IT-as-a-Service and HIPAA Compliance – Part One

March 21st, 2017
Vadim Vladimirskiy
Founder & CEO, Nerdio

With ever-expanding rules and laws concerning the handling of data, privacy, reporting requirements, and security concerns, compliance can be a resource intensive job for any client.

The financial, education, healthcare, retail, and government industries are just a few of many that have sector-specific rules and regulations that consume resources. Managed service providers (MSPs) can reduce the strain on those resources and provide documented, audit-friendly solutions by using compliant solutions as the core of their solution set.

Let’s explore one of the regulatory laws that impacts a huge number of customers: HIPAA. MSPs can ease some of the compliance requirements because of HIPAA’s rigor and the breadth of its contact with a client’s environment. Basically, if you’re HIPAA compliant, there will be a simpler road to other compliance measures.

Healthcare, HITECH, and HIPAA

Clients in this industry can move most of their IT-related HIPAA regulatory requirements into the “I’m compliant” checked bin through Nerdio.

Healthcare clients have a chaotic schedule, with many compliance-related tasks filling their day. Obviously, we all want them spending their valuable time assisting patients, not worrying about IT. The HITECH Act opened funding routes that enable Electronic Health Records (EHR), also referred to as Electronic Medical Records (EMR). While modernizing access to patient records, imaging, and test results, this Electronic Protected Health Information (ePHI) is regulated under HIPAA and brings additional compliance burdens.

Required vs. Addressable Safeguards

HIPAA safeguards fall into two categories: required and addressable. The difference is that required safeguards must be implemented, whereas addressable safeguards allow a certain amount of flexibility.

This is where the act is open to interpretation and often a point of contention, since the outcome depends on the subjective judgment of the auditor. If it is not “reasonable” to implement an addressable safeguard from the HIPAA compliance list, covered entities (which can include anyone who might have access to the ePHI data, including the janitorial staff) have the option of introducing an appropriate alternative, or of not introducing the safeguard at all.


“Addressable” doesn’t mean the safeguard can be ignored. Each addressable item needs to be explained and the decision documented. There are two opportunities here for an MSP: provide a HIPAA-compliant data solution, and additionally provide services that assist with the policies and controls for on-premises requirements outside of data handling.

By removing the need for the client to create a documented response or a new policy that’s subject to interpretation by an outside auditor, there will be one less component to worry about. This saves more time that can be focused on their core business: patients.

Now that we know the difference between the two safeguard types, stay tuned for part two, which will cover the HIPAA Security Rule and examples of the technical, physical, and administrative safeguards that accompany it, and, of course, how Nerdio will assist with HIPAA compliance.