be twice that.

Note: Even if it's you and not an employee, you need to make the same calculation. This is critical to understanding your cost of delivering service!

Do You Charge for Trips?

You have two basic options for recouping these costs: Charge a "trip charge" or charge a minimum that guarantees you will be profitable.

Most MSPs have a minimum charge rather than a trip charge. For whatever reason, there is some resistance to a charge just for showing up. Having said that, every consultant I've talked to who does have a trip charge says they have no problems with it. They just make it part of their policies and clients know it's coming. So it becomes a non-issue.

Luckily, in our business, a one hour minimum is normally enough to guarantee that we're profitable. If the travel to and from a client's office costs you about $50, and the next hour on site costs another $25, then you are making some profit as long as your hourly rate is $76 or more.

Of course you don't want a profit of only $1 for two hours of your employee's time. At $100/hr you will make at least $25.

Microsoft MapPoint Driving Zone
To make the on site minimum work, you need to make sure that you keep travel time within the 30 minute drive time. One cool way to do this is with Microsoft MapPoint. See the graphic.

First you plot your office. Then choose the option to define a drive time zone of 30 minutes. MapPoint will draw the zone automatically.

From there you can make a few adjustments. But it's a great start on determining your "One Hour Minimum" drive zone.

If you're a Microsoft Certified Partner or a MAPs subscriber, then you have access to MapPoint. If you haven't played with it, this is a great place to start.

When you write your policy about "local" travel, this is your local travel area. Within this area you should find most of your clients. Within the zone (your local area), there is a one-hour minimum.

Outside this area you need a higher minimum. It might be three hours or four hours. It depends on the distance. In Sacramento, we have a nice compact area around the metro area. But we have a lot of clients in the Bay Area - a minimum of 1.5 hours drive each way with perfect traffic. So those clients have a four hour minimum. On average, 3-4 hours is needed just for travel. So even an hour on site costs us a lot of money.

So, here's the basic outline for your SOP:
1) Do you have a separate Trip Charge? Yes/No
2) If no, what is your on site minimum for local travel?
3) Is there a second "zone" for travel (e.g., 31-60 minutes of travel time)?
4) If not, how do you calculate on site minimums for non-local travel?

Train Your Employees To Stay Profitable

It is very important that your employees understand the cost of travel time. There are hard costs (e.g., the $50 calculated above) and there are opportunity costs. If you pay someone to drive two hours a day and do not charge for that, you have lost the opportunity to have that person bill out two hours of labor for remote support.

Encourage technicians to group their travel in order to minimize it. For example, combine client visits so that you don't have a trip all the way back to the office between clients.

Discourage on site visits for tech support unless they are really necessary. We can close more tickets and bill more hours if we work remotely.

Control travel in general. Your employees should not be "running errands" like driving to the store to get a network cable. Plan your day. Have enough supplies on hand so that such trips are unnecessary.

This is the kind of policy that might seem trivial, but it can have a significant effect on your profitability -- even if you are a one-person shop. Time spent driving is always less profitable than time spent working. And with remote support being so widely available, there are fewer and fewer tasks that have to be done on site.

Comments welcome.

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: Quarterly Roadmap Meetings


Register Today!
SMB Preday 2013

How to Create a Hugely Profitable Cloud Solution for Small Clients 

A 4-Hour Hands-On Event! 

October 9, 2013
1-5 PM
Las Vegas, NV

All-New Workshop Format 

This year’s pre-day event will be a four-hour hands-on event … in which you will build your own cloud service offering and take that live experience back to your office, ready to offer to your clients! As a group, we’ll go over possible cloud offerings that you can resell. Then each attendee will work through exercises to sign up for reseller programs, create bundles, and design an overall strategy for making Lots of Money with cloud service offerings.

Super Early Bird Registration: TWO attendees for only $99

Plus all content will be provided to registrants whether you actually attend or not. Includes audio recording, slides, handouts, and workbook.

Find out more at

Friday, August 09, 2013

SOP Friday: HIPAA Part Three - Documentation

So far we've looked at HIPAA Training and HIPAA Compliance. This week the topic is HIPAA Documentation. See the first HIPAA post for terminology and the second for a graphic on the steps to a great HIPAA compliance program.

Documentation is the most important piece of HIPAA compliance for you and for your clients. The rules are very clear: If you do everything right and don't document it, then you are out of compliance. Luckily, the requirements for small covered entities (doctors, etc.) and business associates (you) are not overly burdensome. See the documents at the Health and Human Services web site, especially the PDF "Security Standards: Implementation for the Small Provider."

Start With Yourself

Before you go sign Business Associate Agreements (see the first two posts on HIPAA), you need to make sure you are compliant. Assuming you are a pretty normal I.T. consulting company, you don't handle individually identifiable patient health information (patient records) in your office or one your computers, tablets, USB keys, or phones. In other words, there's nothing in YOUR office or possession that is protected information. So documenting your compliance is pretty straight forward.

You need to document how you handle protected information (in paper or electronic format) when you are providing service to the covered entity. Again, in most cases, you "handle" this information only when you are working on client computers or moving data. But you almost never see any actual patient information (hence the term "individually identifiable" patient health information).

So you need a tiny little binder that you can keep in your office. In that binder you need some kind of documentation that shows you have been trained on HIPAA. This could even be self-training by reading official government web sites. But you need to document it.

Next you need a statement about when and where you might have access to individually identifiable patient health information and how you handle such information. Again, this can be a paragraph or two typed up, because you just don't have much exposure.

Finally, you need copies of your Business Associate Agreements that you've signed with all clients.

Everything needs to be dated.

That's it for you. Basically, you need to be able to hand that binder to someone who wants proof of your HIPAA compliance.

Documenting Covered Entities

Covered Entities are a little more complicated because they obviously do have individually identifiable patient health information and access it every day. Remember the three components: training, compliance, and documentation. You'll need a slightly larger binder for your clients.

First, you should have a section where you document each employee's training. Whether this was provided by you or someone else. If you hold a company-wide training, you simply need to describe that in a paragraph and list the employees who attended. For on-going training after that, the client will need to make sure this section is kept up to date.

Second, you need two sections on compliance. The first is a section on technical compliance (related to the HITECH Act - Health Information Technology for Economic and Clinical Health Act). The second is for client procedures about how their office operates. Luckily, you (probably) only have to be involved in the first.

HITECH compliance consists of describing how data are handled, encrypted, etc. and how breaches are handled. For small offices this is not complicated. Electronic medical records (EMR) are going to be inside whatever software the client is using to manage their office. You need to describe how this information is stored, managed, and moved. By "describe" I also mean describing what you've put in place to make sure the client is complying with the HITECH Act.

The client's section on compliance has more to do with the daily procedures of the office. This includes physical barriers so that patients cannot hear conversations, view other patients' charts, etc. It also includes copies of forms that might be used, including a patient privacy policy. Information in this section of the binder is outside the authority of the HITECH Act and you can avoid responsibility for it by simply limiting your services to compliance with the HITECH Act.

Third, the binder needs a section on documentation. The binder itself is documentation, of course. But you need more. You need to put all HIPAA related policies, procedures, and documents here. This includes physical descriptions of how data are handled. It also includes copies of all signed Business Associate Agreements.

Finally, you should have procedures in place to make sure that employee training is maintained, data handling procedures are followed, and documentation stays up to date. Personnel changes are a key piece of this. When someone new is hired, they need to be trained in company procedures and HIPAA generally. And that needs to be documented in the binder.

It's Just Another Day . . .

Many techs I've talked to are worried about HIPAA and concerned that they won't be able to take on the challenge of helping clients with HIPAA compliance. But don't panic. This is just another in the woods.

The I.T. business is always changing. And it changes fast. If you've been in business five years, you've seen major changes already. And if you've been in business ten or fifteen or more years, the changes huge. We all learned the skills that got us where we are. So now we need to learn some new skills.

The biggest challenge seems to be getting doctors and other covered entities to follow the law. I'd love to hear any strategies you have for that!

Everything else is just an opportunity to expand your services and make more money.

Comments welcome.

- - - - -

Pinterest Resource for You

I've created a Pinterest board where I'm posting information on HIPAA compliance and fines. It's a place you can point your medical clients to if they tell you that there's no enforcement and they have nothing to worry about.

It's at:

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: Trip Charges


Check Out the #1 ranked Managed Services book at Amazon:

Managed Services in A Month
by Karl W. Palachuk

2nd Edition - Newly Revised and Updated with NINE new chapters

Only $24.95. The best deal in managed services today!

Order Today!


Monday, August 05, 2013

Free Webinar: Working In Real Time

Got a note from my brother Manuel. He's putting on a couple of webinars today and tomorrow.

If you're in I.T. then you know that time is the most important variable you need to measure. Join Manuel to learn how you can make the most of it.

His memo:

- - - - -

Are you losing Time and Money because of poor Time Tracking habits?
If so, Today's presentation is for you... 

MSP Coach Manuel Palachuk presents:  
"Working & Tracking Time in Real-time" 
What gets measured gets paid!

Hosted by BrightGauge - Custom Reporting Made Awesome!
Tackle the single toughest obstacle to super high profits in your service delivery system with this in-depth webinar prepared specifically with IT Services in mind. In this presentation, we will lay out the evolution of time tracking in Levels, from One to Five. Level One: time stamps and notes taken on a paper tablet throughout the day, to Level Five: entering time in real-time directly into your PSA. Along the way, the great myth that a technician who multitasks is more efficient is exposed and dispelled.  

Agenda includes: 
- Why Track Time?
- Working and Tracking Time in Real-time Maturity Level
- Time Increments for the Service Industry
- Profit and Value Potential
- The Multitasking Myth
- The Three Golden Rules of Working and Tracking Time in Real-time
- Time Tracking Log Examples
- General Rules of 5 and 15 Minute Time Entry
- Steps to Success in Working and Tracking Time in Real-time
There are two opportunities to catch this must-see webinar.

Event Times:
Monday, August 5, 2013, 7:30 PM EDT / 4:30 PM PDT

Tuesday, August 6, 2013, 10:00 AM EDT / 7:00 AM PDT

I really hope you have the opportunity to participate in this informative and powerful event.

Good luck in all your endeavors,

- Manuel Palachuk

Friday, August 02, 2013

SOP Friday: HIPAA Part Two - Compliance

Last week we talked about HIPAA Training. This week the topic is Compliance. For terminology, see last week's post.

Click on the graphic to enlarge it if you need to. These are the big stages to a great HIPAA Compliance program internally and with your clients. Last week we talked about training and next week we'll cover documentation. Today we'll cover the middle parts.

There are primarily four things you need to address regarding HIPAA compliance:

1) You need to become HIPAA compliant

2) You need to sign Business Associate Agreements

3) You need to develop and deliver HIPAA assessments

4) You need to help your clients become (and stay) compliant

... and you need to do it all by September 23rd.


Luckily, there are actually few requirements for small Covered Entities (doctors, etc.) and small Business Associates (you). That means it is pretty easy for them to become HIPAA compliant. The big stick that cures most potential problems is encryption. If a laptop is secured and the hard drive encrypted, for example, you don't even have to report a lost laptop that contains thousands of patient records.

Data can be in use, at rest, archived, or backed up to various media. In all cases, everything in the world of HIPAA compliance is easier if the data are encrypted. We have not, traditionally, encrypted everything at every stage. But in some cases, that will be the answer going forward.

Let's look at the four items a bit more.

1) You need to become HIPAA compliant. That means you need to develop one or more policies to document how you handle client data, training, etc. Going through this process will help you start to build HIPAA assessments and procedures for your clients.

If you don't know where to start or what you need to do, the best place to start is training. See last week's SOP post.

2) You need to sign Business Associate Agreements (BAAs) with all Covered Entities you have as clients and all other Business Associates you do business with. Copies of all of these should go into your HIPAA compliance file/folder/binder. Copies go into each clients' HIPAA compliance file/folder/binder and each of your BA's HIPAA compliance file/folder/binder.

There are sample BAA's on the Internet. You will also receive a sample with any good training you take. If you think this is just a huge meaningless exercise in covering your butt . . . you'd be correct. But a good BAA will address the core elements of your compliance.

Keep very good records. You need to create a binder (yes, a physical binder) and an electronic folder where you store all signed BAAs. As a service provider, this is the most important part of your HIPAA compliance: Documentation.

3) You need to develop and deliver HIPAA assessments. There's actually quite a bit of work here. And with every doctor's office you visit you'll add things to the list. So right now we're charging for the assessment because there's so much work involved. Even delivery of the assessment takes some effort because you have to document everything that doesn't need to change as well as everything that does.

The assessment should go into the client's HIPAA Compliance Binder and become both the action plan for remediation and the first draft of a report on HIPAA Compliance Documentation.

Eventually your assessment tool will be a very thorough checklist (Doesn't that sound familiar?). Part of it is based on client interviews (doctors and staff), part on observation in the office, and part on an examination of hardware, software, and data-related processes.

Please note: You probably want to deal with only the HITECH (Health Information Technology for Economic and Clinical Health Act) portion of HIPAA. You are not responsible for all HIPAA compliance because some of it has to do with the layout of the office, staff procedures, and other elements over which you probably have no control.

4) You need to help your clients become (and stay) compliant. Remediation (fixing) of problems related to record management and data services is where you excel. Once you have an assessment, you can begin to fix things.

Fixes will include documentation, processes, education, and probably changes to hardware, software, and services. Remediation might be cheap or it might be expensive, depending on the current practices and equipment.

A Few Practical Considerations

We have developed a "package" for assessing, remediating, and documenting a small medical office. Right now it's pretty expensive because we are including all labor not directly related to projects that might result from a major problem (e.g., if the server needs to be replaced altogether, that's a separate project).

If you decide you don't want to get into all this stuff, you really need to figure out what you will do with medical-related clients. At a minimum, you need to have them sign BAAs to cover YOUR butt whether they choose to be HIPAA compliant or not.

If you choose not to offer HIPAA compliance services, you should find someone who does and work out a referral or affiliate arrangement.

Just remember: The clock is ticking. September 23rd is the deadline.

Comments welcome.

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: HIPAA Part Three - Documentation


Check Out the All New Book:

Cloud Services in A Month
by Karl W. Palachuk

396 pages - plus lots of juicy downloads

Paperback - Ebook

A great resource for managed service providers or anyone who wants make money selling and bundling cloud services.

Featuring all the details you need to create and sell YOUR custom Cloud Five-Pack (TM)

Learn More!

Thursday, August 01, 2013

Windows XP End of Life: Brings Consultants and Small Businesses Together

I got a very cool memo today from Harry B over at SMB Nation. They are launching a "co-op" type program to help YOU make more money in the next year.

The new site - - is a place for small businesses to look for computer consultants to help them move off of WindowsXP. It's also a place where YOU can register as a consultant to connect with those businesses.

As you know, Microsoft announced that after April 8, 2014, it will no longer support Windows XP, Office 2003, Windows Server 2003, Exchange Server 2003 and Windows Small Business Server 2003 (SBS). As a result, small businesses who ignore this deadline will be on their own come April 9, with no support and service for these now obsolete operating systems.

I've posted the press release below. Also see the news coverage from Redmond Magazine.

I happen to know something about the funding of this project (NDA for now). So let me assure you that this program has a lot of support from some very big players. Trust me: You want to be part of this!

- - - - -
For Immediate Release
For more information, contact:
Harry Brelsford
Founder and Chairman
SMB Nation
206-201-2943 x103 Aims to Assist SMBs with Windows XP Device Upgrades
New co-op community of talented expert certified Geeks is dedicated to upgrading Windows XP devices prior to April 8, 2014 end-of-life deadline.

Bainbridge Island, WA – August 1, 2013 –, a new co-op community of talented expert certified SMB IT Pros (“Geeks”), was launched today for the purpose of assisting small and mid-sized businesses (SMBs) with upgrading away from Windows XP prior to the April 8, 2014 end-of-life deadline.

Earlier this year, Microsoft announced that after April 8, 2014, it will no longer support Windows XP, Office 2003, Windows Server 2003, Exchange Server 2003 and Windows Small Business Server 2003 (SBS). As a result, SMBs who ignore this deadline will therefore be on their own come April 9, with no support and service for these now obsolete operating systems. However, help is on the way, with, which is designed to assist SMBs with upgrading from Windows XP to
the Windows 7/8/8.1 family. is comprised of Certified Windows XP Migration Experts (CME) who come from the valued SMB Nation community, all of whom are trained professionals that are equipped to perform your upgrade away from Windows XP with minimal disruptions to your business life. The following seven steps below outline the steps involved to performing the Windows XP migration process:

1.)    Hire Once we define your business and technology needs to migrate from Windows XP, we create a job in our proprietary system and assign local talent to perform the work. 
2.)    Arrival and Assessment: The Certified Windows XP Migration Expert (CME) arranges with our office and you to arrive at your site to conduct an in-person technology and business assessment to create the final statement of work for your project.
3.)    Approval: You review the assessment report and approve the migration plan.
4.)    Procurement: All necessary new hardware and software is ordered to successfully complete the Windows XP migration.
5.)    Performance: The migration work is successfully completed! 
6.)    Acceptance: The final project checklist and survey is completed and approved.
7.)     Satisfaction: And you the customer have “gone to modern” with

XP Migrations is also holding a series of education events across the U.S .starting August 2013. Attendees will discover why migration away from Windows XP before April 8, 2014 is so important when it comes to operating their SMB. The events will feature expert trainers who are highly experienced thought leaders, all of whom have expertise and background within Microsoft and Windows Operating Systems. The event series will occur on the dates listed below in the corresponding cities:

  • Auburn, WA: September 4, 2013
  • Seattle, WA: September 5, 2013
  • Bellevue, WA: September 6, 2013
  • New York City: September 12, 2013
  • Chicago, IL: September 13, 2013
  • Houston, TX: September 17, 2013
  • Austin/San Antonio, TX: September 18, 2013
  • Los Angeles, CA: September 24, 2013
  • Irvine, CA: September 25, 2013
  • San Diego, CA: September 26, 2013 will also be hosting a series of online Web Seminars on the following dates and times below:

  • August 14, 2013 at 10AM PDT
  • August 28, 2013 at 8AM PDT
“XPMigrations was created as a co-op community for today’s SMBs to be able to easily, quickly and affordably make the upgrade from Windows XP to an updated operating systems in time for the fast-approaching April 8, 2014 deadline,” said SMB thought leader and author Harry Brelsford, who also serves and Founder and Chairman of SMB Nation. “I am very adamant about telling SMBs that if they ignore the April 8 deadline, come next year, they will be faced with a literal Windows XP ‘zombies’ that will attack their PC starting the next day. I can’t express how important it is to make this upgrade prior to April 8. If you choose to ignore this message, then you run the risk of interruptions within your business, or worse, the possibility of permanent downtime.”

“Don’t overlook the increased productivity from upgrading to the new technology and away from Windows XP,” said Jay Weiss of Computer HMO in Los Angeles, CA and the first person to register to provide services via “Buying a new device, such as a laptop, tablet or desktop, is the only way to run away from XP!”

XPMigrations co-op members will also be excited to know they receive Xpoints for each dollar spent or earned. Xpoints can be redeemed for geek gadgets, merchandise and conference passes.

To learn more about XPMigrations, and to have one of our representatives contact you with more information, go to is a co-op community of talented expert certified Geeks dedicated to upgrading your Windows XP devices. We’re 40,000 strong and able to serve any region in the U.S. and Canada to help you get to a more modern technology environment that is more productive, more secure and more fun! As specialists, we know what to do and how to do it! For more information, visit

- - - - -