Jason Karn, Total HIPAA Chief Compliance Officer, spoke with Greg Manson, Director of Security, Audit, and Compliance at Carolinas IT, about the process of hiring a Managed Service Provider (MSP). In their discussion, Greg provides a list of questions companies should ask before hiring a managed service provider. Listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read our summary below. We break down what a Managed Service Provider is and give details about why your company could benefit from hiring one.
What is a Managed Service Provider?
A managed service provider, or MSP, is a company that remotely handles its customers’ IT systems.1 MSPs are categorized as Business Associates because they see Protected Health Information (PHI) on behalf of their clients. Small enterprises that must comply with HIPAA may find that hiring outside help in the form of a Managed Service Provider lets them devote less time and fewer internal resources to their compliance plan.
Even companies with an in-house IT team can benefit from partnering with a Managed Service Provider. MSPs offer a team of professionals equipped to handle all of your organization’s challenges. An MSP can work with your IT team to enhance your cybersecurity program. Additionally, MSPs typically charge a flat monthly rate. So, companies are not responsible for providing salaries or benefits to individuals; rather, they can access a team of experienced workers for a monthly charge.2
There are several questions you should ask your potential managed service provider before hiring them and allowing them access to your company’s confidential information. MSPs are well aware of government regulations, like HIPAA, and should be able to service Covered Entities. In fact, regulatory compliance is predominantly why companies hire managed service providers.
Because MSPs are Business Associates, you must have a signed Business Associate Agreement in place before you begin working together. Additionally, your Managed Service Provider should have standard operating procedures for regulatory compliance in place that you may view or audit. If an MSP does not have these procedures or is unwilling to share them with you, you should reconsider the partnership.
What Questions Should You Ask Your Managed Service Provider?
Greg Manson of Carolinas IT, a Managed Service Provider with a great deal of experience servicing HIPAA compliant clients, walked us through several questions you should ask a Managed Service Provider before working with them.
Has this MSP worked with HIPAA compliant clients before?
This is the most important thing you should talk about with your Managed Service Provider. They must understand HIPAA law and have the knowledge and technical expertise to help your company maintain HIPAA compliance. Make sure to select an experienced vendor; ask how long they have been in business.
Question the quality of their security system.
Your Managed Service Provider should be able to answer questions about their security system. They should be able to tell you what encryption they use and how they protect your PHI at rest, in storage, and in transit.
What environmental controls does your MSP abide by to maximize security?
For example: Do you have policies or rules for staff handling sensitive information? Your MSP should have access levels in place just like your company. This ensures that only the necessary parties access PHI on your organization’s behalf. As a client of an MSP, you deserve to know that a qualified person handles your account. It is also important to know that not everyone in the company has access to your account and your private information.
What are your MSP’s company policies for employees?
Do employees lose access to information when they leave or are fired from the MSP? Are they locked out of IT systems? Is their account disabled? Are important passwords changed? What happens when one of your MSP’s employees loses a device?
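The access-level and offboarding questions above are the kind of thing a client can verify rather than take on trust. The following access-review script is an added example, not code from the Total HIPAA post or from Carolinas IT; the account records, HR departure roster, role names and shared credentials are constructed sample data, and the set of roles permitted to touch PHI is an assumption for the example. It flags three of the failures the questions describe: a departed employee whose account is still enabled, PHI access granted outside the approved roles, and a shared credential that was known to a departed employee and has not been rotated since they left.

```python
"""Access-review reconciliation for an MSP's PHI-handling accounts.

Added example (not from the Total HIPAA post or Carolinas IT): all
account records, HR data, role names and credential names below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Roles permitted to access client PHI (assumption for this example).
PHI_ROLES = {"helpdesk-tier2", "sysadmin"}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    enabled: bool
    phi_access: bool
    password_changed: date


@dataclass(frozen=True)
class SharedSecret:
    name: str
    known_to: frozenset   # usernames who were ever given this credential
    rotated: date         # date the credential was last changed


def review(accounts, shared_secrets, departures):
    """Reconcile directory state against the HR departure roster.

    departures maps username -> last working day. Returns a dict of
    findings keyed by check name; an empty list means the check passed.
    """
    findings = {
        "departed_still_enabled": [],
        "unapproved_phi_access": [],
        "secret_not_rotated_after_departure": [],
    }
    for a in accounts:
        # Offboarding check: departed staff must be locked out.
        if a.user in departures and a.enabled:
            findings["departed_still_enabled"].append(a.user)
        # Least-privilege check: PHI access only through approved roles.
        if a.phi_access and a.role not in PHI_ROLES:
            findings["unapproved_phi_access"].append(a.user)
    for s in shared_secrets:
        # A shared credential known to a departed employee must have been
        # rotated after that employee's last day.
        for user in sorted(s.known_to & set(departures)):
            if s.rotated <= departures[user]:
                findings["secret_not_rotated_after_departure"].append((s.name, user))
    return findings


# Constructed sample data: one departure, one over-privileged account,
# one shared credential that was never rotated after the departure.
DEPARTURES = {"bob": date(2024, 3, 15)}
ACCOUNTS = [
    Account("alice", "sysadmin", True, True, date(2024, 4, 1)),
    Account("bob", "helpdesk-tier2", True, True, date(2024, 1, 10)),   # left, still enabled
    Account("carol", "billing", True, True, date(2024, 2, 2)),         # PHI access outside approved roles
    Account("dave", "helpdesk-tier1", True, False, date(2024, 2, 20)),
]
SECRETS = [
    SharedSecret("client-vpn-psk", frozenset({"alice", "bob"}), date(2024, 2, 1)),
    SharedSecret("backup-encryption-key", frozenset({"alice"}), date(2024, 4, 1)),
]


def run_sample():
    """Run the review over the constructed sample data."""
    return review(ACCOUNTS, SECRETS, DEPARTURES)


if __name__ == "__main__":
    for check, hits in run_sample().items():
        print(f"{check}: {hits or 'OK'}")
```

In practice the account list would come from the MSP's directory export and the departure roster from HR; the point of the exercise is that each question in the list above maps to a concrete record the MSP should be able to produce on request.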
What technologies does your Managed Service Provider use?
A ticket tracking system is software that logs reported issues and tracks each one until it is resolved. This system allows your MSP to tackle issues as soon as they arise, and to maintain a record of security incidents.3
What will your MSP do to continuously monitor your system?
Ensure that your MSP will monitor and maintain your system consistently, not just when you begin working together. Ask them how they plan to do this.
Evaluate the cost of your MSP’s solution.
This is typically what conversations between clients and MSPs boil down to. While this is an important factor, it is not the most important factor – prioritize your company’s security above all else. However, this is a fair question. There are many MSPs working in this industry, and your organization should be able to partner with one that fits your cybersecurity and financial needs.
In conclusion, your partnership with a Managed Service Provider is meant to make HIPAA compliance simpler for your business on the IT end. It is not your MSP’s responsibility to bring your company into full compliance with the HIPAA law. Your MSP is there to help your company work through the technical portion of your Risk Assessment and establish protocols for protecting electronic data.
1. SearchIT Channel’s article “Managed Service Provider (MSP)”
2. Continuity Center’s article “Managed Services vs. In-House IT: Who comes out on top?”
3. SysAid’s article “What is a Ticketing System?”