HIPAA compliance for MSPs: what’s changing and what you must do now


HIPAA, the Health Insurance Portability and Accountability Act, is one of the most well-known compliance frameworks in the US and one of the most consequential for MSPs serving healthcare clients. If your MSP manages IT for hospitals, clinics, dental practices, mental health providers, health insurers, or any other organization handling protected health information (PHI), HIPAA compliance is not optional. It is a legal obligation that runs directly through the service relationship.

According to the 2026 Kaseya State of the MSP Report, 71% of MSPs reported year-over-year cybersecurity revenue growth, and HIPAA compliance services are a significant contributor for MSPs serving healthcare clients. Download the full report.

More importantly: HIPAA is changing. On December 27, 2024, the HHS Office for Civil Rights announced a Notice of Proposed Rulemaking (published in the Federal Register on January 6, 2025) that, if finalized, would be the most significant update to the HIPAA Security Rule since it was adopted in 2003. MSPs and healthcare IT teams that understand what is coming can prepare proactively rather than scrambling when the final rule drops.

Deliver HIPAA compliance as a managed service

Compliance Manager GRC provides a HIPAA Security Rule gap assessment, risk analysis workflow, BAA documentation support, and technical evidence collection across your managed environments.

What HIPAA is

HIPAA is a US federal law enacted in 1996; its Privacy, Security, and Breach Notification Rules are enforced by the HHS Office for Civil Rights (OCR). It establishes privacy and security standards for protected health information (PHI): individually identifiable health information, held or transmitted by a covered entity or business associate, that relates to a person’s past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.

The law applies to “covered entities” (healthcare providers, health plans, and healthcare clearinghouses) and, critically, to their “business associates” — any organization that creates, receives, maintains, or transmits PHI on a covered entity’s behalf.

For IT professionals, HIPAA’s Security Rule, which covers electronic PHI (ePHI), is the most operationally relevant component. It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

Who HIPAA applies to, including MSPs

Covered entities are healthcare providers that conduct standard electronic transactions (billing, referrals, eligibility checks), health plans, and healthcare clearinghouses.

Business associates are any person or organization that performs functions involving PHI on behalf of a covered entity. This includes IT service providers, cloud services hosting PHI, billing companies, legal firms handling health matters, and managed service providers.

An MSP that provides IT services to a covered entity, whether managing systems that contain PHI, providing backup that includes PHI, offering remote access to clinical systems, or managing network security, is a business associate and is directly subject to HIPAA Security Rule requirements.

Sub-contractors of business associates are also considered business associates. If an MSP uses a cloud backup vendor to store PHI backups, that vendor is a business associate of the covered entity too. HIPAA obligations flow down the supply chain.

The three HIPAA rules IT teams must know

The Privacy Rule governs how PHI may be used and disclosed. It is primarily a policy and administrative matter, but IT teams need to understand it to correctly configure access controls and disclosure logging.

The Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) is the primary technical compliance requirement. It requires covered entities and business associates to implement three categories of safeguards:

  • Administrative safeguards: Risk analysis, risk management, workforce training, access management procedures, incident response procedures.
  • Physical safeguards: Facility access controls, workstation use and security policies, device and media controls.
  • Technical safeguards: Access controls (unique user IDs, emergency access procedures, automatic logoff, encryption and decryption), audit controls (hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI), integrity controls (ensuring ePHI has not been improperly altered or destroyed), person or entity authentication (verifying that whoever requests access is who they claim to be), and transmission security (encryption of ePHI in transit).

The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to HHS within the same 60 days and, when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery; in practice the BAA usually sets a much shorter window.

The proposed Security Rule update: what MSPs need to track

The December 2024 Notice of Proposed Rulemaking (NPRM) is the most significant proposed change to the HIPAA Security Rule in over two decades. HHS targeted May 2026 for a final rule, though the comment period generated nearly 5,000 responses and the final timeline may shift. The current administration will decide whether and how to finalize it.

The direction of travel is clear regardless of the final timeline, and OCR enforcement activity already treats these areas as priorities whether or not the formal update is finalized.

The end of “addressable” specifications. The single largest structural change in the proposed rule is eliminating the distinction between “required” and “addressable” implementation specifications. Under current rules, an addressable specification is not optional: the organization must assess whether it is reasonable and appropriate, and if it decides it is not, document why and implement an equivalent alternative measure where one is reasonable. The proposed rule removes that flexibility for nearly all specifications, leaving only narrow, enumerated exceptions. Controls like MFA and encryption would become mandatory with no documentation pathway around them.

MFA for all ePHI system access. The proposal would require multifactor authentication for all access to systems that create, receive, maintain, or transmit ePHI, including remote access and onsite system access. This would close a common gap where smaller covered entities and business associates documented MFA as “not appropriate” under the addressable standard.

Encryption at rest and in transit. Encryption of ePHI would shift from addressable to required, with only narrow enumerated exceptions. Encrypted ePHI that is lost or stolen already falls outside the breach notification requirement under current rules, provided the encryption meets HHS guidance and the decryption key was not compromised along with the data: a laptop with full-disk encryption whose recovery key is on a note in the same bag does not qualify. Making encryption mandatory codifies what defensible practice already demands.

Network segmentation. The proposal would require isolating systems that handle ePHI from the rest of the network, including separation from IoT devices, building systems, and connected medical equipment. This matters for MSPs managing healthcare environments that have grown organically and accumulated flat, unsegmented infrastructure.

Vulnerability scanning and penetration testing. The proposal specifies automated vulnerability scanning at least every six months and annual penetration testing of ePHI systems, conducted by qualified cybersecurity professionals, with written documentation of findings and corrective actions.

Backup and recovery requirements. More explicit requirements for ePHI backup, including offline backup copies, documented recovery time objectives, and specific attention to backup systems targeted by ransomware. For MSPs managing healthcare BCDR, this means backup architecture and recovery testing become documented compliance evidence, not just operational best practice.

Asset inventory and network mapping. Documented inventory of all technology assets that create, receive, maintain, or transmit ePHI, updated annually and after significant environmental changes. Asset discovery tools and network mapping outputs, already standard in RMM-based IT management, become formal compliance evidence under the proposed rule.

Tightened BAA requirements. The proposed rule would require BAAs to specify the technical safeguards the business associate implements and require annual verification that those safeguards are actually in place. A signed BAA alone would no longer be sufficient — covered entities would need documented evidence that their business associates are meeting their obligations.

Business associate breach notification: 24-hour reporting. The proposed rule would require business associates to notify covered entities within 24 hours of activating their contingency plan, a much tighter trigger than today’s “without unreasonable delay, no later than 60 days” breach standard. An MSP that fails a healthcare client over to backups at 11 p.m. on a Friday would need to have notified the covered entity by 11 p.m. on Saturday, so the on-call runbook needs the client’s notification contact and a template message, not just the restore steps.

For MSPs serving healthcare clients, even the proposed changes signal where investment belongs. Whether or not the final rule matches the proposal exactly, the enforcement trajectory is already moving in this direction.

Business Associate Agreements: the MSP compliance foundation

A Business Associate Agreement (BAA) is a HIPAA-required contract between a covered entity and its business associates. Without a BAA, the covered entity cannot lawfully share PHI with the MSP. Operating as a business associate without a BAA in place violates HIPAA for both parties.

A compliant BAA must specify:

  • What PHI the business associate handles on the covered entity’s behalf
  • Permitted uses and disclosures of PHI
  • Security safeguards required, referencing the HIPAA Security Rule
  • Breach notification obligations and timelines
  • Obligations to downstream sub-contractors, including sub-BAA requirements
  • Obligations at contract termination: return or destruction of PHI

MSPs that have not executed a BAA with every healthcare client whose PHI they handle are in violation. It is one of the most consistently cited HIPAA deficiencies and one of the most easily prevented. OCR’s 2025 enforcement actions explicitly cited risk analysis and BAA failures as central findings across multiple business associate settlements.

Under the proposed rule, BAAs would need to be significantly more specific. Rather than general security obligation language, BAAs would need to identify the specific technical safeguards in place and include annual verification of compliance. MSPs should review their existing BAA templates now against the proposed requirements.

Compliance Manager GRC from Kaseya supports BAA documentation and HIPAA Security Rule gap assessment, giving MSPs a structured way to track which clients require BAAs, what commitments are in place, and what technical evidence is needed to support them. Explore Compliance Manager GRC.

HIPAA enforcement: what the penalties look like

HIPAA civil penalties are tiered by culpability. The base amounts below are adjusted annually for inflation, and the annual caps reflect the enforcement discretion HHS announced in 2019:

  • Tier 1, did not know (and could not reasonably have known): $100 to $50,000 per violation, annual cap $25,000
  • Tier 2, reasonable cause, not willful neglect: $1,000 to $50,000 per violation, annual cap $100,000
  • Tier 3, willful neglect, corrected within 30 days: $10,000 to $50,000 per violation, annual cap $250,000
  • Tier 4, willful neglect, not corrected: $50,000 per violation, annual cap $1.5 million

Criminal penalties, prosecuted by the Department of Justice, are tiered too: up to $50,000 and one year for knowingly obtaining or disclosing PHI, up to $100,000 and five years if done under false pretenses, and up to $250,000 and ten years when the intent is to sell the information or use it for commercial advantage, personal gain, or malicious harm. State attorneys general can also bring civil actions for HIPAA violations on behalf of their residents, an authority granted by the HITECH Act, alongside claims under state privacy laws, which can carry additional penalties and remediation requirements.

OCR enforcement hit a significant milestone in 2024, with 22 investigations resulting in civil monetary penalties or settlements — one of the most active enforcement years on record. In the first five months of 2025 alone, OCR announced 10 resolution agreements spanning covered entities and business associates.

The consistent finding across recent enforcement actions: failure to conduct a thorough and documented risk analysis. OCR’s 2025 enforcement actions included a $3 million settlement with a medical billing company that had not conducted a risk analysis before a ransomware attack compromised the data of 585,000 individuals. The company was a business associate, not a covered entity. Direct business associate liability is a settled enforcement reality, not a theoretical risk.

Building a HIPAA-compliant MSP practice

The following steps apply both to an MSP’s obligations as a business associate and to the compliance programs it delivers on behalf of healthcare clients.

Step 1: Identify all healthcare clients handling PHI. Know who you serve and what data flows through their environments. This determines the scope of your BAA obligations and your own compliance program.

Step 2: Execute BAAs with all covered entity clients. If signed BAAs are not in place with every healthcare client handling PHI, this is the immediate priority.

Step 3: Conduct a documented risk analysis. HIPAA requires an accurate and thorough security risk analysis, identifying risks to ePHI in the systems you manage, assessing likelihood and impact, and documenting risk management decisions. This is the administrative foundation of compliance. Without a documented risk analysis, no other technical controls can be considered defensibly compliant. OCR’s enforcement record in 2024 and 2025 makes risk analysis failure the clearest path to a settlement.

Step 4: Enforce MFA on all ePHI-system access. Given both current addressable guidance and the proposed mandatory standard, MFA on all access to systems containing PHI is necessary for defensible compliance. This includes remote access, admin accounts, and any portal with access to clinical systems.

Step 5: Implement encryption. Encrypt ePHI at rest on all managed devices and in transit across all networks. Encrypted ePHI that is lost or stolen falls outside the breach notification requirement only if the encryption meets HHS guidance and the key was not compromised with the data, so key management (no recovery keys stored on the device, escrow in the RMM or directory, keys rotated when staff with access leave) is part of the control. Done properly, encryption is both a compliance control and an incident response risk reduction tool.

Step 6: Ensure HIPAA-compliant backup. Backup of ePHI with documented recovery procedures, tested restoration capability, and offline or immutable copies that survive ransomware. Datto BCDR provides the technical capability for MSPs managing healthcare environments; the operational procedures need to be documented and tested against defined recovery time objectives.

Step 7: Implement audit logging. Log all access to systems containing ePHI, including administrative and service-account access, and review the logs on a documented schedule. The Security Rule sets no explicit retention period for logs; its six-year requirement (45 CFR 164.316(b)(2)) covers required documentation such as policies, risk analyses, and review records. Many organizations apply the same six years to audit logs; whichever period you choose, record it and its rationale in the risk analysis, and keep the logs where a ransomware operator who compromises the host cannot delete them.

Step 8: Document and test incident response. The proposed rule would require annual testing of formal incident response plans. Getting incident response procedures documented and tested now positions you ahead of the requirement and closes a gap that OCR enforcement has cited repeatedly.
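Step 7 says to review the logs; the following Python shows what a review pass can look for on a system in ePHI scope, and it also surfaces the Step 4 gap (a login without MFA) and the access-management gap of an account that should have been disabled. It is an added example, not code from this page or from any Kaseya product; the pipe-delimited log format, the account names, the terminated-user list and the bulk-access thresholds are constructed assumptions:

```python
"""Review an ePHI system's audit log for the conditions a Security Rule
reviewer should see first: logins without MFA, activity from accounts that
should have been disabled, and one user opening many patient records in a
short window. Added example, not code from the page or from any Kaseya
product; the log format, account names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical pipe-delimited format:
# timestamp|user|system|event|mfa|patient_id|src_ip
SAMPLE_LOG = """\
2025-03-07T09:12:04Z|jdoe|ehr-prod|login|yes|-|10.20.1.15
2025-03-07T09:13:10Z|jdoe|ehr-prod|record_view|yes|P10001|10.20.1.15
2025-03-07T09:40:22Z|jdoe|ehr-prod|record_view|yes|P10002|10.20.1.15
2025-03-07T22:41:55Z|svc-backup|ehr-db|login|no|-|10.20.9.3
2025-03-07T23:02:11Z|mwong|ehr-prod|login|yes|-|203.0.113.8
2025-03-07T23:02:40Z|mwong|ehr-prod|record_view|yes|P10002|203.0.113.8
2025-03-07T23:03:05Z|mwong|ehr-prod|record_view|yes|P10003|203.0.113.8
2025-03-07T23:03:31Z|mwong|ehr-prod|record_view|yes|P10004|203.0.113.8
2025-03-07T23:04:02Z|mwong|ehr-prod|record_view|yes|P10005|203.0.113.8
2025-03-07T23:04:29Z|mwong|ehr-prod|record_view|yes|P10006|203.0.113.8
2025-03-07T23:05:00Z|mwong|ehr-prod|record_view|yes|P10007|203.0.113.8
2025-03-08T01:15:00Z|tsmith|ehr-prod|login|yes|-|10.20.1.40
"""

# Accounts HR reported as terminated before this log window (assumption).
TERMINATED_USERS = {"tsmith"}

# Thresholds are assumptions; set them in the documented risk analysis.
BULK_VIEW_THRESHOLD = 5                 # distinct patients ...
BULK_VIEW_WINDOW = timedelta(hours=1)   # ... within this window


def parse_log(text):
    """Parse pipe-delimited lines into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, system, event, mfa, patient, src_ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "system": system, "event": event,
            "mfa": mfa == "yes",
            "patient": None if patient == "-" else patient,
            "src_ip": src_ip,
        })
    return events


def review(events, terminated=TERMINATED_USERS):
    """Return (rule, user, detail) findings for the reviewer's sign-off."""
    findings = []
    views = defaultdict(list)                 # user -> [(ts, patient_id)]
    for e in events:
        when = e["ts"].isoformat()
        if e["event"] == "login" and not e["mfa"]:
            findings.append(("NO_MFA", e["user"],
                             f"{e['system']} login from {e['src_ip']} at {when}"))
        if e["user"] in terminated:
            findings.append(("TERMINATED_ACCOUNT", e["user"],
                             f"{e['event']} on {e['system']} at {when}"))
        if e["event"] == "record_view" and e["patient"]:
            views[e["user"]].append((e["ts"], e["patient"]))
    # Sliding window over each user's record views, ordered by time.
    for user, items in views.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {p for t, p in items[i:] if t - start <= BULK_VIEW_WINDOW}
            if len(seen) >= BULK_VIEW_THRESHOLD:
                findings.append(("BULK_ACCESS", user,
                                 f"{len(seen)} patients within {BULK_VIEW_WINDOW} from {start.isoformat()}"))
                break                         # one finding per user is enough
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:<19} {user:<11} {detail}")
```

Run it and three findings print: a service account logging into the database without MFA, a terminated user still able to log in, and one user opening six patient records in under three minutes from an external address. The findings list, dated and signed off, is the review evidence to retain; the thresholds and the review cadence belong in the documented risk analysis, and the log source itself should be a copy the monitored host cannot alter.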

Compliance Manager GRC includes a HIPAA Security Rule assessment module that allows MSPs to track compliance status against current requirements, conduct and document risk analyses, map controls to the Security Rule, and generate evidence for OCR audits or client security reviews. Explore it here.

Key Takeaways

  • MSPs managing systems containing PHI are business associates directly subject to HIPAA. BAAs are legally required, and their absence is a common enforcement citation. Direct business associate liability has been demonstrated repeatedly in OCR settlements.
  • The proposed December 2024 Security Rule update would make MFA, encryption, network segmentation, vulnerability scanning, and annual penetration testing required rather than addressable. Organizations should prepare regardless of the final rule’s timeline.
  • Encrypted PHI that is breached falls outside the breach notification requirement only when the encryption meets HHS guidance and the key was not also compromised. Encryption is both a compliance requirement and an incident response risk management tool.
  • Risk analysis is the administrative foundation of HIPAA compliance. OCR’s 2025 enforcement actions resulted in settlements from $25,000 to $3 million, with risk analysis failure the most common central finding.
  • The proposed rule would require business associates to notify covered entities within 24 hours of activating an incident response plan. MSPs need documented, tested incident response procedures before that requirement takes effect.
