FelinePC, a Houston-based managed IT service provider, proudly announces the receipt of HIPAA Seal of Compliance from Compliancy Group, the largest and most authoritative HIPAA compliance training and software provider in the United States. In this post, we’d like to share our experience working with Compliancy Group for the past few months and why we chose them to be the compliance partner for our business as well as our healthcare IT clients.
Why HIPAA matters a lot to FelinePC
As a managed service provider (MSP) who serves clients in the healthcare industry, FelinePC, LLC is a “Business Associate” (BA) under the definition of HIPAA (45 CFR §160.103). This designation subjects FelinePC to stringent HIPAA regulations related to the security and privacy rules it must adhere to in order to protect the “electronic protected health information” (ePHI) it encounters while providing IT service and support for its “Covered Entities” (CE) healthcare clients.
By law, we are literally all in this together
With HIPAA violation fine enforcement up 400% in recent years and series of high-profile breaches and multi-million dollar settlements that drew national attention, the importance of HIPAA compliance for both IT service providers (BAs) and their healthcare IT clients (CEs) has never been more urgent. To further complicate the matter, a “HIPAA Omnibus Rule” update in 2013 significantly extended the potential liability of non-compliance to business associates. No longer is the case where one can simply argue “we are good to go as long as it’s the the other party who’s responsible for compliance”.
The intention of the government is very clear: all parties must be HIPAA compliant in a business relationship that involves the exchange or handling of ePHI. One party’s mishap can bring devastating consequences to the other. It is therefore in a HIPAA-bound healthcare provider’s best interest to choose an IT service provider who is also HIPAA compliant, and vice versa.
94% covered entities failed their HIPAA audits — we do not want our clients to be among them
Like many federal regulations, HIPAA is notorious for being long and complicated. Yet there is no federal agency that issues official HIPAA certifications, training courses or implementation guidelines that detail exactly what an entity needs to do to achieve compliance. What the government did make sure to create though, is the Office for Civil Rights (OCR) that’s charged with auditing, prosecuting and collecting big fines.
This leaves the actual interpretation of the law down to individual covered entities and business associates. Unfortunately, compliance is much easier said than done. On one end, many choose to ignore it altogether or assume that some downloadable checklists and templates on the Internet are sufficient to get it handled in house. On the other end, some spend tens of thousands on third party consultants who charge a huge premium and yet still may not deliver a proven system that addresses all deficiencies.
The confusions and misconceptions regarding the law lead to some startling statistics: according to a recent report released by the OCR, 94% audited covered entities failed to demonstrate compliance. The consequences? Average HIPAA fine is now a stunning $1.5 million.
Sure, the number is so big in part because of the “mega fines” levied against some large healthcare corporations. But if you believe that smaller doctors’ offices are somehow immune to business-threatening level of penalty, think again: HIPAA fines can go up to $50,000 per breached record. Even a simple failure to maintain a Business Associate Agreement (BAA) on file can result in an automatic fine of $31,000, as shown in this case with a small healthcare provider in Illinois. The reality is that many doctors were never even told what a BAA is, let alone signing them with all of their business associates.
We chose to partner with Compliancy Group because frankly they’re the best in business
To mount a successful legal defense, one would want to be represented by a reputable lawyer. Similarly, to demonstrate compliance and pass a government audit, wielding the seal of approval from the best compliance training institution in the nation can certainly prove to be invaluable.
Founded in 2005, Compliancy Group and their “The Guard” software are doubtlessly the most respected brands in the HIPAA compliance industry. To prove this, one can simply perform a quick search on Google with keywords such as “HIPAA compliance” or even just “HIPAA“. You will find that compliancy-group.com is consistently listed among the top spots alongside the official government sites. We’re talking about organic rankings that cannot be purchased – not those paid Google Adword listings.
As a matter of fact, tons of other HIPAA-related organizations, including some of the nation’s biggest healthcare companies, link to Compliancy Group as their sources. This authoritative presence is further backed by the endorsements of more than 40 medical associations, SaaS providers, hosting services, cybersecurity firms and MSPs.
Their track record? One word, ZERO. Yes, zero is the number of Compliancy Group’s healthcare clients who failed OCR audits since the group was founded in 2005. It is pretty impressive for a company that serves 70000+ users and 400+ partners across the United States, even more so impressive when compared against the 94% industrial failure rate mentioned earlier in the OCR report.
What’s their secret? They will likely tell you that it surely doesn’t hurt their chances when their team consists of compliance experts with 15+ years of experience as well as former government auditors and prosecutors who understand the law inside-out.
What it takes to earn the Seal of Compliance
Compliancy Group assigns each client a “compliance coach” — friendly, highly-trained and well-qualified individuals who walk their clients through the entire training program, divided into several 30-minute online meetings. All sessions can be easily booked in advance around the client’s schedule. Generally speaking, only the designated “HIPAA Compliance Officer”, who is typically a single individual for most smaller entities, needs to attend these sessions. There is no wasted time or costly business disruptions for your staff.
The program revolves tightly around Compliancy Group’s award-winning “The Guard” software – an online portal that guides you through the initial self-audits and assessments via a series of Yes/No questions. The portal automatically stores the answers to these questions and generates “gap” reports — deficiencies to be remediated later using customized policies and procedures that Compliancy Group creates for you.
Along the way, the compliance coach helps you identify which of your vendors count as “business associates” (BAs) under HIPAA and provides you with their all-purpose Business Associate Agreements (BAAs) to sign. Other documents such as “Staff Confidentiality Agreements” are also provided. All signed documents are stored by “The Guard”, complete with timestamp and version control.
The more painful part of the program — those dreaded “policies and procedures” that just about every healthcare personnel is sick of hearing — is also handled with as much grace as possible. As you may imagine, most of these documents are based on a library of customizable templates. However, Compliancy Group takes all the guess work out for you by providing you with the exact documents and instructions that apply to your entity. All you have to do is read them, follow the instructions and store them in “The Guard”.
We can’t say this entire process requires no user time or effort – if that were true, HIPAA would not have been an issue to begin with. For that reason, please be wary of some other vendors with unrealistic sales pitches in the nature of “We do all the work for you, you just sit back and become compliant automatically”. On the same note, it is important to understand that Compliancy Group does not run a “pay for compliance” program. If an organization refuses to implement measures that are mandated by HIPAA such as full device encryption, then the Seal of Compliance cannot be issued.
What you can be rest assured though, is that Compliancy Group will always give you a clear path to compliance. They will always confidently tell you exactly what you need to do next. At no point in time you will be left directionless. If you do have any questions or concerns, from our experience the compliance coaches and the client support team have always been very responsive.
Finally, with all gaps closed and required documents uploaded, each one of your staff members will be given a unique login to “The Guard”. From there they can complete their “HIPAA 101” training which should take about 1 hour per year. They will also be required to e-sign their acknowledgement and given instructions on how to use the integrated “incident report system”, as mandated under the law.
Compliancy Group’s Chief Compliance Offier, Bob Grant, will personally review your training logs and uploaded documents to address any remaining deficiencies before wrapping up the program and issuing the Seal of Compliance. Ongoing compliance is achieved by following established policies and procedures to periodically review, audit and update certain logs and documents provided by “The Guard”, which is a lot easier after completing the initial program.
Going forward, FelinePC is well-equipped to offer Compliance-as-a-Solution for our healthcare IT clients
A significant portion of HIPAA regulations have to do with technical safeguards against unauthorized access to ePHI. Terminologies such as full drive encryption, firewall, password policies, multi-factor authentication and disaster recovery have traditionally been the challenges and weak points that most non-compliant healthcare providers face. After all, doctors like to focus on treating patients, not worrying about technical jargons.
No one is better equipped to alleviate these burdens than a HIPAA-compliant managed IT service provider that offers compliance as part of its bundled solutions. This is exactly what FelinePC, partnered with Compliancy Group and holding its Seal of Compliance, is now positioned to do.
Going through the compliance program with FelinePC means that a big chunk of your ePHI security related audit and remediation measures are delegated to us, thus freeing you to take care of the remaining components mostly related to physical security and internal administrative policies. Not only will we sign a BAA with you right from the start, but we also make sure that the vendors and tools we use to manage, monitor and backup your IT infrastructure are all HIPAA compliant and have signed BAAs on file with us. This is the “chain of trust” model that a proper HIPAA compliance strategy is based upon.
To be honest here — we absolutely do not enjoy this crazy regulatory stuff — we’d rather spend more time improving your computers and network. But as mentioned earlier in this post, if you were to become our healthcare IT client, we would then get entangled in your HIPAA obligation not by choice, but by law. We’re willing to accept that because we want to earn your business. Following the proven system Compliancy Group has already spent years putting in place, we can lift the burden of compliance off our shoulders together and return our focus on what we truly enjoy doing for our patients and clients.