Managed service providers that handle, transmit, or store protected health information (PHI) on behalf of covered entities are Business Associates under HIPAA — and that designation carries real legal and financial exposure. The HHS Office for Civil Rights has levied fines against MSPs, not just the healthcare organizations they serve. This checklist covers every technical safeguard, administrative control, and audit-readiness requirement your MSP must address in 2025.
Why MSPs Are Directly Liable Under HIPAA
The HIPAA Omnibus Rule of 2013 made Business Associates directly liable for HIPAA violations — not just the covered entities they serve. If your MSP manages IT infrastructure, provides remote monitoring, or hosts systems that touch PHI, you are a Business Associate. A signed Business Associate Agreement (BAA) does not limit your liability; it formalizes it.
Penalties are tiered by culpability. The base statutory amounts run from $100 per violation where the Business Associate did not know, and with reasonable diligence could not have known, of the violation, up to $50,000 per violation for willful neglect not corrected within 30 days, with an annual cap per violation category of roughly $1.9 million. HHS adjusts these figures upward for inflation each year, so the amounts in force when a penalty is assessed are higher than the base figures. The reputational damage from a breach notification is often worse than the fine.
Key Insight
OCR's enforcement trend shows increasing scrutiny of MSPs and cloud service providers. The 2023 enforcement actions included settlements with two MSPs whose clients experienced ransomware attacks that exposed PHI.
The Technical Safeguards Checklist
HIPAA's Security Rule (45 CFR § 164.312) specifies the technical safeguards covered entities and their Business Associates must implement. For MSPs, these translate directly into RMM-visible controls.
Access Control (§ 164.312(a)(1))
- Unique user identification (required): every user account accessing PHI systems must have a unique identifier; no shared accounts
- Emergency access procedure (required): documented and tested procedure for obtaining access to PHI during an emergency
- Automatic logoff (addressable): sessions accessing PHI must time out after a defined period of inactivity
- Encryption and decryption (addressable): encrypt PHI at rest with NIST-approved algorithms such as AES-256; "addressable" means you must either implement the control or document why an equivalent alternative is reasonable, and in practice encryption consistent with HHS guidance (NIST SP 800-111 for data at rest, NIST SP 800-52 for TLS in transit) is also what makes PHI "secured", so that loss of an encrypted device or file is not a reportable breach
Audit Controls (§ 164.312(b))
- Hardware, software, and procedural mechanisms to record and examine activity in systems containing PHI
- Log retention: HIPAA sets no explicit retention period for audit logs; the six-year figure most auditors expect comes from the documentation retention requirement in § 164.316(b)(2). Define the retention period in policy and be able to produce logs covering it
- Log review: the Security Rule requires regular information system activity review (§ 164.308(a)(1)(ii)(D)) but sets no interval; review logs at minimum quarterly, ideally continuously, and keep a record of each review
- Tamper-evident logging: logs must be protected from unauthorized modification and deletion, for example by forwarding them to an append-only store outside the administrative control of the systems that generate them
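One way to make a log tamper-evident rather than merely access-controlled is to chain the records: each entry carries a keyed hash (HMAC-SHA256) over its own fields and the previous entry's hash, so an edit, deletion or reordering after the fact breaks the chain for every later record. This is an added example written for this checklist, not code from any product or from the page's author; the events, hostnames and signing key are constructed, and the key is assumed to live on the log collector rather than the monitored PHI system.

```python
"""Tamper-evident audit log: each record carries an HMAC-SHA256 over
(previous hash || canonical record), so edits, deletions or reordering
break the chain. Added example; log records, key and hosts are constructed.
"""
import hashlib
import hmac
import json
from typing import Iterable, List, Optional

# Constructed signing key. Keep it on the log collector (or an HSM), not on
# the PHI system being recorded, so an attacker who owns that system cannot
# re-sign a doctored history.
KEY = b"constructed-demo-key-rotate-me"
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    """Stable JSON encoding so the same event always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, record: dict, key: bytes = KEY) -> str:
    """HMAC over the previous hash concatenated with the canonical record."""
    return hmac.new(key, prev_hash.encode() + _canonical(record), hashlib.sha256).hexdigest()


def append(log: List[dict], event: dict, key: bytes = KEY) -> dict:
    """Append an event and link it to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "event": event, "prev": prev}
    entry["hash"] = chain_hash(prev, {"seq": entry["seq"], "event": event}, key)
    log.append(entry)
    return entry


def verify(log: Iterable[dict], key: bytes = KEY) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad entry.
    Catches edited fields, hashes recomputed without the key, and deleted or
    reordered entries. Truncating the tail is NOT caught here: anchor the
    latest hash somewhere the log host cannot overwrite (ship it off-host).
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq or entry["prev"] != prev:
            return entry["seq"]
        want = chain_hash(prev, {"seq": entry["seq"], "event": entry["event"]}, key)
        if not hmac.compare_digest(want, entry["hash"]):
            return entry["seq"]
        prev = entry["hash"]
    return None


def build_demo_log() -> List[dict]:
    """Constructed sample: three PHI-system events from an RMM-style feed."""
    log: List[dict] = []
    append(log, {"ts": "2025-01-10T08:00:03Z", "user": "jdoe", "host": "ehr-db01", "action": "login"})
    append(log, {"ts": "2025-01-10T08:02:41Z", "user": "jdoe", "host": "ehr-db01",
                 "action": "export_patient_records", "count": 1200})
    append(log, {"ts": "2025-01-10T08:05:00Z", "user": "jdoe", "host": "ehr-db01", "action": "logout"})
    return log


def tamper_demo() -> Optional[int]:
    """An insider shrinks the export count after the fact. Even if they
    recompute a plain SHA-256 over the record, without the HMAC key the
    chain fails at that entry."""
    log = build_demo_log()
    log[1]["event"]["count"] = 12
    return verify(log)  # -> 1


if __name__ == "__main__":
    print("intact:", verify(build_demo_log()))
    print("first bad entry after tampering:", tamper_demo())
```

The chain only proves integrity relative to whoever holds the key; if the PHI system can reach the key, an attacker on that system can rewrite history and re-sign it. Verification itself is what you keep as audit evidence: record when the chain was checked and by whom.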
Integrity Controls (§ 164.312(c)(1))
- Electronic mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized manner
- File integrity monitoring on systems storing or processing PHI
- Hash verification for PHI transmitted between systems, using a keyed hash (HMAC) or a signature rather than a bare digest, so that an attacker who can alter the data in transit cannot simply recompute the hash to match
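The transfer check described above, as an added example that is not part of the original page or any product: the sender emits a manifest of SHA-256 digests plus an HMAC-SHA256 tag over that manifest, and the receiver verifies the tag first and then every file. The sample files, file names and shared key are constructed; in practice the key is exchanged out of band, or the tag is replaced by a signature from a key only the sender holds.

```python
"""Integrity manifest for PHI files moved between systems. A plain unkeyed
hash only detects accidental corruption (whoever alters the file can also
rewrite the hash); the keyed tag over the manifest closes that gap.
Added example; files, names and key are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed shared key (assumed to be exchanged out of band).
MANIFEST_KEY = b"constructed-transfer-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(digests: Dict[str, str]) -> bytes:
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes = MANIFEST_KEY) -> dict:
    """Sender side: digest every file, then tag the digest list with the key."""
    digests = {name: sha256_hex(content) for name, content in sorted(files.items())}
    return {"digests": digests,
            "tag": hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()}


def check_transfer(files: Dict[str, bytes], manifest: dict, key: bytes = MANIFEST_KEY) -> List[str]:
    """Receiver side: return a list of problems (empty list means intact).
    Verifies the manifest tag before trusting any digest, then every file,
    and flags files promised but not delivered or delivered but not promised."""
    problems: List[str] = []
    expected_tag = hmac.new(key, _manifest_body(manifest["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        problems.append("manifest tag invalid: manifest altered or wrong key")
        return problems  # nothing in the manifest can be trusted
    for name, digest in manifest["digests"].items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), digest):
            problems.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest["digests"]:
            problems.append(f"unexpected extra file: {name}")
    return problems


# Constructed sample transfer: two lab exports.
SAMPLE_FILES = {
    "labs_2025-01-10.csv": b"mrn,test,result\n000123,HbA1c,6.1\n000456,LDL,131\n",
    "labs_2025-01-11.csv": b"mrn,test,result\n000789,TSH,2.4\n",
}


def demo_tampered() -> List[str]:
    """Attacker edits a lab result in transit and recomputes the plain
    SHA-256 in the manifest; the keyed tag still catches it."""
    manifest = build_manifest(SAMPLE_FILES)
    received = dict(SAMPLE_FILES)
    received["labs_2025-01-10.csv"] = received["labs_2025-01-10.csv"].replace(b"6.1", b"9.1")
    forged = {"digests": dict(manifest["digests"]), "tag": manifest["tag"]}
    forged["digests"]["labs_2025-01-10.csv"] = sha256_hex(received["labs_2025-01-10.csv"])
    return check_transfer(received, forged)


if __name__ == "__main__":
    print("clean transfer:", check_transfer(SAMPLE_FILES, build_manifest(SAMPLE_FILES)))
    print("tampered transfer:", demo_tampered())
```

Returning early on a bad tag is deliberate: once the manifest itself is suspect, per-file results would only tell an attacker which forgery attempt failed.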
Transmission Security (§ 164.312(e)(1))
- Encryption of PHI in transit: TLS 1.2 minimum, TLS 1.3 preferred
- No PHI in email unless the message itself is encrypted end to end; opportunistic TLS between mail servers is not sufficient, since it can be absent on any hop and the message sits unencrypted on every server along the way
- VPN or equivalent encryption for remote access to PHI systems
- Certificate management: expired or self-signed certificates on PHI-adjacent systems must be flagged and remediated, and expiry dates tracked so renewals happen before a lapse; a self-signed certificate is indistinguishable from a man-in-the-middle and trains operators to click through warnings
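A transmission-security check an MSP can run over a certificate and TLS inventory (the kind an RMM or vulnerability scanner exports), as an added example that is not part of the original page or any product: it flags endpoints negotiating below TLS 1.2, self-signed or already-expired certificates, and certificates inside a renewal window. The inventory records, hostnames, dates, the 30-day renewal window and the field names are all constructed assumptions about what such an export contains.

```python
"""Audit a TLS/certificate inventory against the transmission-security
items above. Added example; records, hosts, dates and field names are
constructed assumptions about an RMM or scanner export.
"""
from datetime import date, datetime
from typing import Dict, List, Tuple

MIN_TLS = (1, 2)   # TLS 1.2 minimum; TLS 1.3 preferred
RENEW_DAYS = 30    # assumed renewal window for the example


def parse_tls(version: str) -> Tuple[int, int]:
    """'TLSv1.2' / 'TLS 1.0' / '1.3' -> (major, minor) for comparison."""
    digits = version.upper().replace("TLSV", "").replace("TLS", "").strip()
    major, minor = digits.split(".")
    return int(major), int(minor)


def audit_endpoint(rec: Dict[str, str], today: date, renew_days: int = RENEW_DAYS) -> List[str]:
    """Return the findings for one endpoint record (empty list = compliant)."""
    findings: List[str] = []
    if parse_tls(rec["min_tls"]) < MIN_TLS:
        findings.append(f"{rec['host']}: negotiates {rec['min_tls']}, below TLS 1.2")
    # Self-signed: the certificate's issuer is itself. Such a cert cannot be
    # told apart from an interception proxy by a client that trusts it.
    if rec["issuer"] == rec["subject"]:
        findings.append(f"{rec['host']}: self-signed certificate (issuer == subject)")
    not_after = datetime.strptime(rec["not_after"], "%Y-%m-%d").date()
    days_left = (not_after - today).days
    if days_left < 0:
        findings.append(f"{rec['host']}: certificate expired {-days_left} days ago")
    elif days_left <= renew_days:
        findings.append(f"{rec['host']}: certificate expires in {days_left} days")
    return findings


def audit_inventory(records: List[Dict[str, str]], today: date) -> List[str]:
    """Run audit_endpoint over every record; the result is the audit artifact."""
    out: List[str] = []
    for rec in records:
        out.extend(audit_endpoint(rec, today))
    return out


# Constructed inventory, in the shape an RMM/scanner export might take.
SAMPLE_INVENTORY = [
    {"host": "ehr-web01", "min_tls": "TLSv1.2", "issuer": "CN=Example Issuing CA",
     "subject": "CN=ehr-web01.example.net", "not_after": "2025-12-31"},
    {"host": "lab-gw02", "min_tls": "TLSv1.0", "issuer": "CN=lab-gw02",
     "subject": "CN=lab-gw02", "not_after": "2024-11-01"},
    {"host": "vpn01", "min_tls": "TLSv1.3", "issuer": "CN=Example Issuing CA",
     "subject": "CN=vpn01.example.net", "not_after": "2025-02-05"},
]
AS_OF = date(2025, 1, 15)  # constructed audit date


def run_demo() -> List[str]:
    return audit_inventory(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run against the constructed inventory on the constructed audit date, this reports nothing for ehr-web01, three findings for lab-gw02 (old protocol, self-signed, expired) and one early warning for vpn01. Feeding a real export through the same function, with the audit date recorded, produces the dated evidence an auditor asks for rather than a statement that certificates are "monitored".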
The Administrative Safeguards Checklist
Administrative safeguards (45 CFR § 164.308) are the policies, procedures, and training requirements that govern how your MSP manages PHI access and security.
- Designated Security Officer: a named individual responsible for HIPAA security policy development and implementation
- Risk Analysis: a formal, documented risk analysis of all systems that create, receive, maintain, or transmit PHI — updated annually and after significant changes
- Risk Management: a documented risk management plan addressing identified vulnerabilities with assigned owners and target remediation dates
- Sanction Policy: written policy for workforce members who violate HIPAA policies, with documented enforcement actions
- Workforce Training: annual HIPAA security awareness training for all workforce members with access to PHI, with attendance records
- Access Management: formal process for granting, modifying, and revoking access to PHI systems — including timely termination for departed employees
- Contingency Plan: documented backup, disaster recovery, and emergency mode operation procedures tested at least annually
- Business Associate Agreements: executed BAAs with every vendor that touches PHI on your behalf
The most common HIPAA finding in MSP audits is inadequate risk analysis — specifically, risk analyses that are too narrow in scope (covering only EHR systems rather than all systems that touch PHI) or too infrequent (not updated after infrastructure changes).
Physical Safeguards Checklist (45 CFR § 164.310)
- Facility access controls: documented procedures for authorizing physical access to systems containing PHI
- Workstation use: policies governing the use of workstations that access PHI, including screen positioning and clean-desk requirements
- Workstation security: physical safeguards for workstations accessing PHI — locked screens, cable locks for laptops
- Device and media controls: documented procedures for the receipt, removal, and disposal of hardware and electronic media containing PHI — including certificate of destruction for decommissioned drives
Audit Readiness: What Auditors Actually Look For
When OCR or a third-party auditor reviews your HIPAA compliance, they are looking for evidence — not just policies. The gap between having a policy and being able to produce evidence that the policy is followed is where most MSPs fail.
- Risk analysis documentation: the actual risk analysis document, not just a statement that one was performed
- Training records: attendance logs with dates, names, and the training content covered
- Access review logs: evidence that access rights were reviewed periodically and that terminated employee accounts were disabled promptly
- Patch management records: evidence that vulnerabilities on PHI-adjacent systems were remediated within your defined SLA
- Incident response records: documentation of any security incidents, including those that did not rise to the level of a reportable breach
- BAA inventory: a complete list of all Business Associates with executed BAA dates and renewal dates
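The access-review evidence in the list above can be generated rather than assembled by hand. The following is an added example written for this checklist, not code from any product or from the page's author: it joins an HR termination feed against a directory export and flags accounts that are still enabled, were disabled later than the SLA, or logged on after termination but before being disabled. Both datasets, the 24-hour SLA and the column names are constructed assumptions.

```python
"""Termination review: join an HR termination list against a directory
export and produce findings an auditor can read. Added example; both CSV
feeds, the SLA and the column names are constructed.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

SLA = timedelta(hours=24)  # assumed: disable within 24 hours of termination

# Constructed HR feed and directory export, as a PSA/RMM might hand them over.
HR_TERMINATIONS = """employee_id,username,terminated_at
1001,asmith,2025-01-06T17:00:00
1002,bjones,2025-01-08T12:00:00
1003,cwu,2025-01-09T09:00:00
"""
DIRECTORY_EXPORT = """username,enabled,disabled_at,last_logon
asmith,false,2025-01-06T18:10:00,2025-01-06T16:55:00
bjones,true,,2025-01-09T08:30:00
cwu,false,2025-01-12T10:00:00,2025-01-11T14:20:00
dlee,true,,2025-01-14T09:00:00
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def load_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review_terminations(hr_csv: str, dir_csv: str, sla: timedelta = SLA) -> List[str]:
    """Return one finding per violated control; an empty list means clean."""
    accounts = {row["username"]: row for row in load_csv(dir_csv)}
    findings: List[str] = []
    for hr in load_csv(hr_csv):
        user, term = hr["username"], _ts(hr["terminated_at"])
        acct = accounts.get(user)
        if acct is None:
            continue  # no directory account to disable
        if acct["enabled"].lower() == "true":
            findings.append(f"{user}: terminated {term:%Y-%m-%d} but account still enabled")
            continue
        if not acct["disabled_at"]:
            findings.append(f"{user}: disabled but no timestamp recorded, cannot evidence SLA")
            continue
        disabled = _ts(acct["disabled_at"])
        lag_h = (disabled - term).total_seconds() / 3600
        if disabled - term > sla:
            findings.append(f"{user}: disabled {lag_h:.0f}h after termination (SLA {sla.total_seconds() / 3600:.0f}h)")
        # A logon between termination and disable is an incident to record under
        # incident response, not merely a missed SLA.
        if acct["last_logon"] and term < _ts(acct["last_logon"]) <= disabled:
            findings.append(f"{user}: logged on after termination, before account was disabled")
    return findings


if __name__ == "__main__":
    for finding in review_terminations(HR_TERMINATIONS, DIRECTORY_EXPORT):
        print(finding)
```

On the constructed data asmith is clean (disabled 70 minutes after termination, last logon before it), bjones is still enabled, and cwu was disabled three days late and used the account in between. Keep the dated output with the review: it is the artifact that answers "show me that terminated accounts were disabled promptly", and the cwu case is also an entry for the incident log.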
How SynoGuard AI Helps
SynoGuard AI continuously ingests RMM and PSA telemetry to map your clients' technical controls to HIPAA requirements in real time. When a patch goes missing, an account is not disabled after termination, or a certificate expires, the platform flags it as a HIPAA control gap — with the evidence already collected and formatted for audit response.
Breach Notification Requirements
If a breach of unsecured PHI occurs, the Breach Notification Rule (45 CFR §§ 164.400-414) requires notice to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery; notice to HHS (at the same time as individual notice for breaches affecting 500 or more individuals, otherwise in an annual log submitted within 60 days after the end of the calendar year); and, for breaches affecting more than 500 residents of a state or jurisdiction, notice to prominent media outlets serving that state or jurisdiction. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity. The clock starts there, not at the time of the breach.
For an MSP the obligation that bites first is § 164.410: a Business Associate must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and most BAAs shorten that window considerably. Check the notification deadline in every BAA you have signed, and build your incident process around the shortest one.
MSPs should maintain a documented incident response plan that includes a breach assessment workflow: specifically, the risk assessment in 45 CFR § 164.402, under which an impermissible use or disclosure is presumed to be a reportable breach unless a documented assessment shows a low probability that the PHI was compromised. That assessment must consider at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.
Summary: The 10 Most Common HIPAA Gaps in MSP Environments
- Risk analysis not updated after infrastructure changes
- Shared service accounts on PHI systems
- PHI transmitted via unencrypted email
- Terminated employee accounts not disabled within 24 hours
- Patch latency exceeding 30 days on PHI-adjacent systems
- Audit logs not retained for the documented retention period (six years is what most auditors expect, by analogy with the § 164.316 documentation retention rule)
- No documented contingency plan or untested backup procedures
- Missing or expired BAAs with subcontractors
- No formal workforce HIPAA training program
- Encryption not applied to PHI at rest on endpoint devices