Guest Blog by Mike Semel, Semel Consulting
There has been a lot of talk about regulating MSPs, or about having the IT industry self-regulate the way the credit card companies did with PCI. Many MSPs point to Louisiana's requirement that MSPs register with the state before serving public bodies as the beginning of regulation, and see it as the first step towards MSP licensing.
News Flash – MSPs are already regulated. Some of the compliance requirements are self-managed or even self-inflicted, and the rest flow down from clients.
If you understand your requirements, they aren't difficult to manage. But if you don't know them, you can get into trouble and put your client relationships at risk.
STATE DATA BREACH LAWS
All U.S. states and Canada have data breach laws. These laws protect Personally Identifiable Information (PII), including Social Security Numbers, driver's license numbers, and banking information. Many states protect medical information no matter who holds it, unlike HIPAA, which applies only to healthcare providers, health plans, and healthcare clearinghouses, plus the business associates that support them.
These laws apply to the data on your own network, not just your clients' data. Encrypt data at rest and in transit on the workstations, servers, laptops, and phones your workforce uses (that protects you, too!), and confirm that the client-facing cloud and backup platforms you resell or manage are secured and encrypted as well. Many state laws waive breach notification when the lost data was encrypted and the keys were not compromised, so documented encryption is a compliance control, not just a security one.
FEDERAL LAWS
If you have even one healthcare client, or one business client that must comply with HIPAA, you must comply too: as a business associate you sign a Business Associate Agreement and are directly liable under the HIPAA Security Rule and the Breach Notification Rule.
The CMMC 2.0 regulations specifically bring Managed Service Providers (which CMMC calls External Service Providers) and the tools they use into the scope of their defense contractor clients' Level 2 assessments. If an MSP's RMM, backup, or ticketing platform touches Controlled Unclassified Information, it gets assessed along with the client.
CMMC Level 2 maps to the 110 requirements of NIST SP 800-171, which are far more prescriptive than the HIPAA Security Rule. If you can meet the CMMC requirements, HIPAA is easy.
FTC RULES
The Federal Trade Commission (FTC) regulates most U.S. businesses under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices. That includes false advertising about security: in one case, displaying a HIPAA Seal of Compliance and then failing to comply was treated as a deceptive practice and resulted in a consent order with a 20-year monitored compliance program. Claims on your website and in your proposals are commitments the FTC can hold you to.
SELF-INFLICTED REQUIREMENTS
Self-inflicted compliance requirements arise when you sign a contract with a client that imposes special requirements as a condition of getting their business, such as a security addendum, a Business Associate Agreement, or the controls you attested to in their vendor questionnaire. Once signed, those terms are obligations, whether or not you ever read them closely.
The same is true of insurance. You agree to the terms of your Errors and Omissions insurance and your cyber liability insurance when you apply for the policies. The answers on your applications (MFA on remote access, tested backups, endpoint protection, and so on) become compliance requirements that you must consistently adhere to, and keep evidence of, or you risk having a claim denied when you need it most.
Mike Semel
President Semel Consulting LLC
semelconsulting.com
Mike is a well-known authority on HIPAA and cybersecurity. He is also a member of the Association of Cybersecurity Business Authorities. Find out more at mikesemel.com/AOCBA.