HIPAA compliance services are an extremely profitable value-add you can provide to your customer base.
There are millions of American companies that don’t realize they have a HIPAA compliance problem. They’re not doctor’s offices or medical labs or hospitals or insurance companies, so many falsely believe HIPAA doesn’t apply to them.
HIPAA, after all, is shorthand for the Health Insurance Portability and Accountability Act of 1996, so if your core business isn’t delivering healthcare-related products such as insurance, it may be easy to think you’re in the clear. But this moniker is misleading.
Since 2013, a new Omnibus Rule has extended HIPAA regulations to any company handling personal healthcare information (PHI). Known as business associates, they must sign agreements with any partners or customers in the healthcare space with which they do business. This makes them subject to the same rules that have been governing healthcare organizations for decades, even if they didn’t know it.
Education and Opportunity
As an MSP, HIPAA compliance services are an extremely profitable value-added service you can provide to your customer base. Offering HIPAA compliance requires that you provide a portfolio of specific offerings.
Automated assessments – HIPAA compliance isn’t something that’s ever “complete.” It requires an ongoing commitment to securing PHI, and that includes ongoing assessments to identify any personal healthcare data lurking in any aspect of a client’s digital ecosystem and ensure it is secure.
Spotting problems, offering solutions – Regular scans identify any potential vulnerabilities and recommend courses of action to shore up potential soft spots.
Automatic documentation – In the event of a breach or other non-compliant event, the ability to provide proof that preventative measures were taken is a huge plus and can lead to major mitigation of fines and penalties.
Audit readiness – When an auditor comes knocking, MSPs and their clients must be fully prepared to hand over all required evidence and documentation they’ll be asked to provide.
However, before you extend HIPAA compliance services into this vast and largely untapped market, you must first make your clients aware of the problem they must address. This requires proactive sales efforts that are as much an informational overview to bring attention to the problem as they are a pitch on an actual solution.
So many of these companies have no idea that they’re supposed to be complying with HIPAA. These SMBs include accounting firms, payment processors, law firms, and even document storage and disposal companies.
These organizations are definitely not delivering healthcare services, but they are handling Personal Healthcare Information (PHI) that falls under the umbrella of HIPAA. Regardless of why a company might deal with this data, it is still responsible for handling it as meticulously as a hospital might.
When it comes to hammering this point home, it’s a good idea to emphasize the stick versus the carrot. The fines and penalties for HIPAA violations can be quite lofty, not to mention the reputational damage that comes with a violation making the headlines.
Since these companies previously were not conscious of their legal obligations in this department, referring to comparable examples is a good tactic to inject some urgency into the conversation. Offering up case studies of how companies in the same line of business have been subject to fines and negative repercussions following a HIPAA violation is a great way to “scare them straight” on the subject. Seven-figure fines are typically a pretty good motivation to invest in upfront protection from these liabilities.
Preparing for the Attack
To effectively go to market, you need a plethora of resources to make a scalable, professional entry into the HIPAA compliance space. Many of these have nothing to do with your technical capabilities or acumen.
It begins with the pitch and the supporting materials needed throughout the sales cycle. This includes marketing strategies, positioning, pricing guidance, and sales training on how to create urgency and overcome objections. You will also need a plethora of content, from email templates to landing pages to sales presentations.
Extensive training for your sales teams and customer-facing personnel is another area of emphasis. These individuals must become well-versed in the subject matter and familiar with what it takes to close compliance-related deals (or extend current engagements to include compliance services).
Once the ink is dry, you need to figure out how to offer high-quality compliance services efficiently to maximize profitability. And post-implementation, MSPs must also develop playbooks for how to conduct quarterly business reviews to reinforce the value they’re providing and identify additional opportunities to grow their book of business.
Developing this arsenal of training and materials isn’t typically the strong suit of MSPs, who rightfully are focused on delivering excellent service to their customers and building on their expertise in providing a wide array of outsourced IT functions.
This post, Don’t Let Lack of HIPAA Compliance Make Your Business Sick, first appeared on https://www.channelfutures.com.