If your organization handles protected health information (PHI), you already know that HIPAA compliance isn’t optional. What you may not realize is that your Managed Service Provider shares responsibility for protecting that data, and if they’re cutting corners, your organization is the one that will pay the price.

We’ve reviewed dozens of MSP contracts for healthcare organizations, medical practices, and businesses that handle PHI. The pattern is disturbingly consistent: MSPs promise HIPAA compliance in their sales pitch but fail to deliver the technical safeguards, documentation, and ongoing vigilance that the law actually requires.

This guide breaks down exactly what your MSP should be doing to maintain HIPAA compliance and how to verify they’re actually doing it.

Understanding MSP Responsibility Under HIPAA

Before diving into specific requirements, it’s worth understanding how HIPAA applies to your MSP relationship.

Under HIPAA, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is classified as a Business Associate. This includes your MSP from the moment it touches any system that stores or processes patient data, which in practice means virtually every MSP serving healthcare organizations.

As a Business Associate, your MSP is directly liable for HIPAA violations. But here’s where it gets complicated: you, as the covered entity, are also liable if you knew or should have known that your Business Associate wasn’t complying with HIPAA requirements.

This means you can’t simply trust your MSP when they say they’re HIPAA compliant. You have a legal obligation to verify their compliance practices and hold them accountable.

The Business Associate Agreement: Your First Line of Defense

Every MSP relationship involving PHI must be governed by a Business Associate Agreement (BAA). This isn’t a suggestion. It’s a legal requirement. Yet we regularly encounter organizations that either have no BAA in place or have a BAA that’s so vague it provides no real protection.

What Your BAA Must Include

A compliant BAA must specify:

  • Permitted uses and disclosures of PHI: The agreement should clearly define what your MSP can and cannot do with patient data
  • Safeguards the MSP will implement: This should reference specific technical, administrative, and physical safeguards
  • Breach notification requirements: The BAA must specify how quickly the MSP will notify you of any security incident (HIPAA requires notification within 60 days, but best practice is 24-72 hours)
  • Subcontractor requirements: If your MSP uses third-party vendors (cloud providers, backup services, etc.), the BAA must require them to also comply with HIPAA
  • Termination provisions: The agreement should specify how PHI will be handled if you end the relationship

Red Flags to Watch For

Be wary if your MSP:

  • Resists signing a BAA or claims their standard contract “covers it”
  • Provides a generic one-page BAA that lacks specific security requirements
  • Can’t produce their own BAAs with subcontractors they use
  • Hasn’t updated their BAA since HIPAA was last amended

Encryption: The Non-Negotiable Safeguard

HIPAA requires that PHI be protected both at rest (stored on servers, drives, and backups) and in transit (moving across networks). Encryption is the gold standard for meeting this requirement, and your MSP should be implementing it comprehensively.

What Compliant Encryption Looks Like

Your MSP should be providing:

  • Full-disk encryption on all workstations and laptops: Any device that might access PHI must be encrypted. AES-256 is the current standard.
  • Encrypted backups: Backup files containing PHI must be encrypted, not just the transmission of backups to off-site storage
  • Email encryption: PHI should never travel via unencrypted email. Your MSP should have implemented encrypted email solutions or secure patient portals
  • VPN or encrypted connections: Remote access to systems containing PHI must occur through encrypted tunnels
  • Database encryption: Where possible, PHI should be encrypted at the database level, not just the file system level

Common MSP Shortcuts

We frequently find MSPs:

  • Encrypting laptops but not desktop workstations (assuming desktops are “safe” because they don’t leave the office)
  • Using outdated encryption standards
  • Failing to encrypt backup tapes or drives that are stored off-site
  • Relying on TLS to protect email in transit without implementing actual message-level encryption
  • Not encrypting data stored in cloud applications

Access Controls: Who Can See What

HIPAA’s “minimum necessary” standard requires that access to PHI be limited to only those who need it to perform their job functions. Your MSP plays a crucial role in implementing and maintaining these access controls.

What Your MSP Should Implement

  • Role-based access control (RBAC): Users should be assigned to roles that grant only the permissions they need
  • Unique user identification: Every person accessing systems with PHI must have their own credentials. No shared accounts
  • Automatic logoff: Systems should lock after a period of inactivity
  • Strong authentication: Multi-factor authentication (MFA) should be required for accessing any system containing PHI
  • Regular access reviews: User permissions should be audited at least quarterly to remove unnecessary access

Questions to Ask Your MSP

  • How do you provision new user accounts, and what approval process exists?
  • How quickly are terminated employees’ accounts disabled?
  • Do you maintain an inventory of all users with access to PHI systems?
  • When was the last access review conducted, and can I see the results?
  • Is MFA enabled on all accounts that can access PHI, including admin accounts?

Audit Logs: The Evidence You Need

If a breach occurs, the first question investigators will ask is: what does your audit trail show? HIPAA requires that covered entities maintain audit logs that track access to PHI. Your MSP should be implementing and monitoring these logs.

What Should Be Logged

  • All successful and failed login attempts
  • Access to files, databases, or applications containing PHI
  • Changes to access permissions
  • System configuration changes
  • Email activity involving PHI
  • Data exports or downloads

What Your MSP Should Provide

  • Centralized log management: Logs from all systems should be aggregated in a central, tamper-resistant location that is separate from the systems being monitored
  • Retention: Logs must be retained for at least six years (HIPAA’s documentation retention requirement)
  • Regular review: Someone should be reviewing logs for suspicious activity, not just storing them
  • Alerting: Automated alerts should trigger when unusual access patterns are detected
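The "regular review" and "alerting" items above are easiest to judge when you can see what an automated review actually does. The following is an added example, not code from the article or from any MSP's toolset: it parses a small, constructed audit trail and applies three checks that map to the logging requirements listed earlier (failed-login bursts, PHI access outside business hours, and PHI access by accounts missing from the authorized inventory). The log format, field names, user names, thresholds and business-hours window are all assumptions for the example; a real deployment would read these from the MSP's log platform and from the access inventory the article says they must maintain.

```python
# Added example (not from the original article): a minimal audit-log review
# over constructed sample events. Format, names and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail. A pipe-delimited format is assumed here:
# timestamp | event | user | resource | outcome
SAMPLE_LOG = """\
2024-03-04T08:55:10|login|jdoe|vpn|success
2024-03-04T09:01:22|phi_access|jdoe|ehr-db|success
2024-03-04T02:14:05|phi_access|ksmith|ehr-db|success
2024-03-04T11:30:00|login|mlee|vpn|failure
2024-03-04T11:30:07|login|mlee|vpn|failure
2024-03-04T11:30:15|login|mlee|vpn|failure
2024-03-04T11:30:21|login|mlee|vpn|failure
2024-03-04T11:30:28|login|mlee|vpn|failure
2024-03-04T11:30:40|login|mlee|vpn|success
2024-03-04T14:05:00|phi_access|contractor1|ehr-db|success
2024-03-04T15:00:00|perm_change|admin|rbac|success
"""

# Assumed policy inputs. In practice these come from the access inventory
# and the organization's own definition of "unusual" activity.
AUTHORIZED_PHI_USERS = {"jdoe", "ksmith"}
BUSINESS_HOURS = (7, 19)                 # 07:00 inclusive to 19:00 exclusive
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed format into dicts; count malformed lines instead of dropping them silently."""
    events, malformed = [], 0
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            malformed += 1
            continue
        ts, event, user, resource, outcome = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            malformed += 1
            continue
        events.append({"time": when, "event": event, "user": user,
                       "resource": resource, "outcome": outcome})
    return events, malformed


def find_failed_login_bursts(events):
    """Return users with >= FAILED_LOGIN_THRESHOLD failures inside a sliding FAILED_LOGIN_WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            failures[e["user"]].append(e["time"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in the window.
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                flagged.add(user)
                break
    return flagged


def find_after_hours_phi_access(events):
    """PHI reads outside business hours, even by otherwise authorized users."""
    lo, hi = BUSINESS_HOURS
    return [(e["user"], e["time"].isoformat()) for e in events
            if e["event"] == "phi_access" and not (lo <= e["time"].hour < hi)]


def find_unauthorized_phi_access(events):
    """PHI reads by accounts absent from the authorized inventory."""
    return sorted({e["user"] for e in events
                   if e["event"] == "phi_access" and e["user"] not in AUTHORIZED_PHI_USERS})


def review(text):
    """Run all checks and return a findings dict that an alerting pipeline could consume."""
    events, malformed = parse_log(text)
    return {
        "malformed_lines": malformed,
        "failed_login_bursts": sorted(find_failed_login_bursts(events)),
        "after_hours_phi_access": find_after_hours_phi_access(events),
        "unauthorized_phi_access": find_unauthorized_phi_access(events),
    }


if __name__ == "__main__":
    for check, result in review(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

On the constructed input the review flags one failed-login burst (mlee, five failures in under a minute), one after-hours PHI read (ksmith at 02:14) and one PHI read by an account outside the authorized set (contractor1). The point for an MSP audit is not this particular script but that some equivalent of each check exists, runs on a schedule against logs held off the monitored systems, and produces findings someone is accountable for reading.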

The Reality We See

Many MSPs:

  • Have logging enabled but never review the logs
  • Retain logs for only 30-90 days
  • Can’t produce logs when requested
  • Have no alerting configured
  • Store logs on the same systems they’re meant to protect (meaning an attacker could delete them)

Incident Response: When Things Go Wrong

HIPAA requires both a documented incident response plan and the capability to execute it. Your MSP should be prepared to detect, respond to, and help you recover from security incidents.

What Your MSP’s Incident Response Should Include

  • A documented incident response plan: This should be specific to your organization, not a generic template
  • Defined roles and responsibilities: Who at the MSP is responsible for what during an incident?
  • Detection capabilities: How will the MSP know if a breach occurs? What monitoring is in place?
  • Containment procedures: How will they stop an attack from spreading?
  • Forensic capability: Can they preserve evidence and determine what data was affected?
  • Communication procedures: How and when will you be notified?
  • Recovery procedures: How will systems be restored to normal operation?

Testing Is Essential

An incident response plan that’s never been tested is just a document. Your MSP should be:

  • Conducting tabletop exercises at least annually
  • Performing penetration testing to identify vulnerabilities
  • Running simulated phishing attacks to test employee awareness
  • Documenting lessons learned and updating procedures accordingly

Security Awareness Training: The Human Factor

HIPAA requires that workforce members receive training on policies and procedures related to PHI. While you may handle some training internally, your MSP should be supporting these efforts.

What Your MSP Should Provide or Support

  • Phishing simulation: Regular simulated phishing attacks to test and train employees
  • Security awareness content: Training materials on topics like password security, social engineering, and safe computing practices
  • HIPAA-specific training: Employees who handle PHI need training on HIPAA requirements, not just general security awareness
  • Training documentation: Records of who has been trained and when, which you’ll need for compliance audits
  • Ongoing reinforcement: Annual training is the minimum; best practice is ongoing awareness campaigns

Penalties for Non-Compliance: The Cost of Cutting Corners

HIPAA violations aren’t just a legal risk. They carry significant financial penalties that can threaten your organization’s survival.

Civil Penalties

HIPAA violations are categorized into tiers based on the level of culpability:

  • Tier 1 (Unknowing): $100 to $50,000 per violation, up to $25,000 per year for repeat violations
  • Tier 2 (Reasonable Cause): $1,000 to $50,000 per violation, up to $100,000 per year
  • Tier 3 (Willful Neglect, Corrected): $10,000 to $50,000 per violation, up to $250,000 per year
  • Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation, up to $1.5 million per year

Criminal Penalties

In cases of knowing or malicious violations, individuals can face:

  • Up to one year in prison for knowing violations
  • Up to five years for violations committed under false pretenses
  • Up to ten years for violations with intent to sell or use PHI for personal gain

The Real Cost

Beyond fines and potential jail time, consider:

  • Breach notification costs (required for any breach affecting 500+ individuals)
  • Credit monitoring services for affected patients
  • Regulatory investigations and legal fees
  • Reputation damage and lost patients
  • Increased insurance premiums
  • Potential lawsuits from affected individuals

Your HIPAA Compliance Verification Checklist

Use this checklist to audit your MSP’s HIPAA compliance:

Business Associate Agreement

  • Current, signed BAA is on file
  • BAA specifies technical safeguards in detail
  • BAA includes breach notification timeline (24-72 hours)
  • MSP can provide BAAs with their subcontractors

Encryption

  • All workstations and laptops use full-disk encryption
  • Backups are encrypted at rest and in transit
  • Encrypted email solution is implemented
  • Remote access occurs through encrypted VPN
  • Encryption keys are properly managed and rotated

Access Controls

  • Role-based access control is implemented
  • All users have unique credentials (no shared accounts)
  • Multi-factor authentication is required for PHI access
  • Automatic logoff is configured on all systems
  • Terminated users are disabled within 24 hours
  • Access reviews are conducted at least quarterly

Audit Logs

  • Comprehensive logging is enabled on all PHI systems
  • Logs are retained for at least six years
  • Logs are stored in a secure, centralized location
  • Regular log reviews are conducted
  • Automated alerting is configured for suspicious activity

Incident Response

  • Documented incident response plan exists
  • Plan has been tested within the past year
  • 24/7 monitoring and response capability exists
  • Forensic capability is available
  • Communication procedures are clearly defined

Training

  • Security awareness training is provided at least annually
  • Phishing simulations are conducted regularly
  • Training records are maintained
  • HIPAA-specific training is included

Taking Action on HIPAA Compliance

HIPAA compliance isn’t a one-time checkbox. It’s an ongoing commitment that requires vigilance, documentation, and accountability. Your MSP is a critical partner in maintaining that compliance, but they’re not going to hold themselves accountable.

If you’re unsure whether your MSP is meeting their HIPAA obligations, you’re not alone. We’ve helped healthcare organizations across Mississippi uncover gaps in their MSP’s compliance practices and hold them accountable to the standards they promised.

The cost of an audit is a fraction of what a HIPAA violation could cost your organization. More importantly, it’s about protecting your patients and ensuring the MSP you’re paying is actually doing their job.

Ready to verify your MSP’s HIPAA compliance? Schedule a free consultation with our team. We’ll review your current situation, identify potential gaps, and help you understand what your MSP should be doing differently.

Mr. Fix IT Geeks is an MSP accountability consulting firm based in Jackson, Mississippi. We help businesses audit their MSP contracts and ensure they receive every IT service they pay for. We’re not an MSP. We advocate for you.
