Everything You Know About HIPAA Is Changing: An Early Look at How to Prepare Your MSP

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The newly proposed HIPAA policy changes could have significant impacts on how MSPs and IT teams remain compliant with regulations.

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required.
  • Require written documentation of all Security Rule policies, procedures, plans and analyses.
  • Add specific compliance time periods for many existing requirements, and require an audit of security controls at least once every 12 months.
  • Require the development and revision of a technology asset inventory and a network map at least once every 12 months.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written risk assessment.

Why upcoming HIPAA policy changes matter to MSPs:

If you support healthcare companies, you will need to help them meet the new list of security, compliance and audit controls in 2025. Healthcare companies that historically have not seen an ROI on security or compliance are going to be forced to comply with the new HIPAA policy changes in order to remain licensed, get insurance, or be paid by Medicare/Medicaid. Healthcare buyers are going to start asking about HIPAA, compliance services and security upgrades like penetration testing.

What should MSPs be doing to prepare:

This is the time to design and market a healthcare-specific offering to meet your clients’ needs, expand your business and manage risk. Evaluate your ability to properly assess network compliance and provide risk management solutions to your clients. Consider implementing solutions like Compliance Manager GRC to automate key components of compliance. Explore new security tools that help you design HIPAA-compliant solutions for your customers, so you stay ahead of the trend before your competitors sell into your book of business.

Kaseya works hard to stay ahead of these changing regulations to make sure you can deliver automated and integrated solutions to meet these standards. Discover how you can master infrastructure audits, compliance and risk management with Kaseya’s Audit & Compliance Solutions.
