8 Questions to Ask Your IT Provider about HIPAA Compliance

Healthcare organizations and professionals are in the business of providing vital services to patients, which means they handle sensitive information every day. While healthcare professionals are the experts in their industry, they are not expected to be Information Technology and Compliance experts.

At Bit-Wizards, we have many discussions with healthcare providers of different kinds. The one common thread of all those conversations? Managing IT and HIPAA Compliance is complicated. For medical professionals, tackling these complex requirements in-house can require a full-time position. Even then, it is challenging to make sure that you are following all the HIPAA guidelines.

Some medical offices hire a Managed IT service (or Managed Service Provider) to take care of their IT. However, if you do not research the different types of IT providers and what they offer, that choice can still leave gaps in your HIPAA Compliance.

Not all IT providers are the same

There are two main types, and they have very different business models:

Break-fix IT providers.

Break-fix IT providers are a 'hired gun' type of IT support, and they do precisely what the name says: if it breaks, they fix it. There isn't any active monitoring, continuous security features, or compliance built into this service. Break-fix IT is an older, reactive model of managing business technology.

Managed IT Service Providers.

A Managed IT service provider is a professional IT services company that provides active network and workstation monitoring, active security measures, help-desk services, comprehensive back-up solutions, and network and workstation updates. Often, an excellent managed IT service provider will fix issues before you are even aware they exist. This is a proactive model of managing business technology.

Managed IT service providers are not equal

Not all Managed IT service providers offer the same types of services. There are some key features that a Managed IT service provider needs to offer before you trust them with your HIPAA compliance needs.

Below are 8 questions that healthcare professionals should ask a potential managed IT service provider before hiring them. You can also use these questions when discussing options with your current IT service provider:

  1. Do they perform background checks on all their employees?
  2. Do they maintain security compliance with an outside agency?
  3. Do they use enterprise-grade network equipment and software? (Enterprise-grade equipment and software are rich with features and functionality, more scalable, and more customizable.)
  4. Do they use archiving processes for documents and emails?
  5. Do they have comprehensive business continuity plans for their clients and themselves if a disaster strikes? (e.g., cybersecurity attacks, hacks, hurricanes, etc.)
  6. Do they use advanced threat protection services for email security? (This should be a fundamental element of their service offering.)
  7. What are their IT response times, capacity, and Service Level Agreements (SLAs)?
  8. Do they offer semi-annual reports that can be ready at a moment's notice for you during a HIPAA audit?

There is an abundance of IT providers masquerading as managed IT service providers, so it is essential to your business's security to do some research. It is worthwhile to invest in managed IT services to ensure HIPAA Compliance.

Isn't EHR/EMR software enough for compliance?

Your Electronic Medical Records (EMR) software should always be HIPAA compliant. However, an EMR only protects the data that you enter and store within the software. If your network is unprotected or your workstations are not password-protected, you remain vulnerable to an information breach. Partnering with an authentic managed IT service provider will protect you in the areas that your EHR/EMR does not cover, including training employees on IT security best practices.

What do managed IT services usually cost?

You can expect to pay about $120-$250 per user, per month, for a compliant and comprehensive managed IT service provider. This cost usually includes all the needed productivity software, workstation and file/folder back-ups, help desk support, and more.

That might sound like a lot of money to spend on IT, but remember, health care data breach costs are consistently the highest of any industry. In 2021, the Cost of a Data Breach report found that the average cost of a health care data breach reached $9.23 million (a 29% increase over 2020).

HIPAA compliance is serious

As a healthcare provider, it's crucial to take your HIPAA Compliance seriously by partnering with an IT provider who understands the details of HIPAA. Investing in your IT now will help you avoid large fines or data breaches in the future, ensuring your medical practice's long-term success. Get a free network security assessment from our Managed IT Services team today.


Wiz E. Wig, Mascot & Director of Magic