For those not familiar with the acronym, HIPAA stands for the Health Insurance Portability and Accountability Act. It is US legislation that, among other things, protects the confidentiality of patient health information and ensures records can be moved between healthcare providers without hindrance.
If you provide services to the healthcare sector in the US, you will be aware of your responsibility to make that service provision HIPAA compliant.
Obviously, for software that deals directly with patient records this is a key requirement, built in from day one. Similarly, cloud storage and backup services used by healthcare providers have a clear responsibility to protect patient records with layered access controls.
But what about the PSA tools MSPs use to deliver services to healthcare providers? Are they also caught in this net?
We do not claim to be experts in this field. However, we take data security seriously, as GDPR requires, and we provide a highly secure environment for our customers' data.
It is our understanding that MSPs working in the healthcare sector need their systems and processes to be HIPAA compliant. It is also our understanding that, for systems that do not hold medical records, HIPAA compliance is not a certification as such; rather, these systems need to support a minimum set of security and logical access controls that are managed and enforced by the organisation using the software.
Protected Health Information (PHI) is not generally relevant to PSA systems, as they do not hold medical records. (Note, though, that PHI covers any individually identifiable health information, not only clinical records, so patient details pasted into a ticket would count.) Also, as Harmony does not provide remote-control functionality, concerns about support staff browsing medical records through the PSA do not apply.
However, a screenshot of a medical record could be forwarded and attached to a support ticket. That could lead to an accidental HIPAA breach, so consideration needs to be given to the processes, access controls and auditability of the actions surrounding such an incident.
Procedurally, the technician handling the issue should delete the image on ticket closure, and this step should be included in a workflow checklist so that compliance can be evidenced. Creating this process step is within the customer's control, and we can provide guidance on how to set it up.
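To make the closure checklist above concrete, here is an added example (not HarmonyPSA's own code; the Ticket, Attachment and AuditEntry names and the "close.blocked" action are assumptions) of a ticket-closure gate: a ticket cannot move to "closed" while it still carries any attachment, and every attachment deletion, blocked close and status change is written to an audit trail against the ticket. Refusing on any attachment, not only images, is deliberately stricter than the page's rule; scope it to whatever your checklist defines.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Attachment:
    attachment_id: str
    filename: str
    content_type: str


@dataclass(frozen=True)
class AuditEntry:
    when: str        # UTC timestamp of the action
    actor: str       # who performed it
    object_ref: str  # object the entry is recorded against, e.g. "ticket:T-1001"
    action: str      # e.g. "attachment.deleted"
    detail: str


class ClosureBlocked(Exception):
    """Raised when the checklist gate refuses to close a ticket."""


class Ticket:
    """Hypothetical ticket model (assumed names, not HarmonyPSA's API)."""

    def __init__(self, ticket_id: str) -> None:
        self.ticket_id = ticket_id
        self.status = "open"
        self.attachments: dict[str, Attachment] = {}
        self.audit: list[AuditEntry] = []

    def _log(self, actor: str, action: str, detail: str) -> None:
        # Every state change is recorded against the ticket it affects.
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor,
            f"ticket:{self.ticket_id}", action, detail))

    def add_attachment(self, actor: str, att: Attachment) -> None:
        self.attachments[att.attachment_id] = att
        self._log(actor, "attachment.added",
                  f"{att.attachment_id} {att.filename} ({att.content_type})")

    def delete_attachment(self, actor: str, attachment_id: str) -> None:
        # KeyError if the id is unknown: fail loudly rather than log a
        # deletion that did not happen.
        att = self.attachments.pop(attachment_id)
        self._log(actor, "attachment.deleted", f"{attachment_id} {att.filename}")

    def close(self, actor: str) -> None:
        # Checklist gate: refuse to close while any attachment remains, and
        # record the refusal so an auditor can see the control firing.
        remaining = sorted(self.attachments)
        if remaining:
            self._log(actor, "close.blocked",
                      "attachments still present: " + ", ".join(remaining))
            raise ClosureBlocked(
                f"ticket {self.ticket_id} still has attachments: {remaining}")
        self.status = "closed"
        self._log(actor, "status.changed", "open -> closed")


def demo() -> Ticket:
    """Constructed scenario: a screenshot is attached, the first close attempt
    is blocked, the technician deletes it, and the second close succeeds."""
    t = Ticket("T-1001")
    t.add_attachment("tech.alice",
                     Attachment("A1", "patient-screen.png", "image/png"))
    try:
        t.close("tech.alice")
    except ClosureBlocked:
        pass  # expected: the gate fired and was logged
    t.delete_attachment("tech.alice", "A1")
    t.close("tech.alice")
    return t


if __name__ == "__main__":
    for e in demo().audit:
        print(e.when, e.actor, e.object_ref, e.action, e.detail)
```

The point of logging the blocked close as well as the deletion is that an auditor can later show not just that the image was removed, but that the control prevented closure until it was.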
On the broader topic of security and logical access controls, as required by HIPAA, Harmony delivers the following:
- User access control settings, including session time-out parameters, forced password reset periods, password complexity standards and lock-out rules on failed access attempts
- Encryption in transit as standard and encryption at rest in our Azure hosting environments
- Azure VMs are firewall protected
- Two-factor authentication using Google Authenticator (no Google account is required), plus SAML integration, which allows sign-in to be delegated to an identity provider that enforces its own 2FA
- All state changes in the system are audit logged, and the audit log is available in the UI against each affected object
- IIS session logs can be downloaded if required, showing which screens a user has visited without changing anything (read-only access that the change audit log would not record)
- Team and client-group level security lets you specify which user teams can view data for which customer groups, enabling internal data partitioning (information barriers, or "Chinese walls")
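The last bullet describes a deny-by-default partitioning rule. Here is an added example (not HarmonyPSA's own code; the User, Client and PartitionPolicy names are assumptions) that models it: a team is granted visibility of client groups, a user sees a client only if one of the user's teams is granted one of the client's groups, and a user with no team, or a client filed in no group, never matches. It also shows that revoking a grant takes effect immediately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    teams: frozenset  # team names the user belongs to


@dataclass(frozen=True)
class Client:
    client_id: str
    groups: frozenset  # client groups this customer is filed under


class PartitionPolicy:
    """Hypothetical team -> client-group visibility policy (assumed names)."""

    def __init__(self) -> None:
        # team name -> set of client groups that team may view
        self._grants: dict[str, set[str]] = {}

    def grant(self, team: str, group: str) -> None:
        self._grants.setdefault(team, set()).add(group)

    def revoke(self, team: str, group: str) -> None:
        self._grants.get(team, set()).discard(group)

    def can_view(self, user: User, client: Client) -> bool:
        # Deny by default: visibility requires an explicit team/group grant,
        # so an unassigned user or an unfiled client matches nothing.
        return any(self._grants.get(team, set()) & client.groups
                   for team in user.teams)

    def visible_clients(self, user: User, clients: list[Client]) -> list[str]:
        return sorted(c.client_id for c in clients if self.can_view(user, c))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: two teams, three clients, one client in no group."""
    policy = PartitionPolicy()
    policy.grant("health-team", "healthcare")
    policy.grant("finance-team", "finance")
    policy.grant("finance-team", "healthcare")  # finance team may also see healthcare clients

    clients = [
        Client("clinic-a", frozenset({"healthcare"})),
        Client("bank-b", frozenset({"finance"})),
        Client("unfiled-c", frozenset()),  # not yet placed in any group: invisible to all
    ]
    alice = User("alice", frozenset({"health-team"}))
    bob = User("bob", frozenset({"finance-team"}))
    carol = User("carol", frozenset())  # no team membership: sees nothing

    result = {
        "alice": policy.visible_clients(alice, clients),
        "bob": policy.visible_clients(bob, clients),
        "carol": policy.visible_clients(carol, clients),
    }
    # Revoking the finance team's healthcare grant is effective on the next check.
    policy.revoke("finance-team", "healthcare")
    result["bob_after_revoke"] = policy.visible_clients(bob, clients)
    return result


if __name__ == "__main__":
    for who, seen in demo().items():
        print(f"{who}: {seen}")
```

When reviewing such a configuration for a HIPAA-facing deployment, the cases worth checking are exactly the edge ones in the demo: a newly created client that has not yet been filed in a group, and a user whose team membership has been removed, should both fall on the deny side.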
Accordingly, we consider that when deployed within an organisation that understands the process requirements of HIPAA compliance (as MSPs operating in this sector must), Harmony can be configured to deliver a PSA solution that satisfies their needs and will stand up to a HIPAA audit.
About the Author: Harmony Business Systems Ltd (HBS) is the company behind HarmonyPSA, a cloud PSA platform developed to cater for the needs of MSPs, VARs, ISVs and professional services organisations. HBS is an independent company based in the UK.