Cheap IT is not Good IT and Can Cost You Much More in the Long Run
Here’s the thing. You own or operate a healthcare practice. It might be a physician’s practice, optometrist, dentist, or even a chiropractor.
Maybe you’re running an ambulance service. Perhaps you have an independent pharmacy in the middle of town that everyone loves.
No matter what type of healthcare entity you have there’s no doubt that you’re using computers and other forms of technology.
When you need technical support you probably call around, hire someone who’s relatively cheap to fix the issue and then go about your business. You might even have someone you reach out to every time you have a problem. It could be someone referred to you by another business owner. It might even be a family member who fixes computers as a hobby.
You hired the IT Consultant in large part because they offered service at a much more affordable rate than some of the other IT consultants in the area.
That’s great. You’re saving a few bucks and getting your computers repaired when they need to be.
That IT Consultant could end up costing far more than the established, more expensive IT consultants.
Let’s forget about the bad advice, shortcuts, and mistakes an underqualified IT consultant can make. Things like using free anti-malware programs, or not properly validating your back up solutions, or even suggesting that you can use a shared Gmail address for the entire staff to simplify things (yes, I have witnessed all of these things). There is one incredibly important reason not to hire the guy down the street who fixes your neighbor’s computer for $50.
All the businesses I listed above most likely need to have a HIPAA program in place. Part of HIPAA says that anyone (vendors) who you hire to perform work that may include potentially accessing PHI (Protected Health Information) require a Business Associate Agreement (BAA).
The Omnibus Rule states that a Business Associate, which is essentially your downstream for support of your healthcare business, can be held liable under the HIPAA rules. In fact, the OCR has stated that we can expect more enforcement directed at business associates.
In other words, if a breach occurs and IT consultant is at fault then they will be the party the OCR investigates and potentially fines.
If you don’t have a BAA in place with the IT consultant, then the OCR is going to hold you liable. If they determine that a HIPAA program was not being followed (if you don’t have a BAA with your IT consultant, then you most likely don’t have a HIPAA compliance program) you could be subject to enforcement.
HIPAA enforcement can, and usually does, include financial penalties and a corrective action plan. In many cases, the corrective action plan can cost more than the settlement. The corrective action plan will also mean you’ll need to hire a qualified IT consultant that will sign a BAA.
The few hundred dollars you saved by hiring the neighborhood guy who pushes free anti-malware programs are starting to look like a bad decision, isn’t it?
Let me try to put this another way. If you’re a chiropractor and someone came into your practice because of back pain but decided they were going to go to a friend of a friend because they can fix their back issues for a lot less money would that sit well with you? No, because they’re not qualified, and they could potentially hurt the person even more.
IT consulting is no different. You want to have qualified, experienced support to prevent breaches. You want to have someone that has as much skin in the game as you.
I belong to a lot of groups on Facebook and LinkedIn. Some are IT-focused. Some are HIPAA focused. A Break/Fix IT Consultant asked a question in one of the IT-focused groups a few days ago. The question was “A physical therapist called me about doing some work on their computer. Is there anything I need to know regarding HIPAA before I help them?”
If you must ask that question you are not qualified. Also, if you must ask that question then chances are the physical therapist does not have a HIPAA compliance program in place.
I explained that a BAA would need to be in place before you could work with them. I also advised that there’s a good chance the physical therapist is not complying with HIPAA.
For a healthcare provider to have a HIPAA compliance program someone needs to be managing their technology for security. That includes patching, scanning, logging, auditing and updating as needed. This cannot happen with a break/fix shop.
That’s not a knock on the break/fix IT consultants of the world. That’s how I started out 13 years ago. A managed services provider or in-house IT is what a healthcare practice needs. Smaller practices would use an MSP while larger organizations could afford to keep someone in-house.
Yes, a qualified MSP is going to be more expensive than your husband occasionally popping in to clear the printer and update the free anti-malware (yes, I was given this answer when contacting a dentist). In the long run, you will save yourself from headaches and heartache, and probably a few dollars.
Cheap can be more expensive
Join the Get HIPAA Compliance Facebook Group
