HIPAA Compliance for MSPs: How to Build a Healthcare Security Service Line

How MSPs can build a HIPAA compliance service line — gap assessments, BAAs, remediation delivery, and turning healthcare security into recurring revenue.

Oussama Louhaidia · Updated May 7, 2026 · 10 min read

Key Takeaways

Healthcare is the most breached sector for the fourth year running, HIPAA enforcement is accelerating, and most MSPs are already legally liable as Business Associates — they just don't know it. This guide breaks down how to build a structured HIPAA compliance service line: the BAA audit that every MSP should run today, the gap assessment process, what managed compliance looks like month-to-month, and how to price it in a way that sticks.

Healthcare has been the most breached industry sector for four consecutive years. The average cost of a healthcare data breach hit $9.8 million in 2024 — the highest of any sector and more than double the cross-industry average. The Department of Health and Human Services Office for Civil Rights (OCR) collected over $9 million in HIPAA settlements in 2024 alone, and the fines are getting bigger as enforcement matures.

If you manage IT for healthcare organisations, you are already inside this risk landscape whether or not you have a formal HIPAA service line. The question isn’t whether HIPAA is relevant to your MSP — it’s whether you’ve turned that liability into a revenue stream.

The Business Associate Problem Most MSPs Ignore

Here’s the part that surprises MSP owners: HIPAA doesn’t just regulate hospitals and clinics. It applies to Business Associates — any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity.

If you manage the IT for a dental practice, you’re a Business Associate. If you hold backup data for a medical billing company, you’re a Business Associate. If you support the EHR infrastructure at a physiotherapy clinic, you’re a Business Associate. The access doesn’t need to be intentional or frequent — it’s enough that you could encounter PHI in the course of providing your services.

This means the HIPAA Security Rule applies to you directly, not just to your clients. You need:

  • Signed Business Associate Agreements (BAAs) with every Covered Entity you serve
  • A documented risk analysis covering your own handling of ePHI
  • Workforce training on HIPAA requirements
  • Documented incident response procedures including breach notification
  • Technical and administrative safeguards for any systems that process or store ePHI

Most MSPs have none of this in place. Many have unsigned or templated BAAs sitting in a shared drive that nobody looks at. The OCR has issued fines specifically to Business Associates — including IT vendors — that failed to meet these obligations.

Run a BAA audit before anything else. Pull your client list, identify every healthcare-adjacent organisation, and check whether you have a current, signed BAA with each one. That audit is free. A breach investigation when you’re operating without a BAA is not.

What the HIPAA Security Rule Actually Requires

HIPAA’s Security Rule is more practical than its reputation suggests. It organises requirements into three categories.

Administrative Safeguards are where most gaps live. The requirement for a documented risk analysis — an actual written assessment of the risks to ePHI that the organisation holds — is the most-cited deficiency in OCR enforcement actions and has been for a decade. It’s not technically complex. It’s paperwork. But it’s specific paperwork: the risks must be identified, assessed, and documented, and the organisation must have a risk management plan that addresses those risks.

Other administrative requirements include security awareness training for the workforce, a designated Security Officer, documented access management policies, and audit procedures. For most small practices, this means a set of policies that most of them don’t have.

Physical Safeguards cover facility access controls, workstation policies, and device and media controls. For an MSP managing the practice’s IT, this maps directly onto work you’re already doing — enforcing workstation lockout policies, managing device encryption, controlling who has physical access to server rooms or network closets.

Technical Safeguards require unique user identification, automatic logoff, encryption and decryption of ePHI, audit logs, integrity controls, and encrypted transmission. Again, for an MSP, this is largely existing work — MFA, endpoint encryption, logging, and secure remote access. The gap is usually documentation and formal policy, not the controls themselves.

One important update: HHS proposed significant amendments to the HIPAA Security Rule in January 2024. The most consequential change is making encryption mandatory rather than “addressable” — removing the current opt-out pathway that allows organisations to document why they chose not to encrypt. If these updates are finalised (enforcement is expected later in 2026), unencrypted PHI transmission becomes a per se violation rather than a risk-based judgment call.

Building the Service Line

The service structure is clean and maps onto what MSPs already do.

Engagement 1: BAA Review and Risk Analysis

This is the entry point for healthcare clients who haven’t formally addressed HIPAA compliance. It’s a fixed-fee engagement covering three deliverables:

First, a BAA review — are all required agreements in place, are they current, and do they accurately reflect the services you’re providing? For most practices, this is a gap that needs immediate remediation.

Second, a documented risk analysis against the HIPAA Security Rule — identifying the ePHI the organisation holds, the systems that process it, the threats and vulnerabilities relevant to those systems, and the current state of controls. This is the foundational document that demonstrates HIPAA compliance intent. Without it, there is no HIPAA programme regardless of what else is in place.

Third, a remediation roadmap — a prioritised list of gaps with recommended controls, timelines, and cost estimates. Frame this as a 12-month programme.

For a small practice (5–20 employees, single-site), this engagement runs 3–5 days of work. Appropriate fee: $3,000–$8,000 depending on complexity and the depth of documentation required. For larger multi-site practices: $8,000–$15,000+.

Engagement 2: Managed HIPAA Compliance

This is the recurring revenue piece, and it’s where the service line pays for itself.

After the gap assessment, the practice has a remediation roadmap. Delivering against that roadmap — and maintaining compliance on an ongoing basis — maps directly onto managed services. Month-to-month, you’re delivering:

  • Workforce security awareness training with completion tracking (required by HIPAA; most practices have none)
  • Access control management: new hire provisioning, leaver de-provisioning, quarterly access reviews
  • Patch management with HIPAA-relevant prioritisation (systems that access ePHI flagged as critical)
  • Endpoint encryption monitoring and remediation
  • Audit log management and periodic review
  • Incident response: breach risk assessment for any security events, and breach notification coordination if required
  • BAA reviews when the client adds new vendors — every new cloud service that processes patient data needs a BAA before it goes live
  • Annual risk analysis update and Security Rule gap review

Annually: full policy review and update, penetration testing, and a formal risk analysis refresh.

Pricing for ongoing managed HIPAA compliance: $800–$1,500/month for a small single-site practice. $1,500–$3,000/month for mid-size multi-site operations. If you’re already managing the practice’s IT infrastructure under a managed services contract, the incremental work is lower than it looks — you’re adding documentation, training coordination, and compliance management to security controls you’re already running.

The stickiness is real. HIPAA compliance isn’t a one-time project. The regulatory obligation is continuous, the risk analysis needs updating when the environment changes, and OCR enforcement investigations don’t respect annual compliance windows. Clients who understand their liability tend to stay.

Connecting HIPAA to Your vCISO Practice

HIPAA compliance in isolation is a compliance service. HIPAA compliance inside a vCISO retainer is healthcare security governance — and that’s a different product at a different price point.

When your vCISO engagement wraps HIPAA alongside broader risk management, you’re not helping the client tick a compliance box. You’re positioning them for:

  • Cyber insurance with healthcare-appropriate coverage. Insurers are increasingly requiring documented HIPAA compliance programmes as a condition of coverage, and under-documented programmes are generating claim denials.
  • HITRUST CSF if they want third-party validation or need to contract with large health systems that require it.
  • SOC 2 Type II if they’re a healthcare technology company selling to other healthcare organisations.
  • ISO 27001 if they’re pursuing international expansion.

The control overlap is significant. A proper HIPAA risk analysis and the administrative safeguards programme are directly reusable for ISO 27001 and NIST CSF. An organisation that has done HIPAA properly has already done 50–60% of the groundwork for a multi-framework compliance programme. A GRC platform that maps controls across frameworks makes this explicit — you can show the client exactly which HIPAA controls satisfy which ISO 27001 clauses, which eliminates duplicate effort and makes the case for expanding the engagement.

The commercial argument for wrapping HIPAA in a vCISO retainer: a standalone HIPAA compliance service renews annually. A vCISO retainer that includes HIPAA compliance is a continuous security partnership. The retention dynamics are substantially different, and the client’s willingness to add scope — incident response, audit support, cyber insurance programme management — is higher when the relationship is framed as strategic security leadership rather than compliance delivery.

Selling This to Healthcare Clients

Most healthcare practices don’t think about HIPAA compliance until something forces them to — an OCR complaint, a breach, an insurer querying their security documentation, or a large client asking whether they’re HIPAA compliant before signing a contract.

If you already have the managed services relationship, you have the right to start this conversation. You’re not cold-selling a compliance stranger — you’re telling an existing client something they need to know about a liability they’re already carrying. The conversation is: “As your IT provider, we handle your patient data. Here’s what that means for both of us under HIPAA. Here’s where you currently stand. Here’s what we’d recommend.”

Most clients will say yes. Not because they care deeply about regulatory compliance in the abstract, but because you’ve just made the liability concrete and personal.

The objection you’ll encounter most often: “We use a cloud EHR system, so our vendor handles HIPAA.” This is a significant misunderstanding. A cloud EHR vendor is a Business Associate — they take on responsibility for the data they handle, not for your entire environment. The practice still has its own HIPAA Security Rule obligations, and the IT environment that accesses the EHR (workstations, mobile devices, staff credentials, network infrastructure) is still in scope. That’s the environment you’re managing.

What GetCybr Does Here

Running HIPAA compliance across multiple healthcare clients in spreadsheets — tracking risk analyses, training completion, BAA status, patch compliance for ePHI-adjacent systems — doesn’t scale past a handful of engagements.

GetCybr gives MSPs a GRC automation platform with HIPAA Security Rule controls mapped into the framework library alongside SOC 2, ISO 27001, NIST CSF, and PCI DSS. Evidence collection from your existing RMM, EDR, and identity tools feeds directly into the compliance record. When a patch misses a critical ePHI-adjacent system or an employee skips their training, the platform flags it — you catch the drift in week two, not when the client is facing an OCR investigation.

Client-facing reporting gives healthcare practices a clear view of their compliance posture without requiring them to read a 20-page spreadsheet. The annual risk analysis becomes a structured update of existing documentation rather than a ground-up rebuild.

The goal is to make HIPAA compliance a byproduct of the managed security programme you’re already running, not a separate manual workstream that burns team time every quarter.

The Market Is Already in Your Client Base

US healthcare employs 20 million people, operates 900,000 physician practices, and processes over three billion clinical encounters per year. The vast majority of those practices are small and mid-size businesses — exactly the client profile that MSPs serve.

Most of those practices have inadequate HIPAA compliance programmes. Most of the MSPs serving them have unsigned or incomplete BAAs and no formal HIPAA service offering. The liability is already present on both sides.

That’s not a warning — it’s an opportunity. The MSPs that build a structured HIPAA service line this year will have it embedded before the 2024 Security Rule updates take full effect, before the next round of OCR enforcement activity peaks, and before a competitor in their market decides to make healthcare compliance their differentiator.

The work isn’t complicated. The gap is documentation, policy, and a structured delivery model. If you already manage healthcare IT, you already have most of what you need.

Talk to GetCybr about building your HIPAA compliance practice.