ScalePad
ControlMap

HIPAA Field Guide for MSPs

HIPAA compliance, made operational: the MSP's tactical playbook

A tactical playbook for managed service providers guiding healthcare clients through the Security Rule, the Privacy Rule, and the Breach Notification Rule, with a step-by-step ControlMap workflow for assessments, controls, policies, and evidence.

The Rules, Decoded

HIPAA at a glance: why it lands on the MSP's desk

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting health information in the United States. Its administrative simplification rules are enforced by the HHS Office for Civil Rights (OCR), and they don't just apply to doctors. The moment your MSP touches a healthcare client's data or systems, you become a regulated business associate.

Two Regulated Parties

Covered entities

Health plans, healthcare clearinghouses, and healthcare providers that transmit health data electronically: your clients, including clinics, dental groups, physio practices, behavioral health, specialty offices. The covered entity always owns its compliance program, including the Privacy Rule operations and patient-facing duties the MSP can support but never own.

Business associates: that's you

Any vendor that creates, receives, maintains, or transmits protected health information (PHI) for a covered entity. MSPs hosting, backing up, monitoring, or remotely accessing client systems qualify, and are directly liable under the Security and Breach Notification Rules. The moment you touch a healthcare client's data or systems, you're regulated.

What counts as PHI? Any individually identifiable health information held or transmitted by a covered entity or business associate, in any form: electronic (ePHI), paper, or spoken. Names, dates, contact details, medical record numbers, billing data, device identifiers, and even IP addresses tied to health records all qualify. There are 18 identifier categories in total.

The Three Rules

The three rules this guide covers

Security Rule

Protect ePHI. Administrative, physical, and technical safeguards for electronic health data: the rule where MSPs do the heaviest lifting.

Privacy Rule

Govern PHI use. Who may see and share health information, the minimum-necessary standard, and patients' rights over their own records.

Breach Notification Rule

Respond when it goes wrong. Risk-assess incidents and notify individuals, HHS, and sometimes the media on strict timelines.

Why it matters: OCR civil penalties are tiered by culpability, from "did not know" up to "willful neglect, uncorrected", and can reach seven figures per violation category, per year, alongside corrective action plans, state attorney-general actions, and reputational damage. For an MSP, one client's breach can also become a contract, insurance, and liability event for the practice itself.

The Operating Model

Shared responsibility: the MSP × healthcare client operating model

HIPAA compliance is never "outsourced." The covered entity always owns its compliance program, but as managing IT provider and business associate, the MSP operates many of the controls. Use this model to set expectations in writing before the engagement starts.

MSP × healthcare client: who runs what

"Its own BA obligations" is the row MSPs miss: as a business associate you carry direct Security and Breach Notification Rule duties for your own firm, not just the client's.

MSP operates

  • Technical safeguards
  • Backup & recovery
  • Patching & endpoint security
  • Monitoring & audit logs
  • Access provisioning
  • Incident detection
  • Its own BA obligations

Shared

  • Risk analysis
  • Policies & procedures
  • Security training
  • Incident response
  • Contingency planning
  • BAA management
  • Evidence & audits

Client owns

  • Privacy & Security Officers
  • Privacy Rule operations
  • Patient rights fulfillment
  • Workforce conduct & HR
  • Clinical workflows
  • Final risk acceptance
  • Privacy notices (NPP)

Sign the BAA

A Business Associate Agreement is mandatory before any PHI touches your stack. It defines permitted uses, safeguard duties, breach reporting windows, and subcontractor flow-down: the written version of the responsibility split above.

Map every control

For each HIPAA safeguard, record who performs it, who approves it, and where the evidence lives. The responsibility tables in each section of this guide are your starting template.

Prove it continuously

OCR doesn't grade intentions, it asks for documentation. Centralize assessments, policies, and evidence in a GRC platform so proof is one click away when the auditor, insurer, or investigator asks.

The golden rule: the client can delegate the work, never the accountability, and the MSP carries its own direct liability as a business associate. Put the split in writing, revisit it annually, and never let "we assumed the other party had it" be the finding in a breach investigation.

01

3 Families · 18 Standards

The Security Rule: safeguards for ePHI, where MSPs do the heaviest lifting

The Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit, protecting it against reasonably anticipated threats and impermissible uses. Its 18 standards sit in three safeguard families: administrative, physical, and technical.

Anatomy of the Rule

9 · Administrative

Policies, people, and process: risk analysis, training, access governance, incident response, contingency planning. Over half of the Security Rule lives in these nine standards: the program backbone.

4 · Physical

Buildings, workstations, and hardware: facility access, workstation placement and use, device and media lifecycle, four standards where the client's front office and the MSP's asset practices meet.

5 · Technical

The systems themselves: access control, audit logging, integrity protection, authentication, transmission security, five standards that map almost one-to-one onto the modern MSP security stack.

The Program Backbone

Administrative safeguards: nine standards

These nine standards establish the security management program your client must run, and that your MSP will largely operationalize.

StandardWhat it demands in practiceType
Security management processConduct an accurate, thorough risk analysis of ePHI; implement risk-management measures; apply a sanction policy for violations; review system activity (logs, audit trails) regularly.Required
Assigned security responsibilityName one accountable Security Officer for the client organization, a person, not a vendor.Required
Workforce securityAuthorization/supervision procedures, workforce clearance, and termination procedures so departing staff lose access immediately.Addressable
Information access managementGrant access to ePHI based on role; isolate clearinghouse functions; document how access is authorized and modified.Required + addressable
Security awareness & trainingOngoing training program: security reminders, malware protection, login monitoring, password management, for the entire workforce.Addressable
Security incident proceduresIdentify, respond to, mitigate, and document security incidents and their outcomes.Required
Contingency planData backup plan, disaster recovery plan, emergency-mode operation plan; test and revise; analyze application/data criticality.Required + addressable
EvaluationPeriodic technical and non-technical evaluation of safeguards, repeat whenever the environment changes materially.Required
BA contracts & other arrangementsWritten Business Associate Agreements with every vendor that handles ePHI, including the MSP and the MSP's subcontractors.Required

Spotlight

The risk analysis is the keystone control

A missing or stale risk analysis is the single most common finding in OCR enforcement actions. If you run only one engagement deliverable this quarter, make it this one.

  1. 1

    Inventory ePHI

    Where it lives, flows, and leaves, every system, device, vendor, and data path.

  2. 2

    Identify threats

    Vulnerabilities and threat sources, internal and external.

  3. 3

    Rate risk

    Likelihood × impact for each threat and vulnerability.

  4. 4

    Treat & document

    Remediate, accept, or transfer, with the decision written down.

  5. 5

    Repeat annually

    And on any major change to systems, vendors, or the environment.

Required vs. addressable: two words that decide the build

Required

Must be implemented, full stop, no alternatives, no opt-outs. Examples: the risk analysis, unique user identification, and breach-response procedures. Build these first; every required specification is a floor, not a suggestion.

Addressable

Not optional. For each addressable specification: implement it, implement an equivalent alternative, or document why it isn't reasonable and appropriate for the environment. Every "addressable" decision must be written down: the paperwork is the compliance.

The Security Rule is technology-neutral and scalable: safeguards must be "reasonable and appropriate" for the organization's size, complexity, and risk. The required/addressable distinction is where that flexibility lives, and where undocumented shortcuts become findings. MSP tip: treat every addressable spec as required unless a documented risk decision says otherwise, that documentation is exactly what OCR asks for first.

The Other Nine Standards

Physical and technical safeguards: from the server closet to the stack

The remaining two families split the work between the building and the systems. Physical safeguards govern facilities, workstations, and hardware; technical safeguards govern the systems that hold and move ePHI, and translate almost directly into the tooling a mature MSP already runs.

Two Families, Nine Standards

The nine standards in practice

FamilyStandardIn practice
Physical4 standardsFacility access controlsLimit physical access to systems and facilities: locks, badges, visitor logs, contingency facility access, maintenance records.
Workstation useDefine proper use and physical surroundings of workstations that touch ePHI (e.g., screens away from waiting rooms).
Workstation securityPhysical restrictions: privacy screens, cable locks, auto-lock, restricted areas for servers and admin consoles.
Device & media controlsTrack hardware and media through receipt, movement, re-use, and disposal, sanitize or destroy before retirement; maintain an asset log; back up before moves.
Technical5 standardsAccess controlUnique user IDs, emergency access procedure, automatic logoff, encryption at rest.
Audit controlsHardware/software mechanisms that record and let you examine activity in systems containing ePHI.
IntegrityMechanisms to confirm ePHI hasn't been improperly altered or destroyed (checksums, versioning, immutable backups).
Person/entity authenticationVerify identity before access, strong passwords plus MFA as today's de-facto standard of "reasonable."
Transmission securityIntegrity controls and encryption for ePHI in motion: TLS, VPN, secure email/file exchange.

Translate it to your MSP stack: MFA + conditional access → person/entity authentication · disk encryption (BitLocker/FileVault) → access control · SIEM/log retention → audit controls · email encryption gateway → transmission security · asset lifecycle & ITAD → device & media controls · RMM patching → risk management · EDR/MDR → malware protection · BCDR appliance + tests → contingency plan · offboarding runbook → workforce security · security awareness platform → training.

Who Does What

Security Rule responsibility split

Typical allocation across the Security Rule for an MSP-supported practice: the BAA and your control map record the real split per client.

Risk analysis & risk register
MSP
Shared
Client
Technical safeguards (MFA, encryption, logging)
MSP
Shared
Client
Backup, DR & contingency testing
MSP
Shared
Client
Security awareness training
MSP
Shared
Client
Naming the Security Officer; sanctions policy
MSP
Shared
Client
Physical facility controls
MSP
Shared
Client
Risk acceptance & budget decisions
MSP
Shared
Client
MSP leadsSharedClient leadsProportions measured from the source guide's chart: the BAA records the real allocation per client.

02

Rights Over All PHI

The Privacy Rule: who may see and share health information

The Privacy Rule defines when PHI, in any form, not just electronic, may be used and disclosed, and gives patients enforceable rights over their own health information. The covered entity owns most Privacy Rule operations; the MSP's job is to know the rule well enough to configure systems, workflows, and access in a way that doesn't break it.

Use & Disclosure

When can PHI be used or disclosed?

Without authorization: "TPO"

Treatment, Payment, and healthcare Operations, plus disclosures to the individual, certain public-interest uses, and incidental disclosures that occur despite reasonable safeguards.

Written authorization needed

Marketing, sale of PHI, most psychotherapy-note uses, and anything outside TPO and the listed exceptions.

Minimum necessary

Even when use is permitted, access and disclose only the least PHI needed for the task: the standard that drives role-based access design.

Six Patient Rights

1 · Access & copies

Inspect and obtain records, generally within 30 days, in the form requested where readily producible.

2 · Amendment

Request corrections to inaccurate or incomplete records: the practice must act on the request and document the outcome.

3 · Accounting of disclosures

Request a list of certain disclosures made outside treatment, payment, and healthcare operations.

4 · Restriction requests

Ask to limit uses and disclosures, practices must honor self-pay restrictions to health plans.

5 · Confidential communications

Choose how and where they're contacted, an alternate address or number the practice must reasonably accommodate.

6 · Notice & complaints

Receive a Notice of Privacy Practices and complain without retaliation.

Privacy Operations

Privacy Rule operations: and the MSP's supporting role

Core requirementWhat the practice must put in placeHow the MSP supports it
Privacy OfficerDesignate an accountable Privacy Official and a contact for complaints.Track the designation as evidence; route privacy tickets correctly.
Notice of Privacy Practices (NPP)Publish and distribute a notice describing uses, disclosures, and patient rights; post on the website; obtain acknowledgment where required.Host/post the NPP on web properties; version-control updates.
Minimum necessary & role-based accessDefine which roles may access which PHI, for which purposes.Configure it: security groups, EHR roles, share permissions, least-privilege admin.
Workforce privacy trainingTrain all staff on policies; retrain on material changes; keep records.Deliver and track training via the awareness platform; surface completion reports.
Administrative safeguards for all PHIReasonable safeguards for paper and oral PHI too, shredding, fax cover sheets, private check-in areas.Advise on printer/fax/scan-to-email flows and secure document handling.
Patient-rights fulfillmentProcedures and tracking for access, amendment, accounting, and restriction requests within deadlines.Build export workflows from EHR/file systems; log disclosure events.
BAAs with all vendorsIdentify every vendor touching PHI; execute and refresh agreements.Maintain the vendor inventory; flag shadow-IT SaaS that touches PHI.

Who Does What

Privacy Rule responsibility split

Privacy Officer, NPP & patient-facing duties
MSP
Shared
Client
Role-based access & minimum necessary (technical)
MSP
Shared
Client
Privacy training program
MSP
Shared
Client
Vendor inventory & BAA tracking
MSP
Shared
Client
Deciding uses & disclosures of PHI
MSP
Shared
Client
MSP leadsSharedClient leadsProportions measured from the source guide's chart.

MSP boundary line

As a business associate, your firm may use PHI only as the BAA permits, never for your own analytics, marketing, or AI training. If a technician can see PHI while fixing a server, that's permitted incidental access; browsing it is not. Put that in your own staff training.

Practical sequence

Inventory where PHI lives and who touches it → define roles → enforce least privilege in every system → adopt the privacy policy set → train and attest → review access quarterly. Every step produces an artifact you can store as evidence.

When an incident isn't a reportable breach

Not a breach: narrow exceptions

Unintentional, good-faith access by a workforce member within their authority · inadvertent disclosure between similarly authorized people inside the organization · a good-faith belief the recipient couldn't have retained the information. Everything else starts the notification analysis.

The encryption safe harbor

PHI encrypted to NIST standards (with keys uncompromised) is not "unsecured", a lost encrypted laptop is generally not reportable. Encryption everywhere is the cheapest breach insurance an MSP can deploy.

The Breach Notification Rule presumes an impermissible acquisition, access, use, or disclosure of unsecured PHI is a breach unless a documented risk assessment shows a low probability that PHI was compromised. Two things keep an incident off the notification path: the rule's narrow exceptions, and encryption done right.

03

When PHI Is Exposed

The Breach Notification Rule: who must be told, and when

When unsecured PHI is acquired, accessed, used, or disclosed impermissibly, the affected individuals, and regulators, have a right to know. The clock starts at discovery: the first day the breach is known, or would have been known with reasonable diligence. Run the four-factor risk assessment first, then work the notification clock.

Four Factors, Documented

1 · Nature & extent of PHI

Which identifiers, and how sensitive, SSNs and clinical detail raise the stakes more than a name alone.

2 · Who received or accessed it

Another HIPAA-regulated entity bound by the same rules, or an unknown external actor: the recipient changes the risk.

3 · Was PHI actually viewed?

Forensics answer it: was data opened, exfiltrated, or merely exposed without being accessed?

4 · Mitigation achieved

A recovered device, a signed attestation of destruction, revoked access, document every answer to all four factors.

The Notification Clock

Who must be told: and by when

  1. Day 0

    Discovery

    Contain, preserve evidence, and run the four-factor risk assessment with counsel and the cyber insurer, document the conclusion.

  2. BA

    MSP → client

    The business associate must notify the covered entity, 60 days is the legal maximum, but BAAs typically demand 24–72 hours. Know yours.

  3. Day 60

    Individuals

    First-class mail (or email if agreed), day 60 at the outside; substitute web/media notice if 10+ are unreachable; 500+ in a state or jurisdiction means notifying prominent media too.

  4. HHS

    HHS / OCR portal

    500+ affected: within 60 days of discovery. Under 500: log it, then report within 60 days after the calendar year ends.

All deadlines run "without unreasonable delay": the day counts are outer limits, not targets. Notice contents: what happened · the types of PHI involved · steps individuals should take · what you're doing to investigate, mitigate, and prevent recurrence · contact procedures.

The First 72 Hours

The MSP incident runbook

  1. 1

    Contain & preserve

    Isolate systems; keep logs and images intact.

  2. 2

    Notify per BAA

    Alert the client's Privacy/Security Officer in the contracted window.

  3. 3

    Scope the data

    Whose PHI, what fields, encrypted or not.

  4. 4

    Run the 4 factors

    With counsel and the cyber insurer; document the conclusion.

  5. 5

    Notify & remediate

    Individuals, HHS, and media as required; fix the root cause.

  6. 6

    Retain evidence 6 yrs

    Assessments, notices, and decisions are auditable records, keep them for six years.

Who Does What

Breach Notification responsibility split

Detection, containment & forensics
MSP
Shared
Client
BA-to-CE breach notification
MSP
Shared
Client
4-factor risk assessment & breach determination
MSP
Shared
Client
Notifying individuals, HHS & media
MSP
Shared
Client
MSP leadsSharedClient leadsProportions measured from the source guide's chart.

ControlMap by ScalePad

From this guide to a running compliance program: in one platform

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Everything the previous sections demand, assessments, mapped controls, policies, training attestations, vendor BAAs, and audit-ready evidence, lives in one workspace per client, so you can run HIPAA as a repeatable, billable service instead of a yearly scramble.

The Five-Step ControlMap Workflow

  1. 1

    Onboard & adopt the framework

    Create a dedicated client workspace, select HIPAA from the framework library, and let ControlMap load the pre-mapped control set covering the Security, Privacy, and Breach Notification Rules. Cross-mapping means work done here also counts toward CIS, NIST CSF, or SOC 2 later.

  2. 2

    Run the assessments: gap and risk

    Use built-in questionnaires to baseline the client against every safeguard, then build the risk register: assets, threats, likelihood × impact scoring, and treatment decisions. This is the documented risk analysis the Security Rule requires, exportable for the client's records.

  3. 3

    Implement controls with guidance

    Each control card explains what the safeguard means, what "implemented" looks like, and what evidence satisfies it. Assign owners: your engineers or the client's staff, set due dates, and track status from gap → in progress → implemented on the client dashboard.

  4. 4

    Build policies & get them signed

    Start from the HIPAA policy template library (security management, access control, contingency, privacy, breach response…), tailor to the practice, version-control approvals, and push to staff for electronic acknowledgment. Attestation records become evidence automatically.

  5. 5

    Collect evidence & report

    Attach evidence to each control, screenshots, exports, configs, and automate what you can through integrations with the Microsoft/Google clouds and your MSP stack. Recurring evidence tasks re-prompt before items go stale, and dashboards turn it all into client-ready compliance reports for QBRs.

Package it as a service

Multi-tenant design means one pane for every healthcare client. Productize it: Assess (one-time gap + risk engagement) → Remediate (project work) → Manage (monthly compliance-as-a-service with recurring evidence, reviews, and QBR reporting).

Make the QBR land

Walk the practice owner through the compliance dashboard: posture score, closed gaps, open risks with owners, upcoming evidence tasks. Compliance progress is the easiest security story a non-technical client will ever understand, and the strongest renewal argument.

Keep it alive

HIPAA compliance decays: staff turn over, systems change, evidence goes stale. Set ControlMap's recurring tasks, quarterly access reviews, annual risk analysis refresh, annual policy review and re-attestation, and the program maintains itself on schedule.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each rule lives in ControlMap and the evidence OCR expects; a realistic first-90-days arc per client; and the ten-point quick-start checklist to put the whole guide in motion.

ControlMap in Action

Mapping ControlMap to each rule: and the evidence OCR expects

RuleDo this in ControlMapEvidence you'll bank
Security RuleRun the HIPAA gap assessment; build the risk register; assign the 18 safeguard standards as controls with owners and due dates; schedule recurring tasks for log review, access reviews, and DR tests; track training campaigns.Completed risk analysis & register · control status history · access-review sign-offs · backup/DR test results · training completion records
Privacy RulePublish the privacy policy set from templates; record the Privacy Officer designation; manage the vendor register with BAA status for every PHI-touching vendor; push staff attestations; track patient-rights procedures as documented controls.Approved & versioned policies · e-signed staff acknowledgments · vendor list with executed BAAs · NPP version history
Breach NotificationLoad the incident-response and breach-notification policies; document incidents in the register; attach the 4-factor risk assessment to each event; store notification letters and HHS submission confirmations; run post-incident review tasks.Incident log with timestamps · documented breach determinations · copies of notices · 6-year retention in one place
Your own MSPStand up a workspace for your own firm, as a business associate you carry direct Security and Breach Rule obligations. Reuse the same framework, policies, and evidence flows internally.Your BA-side risk analysis · internal policies · subcontractor BAAs · proof for cyber-insurance and client due-diligence questionnaires

Per Client

A realistic first-90-days arc

  1. W1-2

    Sign & stand up

    BAA signed · workspace created · HIPAA framework adopted · kickoff with the Privacy and Security Officers.

  2. W3-6

    Assess & price

    Gap assessment and risk register complete · remediation plan priced and approved.

  3. W7-10

    Implement & train

    High-risk controls implemented · policies approved · staff attestation and training launched.

  4. W11-13

    Operate & report

    Evidence flowing · recurring tasks scheduled · first compliance report delivered at QBR.

Take Action

Your 10-point HIPAA quick-start checklist

1

Execute or refresh the BAA

With every healthcare client, and with your own subcontractors. No PHI touches your stack before it's signed.

2

Confirm the named officers

The client must designate a Privacy Officer and a Security Officer, a person, not a vendor, in writing.

3

Inventory everything that touches PHI

Every system, device, vendor, and data flow: the map the risk analysis and the BAA register both depend on.

4

Complete the documented risk analysis

In ControlMap: the keystone control, and the one OCR asks for first.

5

Enforce MFA, unique IDs, and encryption

At rest and in transit, everywhere PHI lives or moves, today's de-facto standard of "reasonable."

6

Stand up tested contingency plans

Backup, disaster recovery, and emergency-mode operation, tested, revised, and with the test reports kept as evidence.

7

Publish the HIPAA policy set

From ControlMap templates, tailored to the practice, version-controlled, and acknowledged with staff e-attestations.

8

Train the entire workforce

Security and privacy training for all staff, with completion tracked as evidence.

9

Rehearse the breach runbook

Incident and breach procedures, including your BAA notification window, practiced before you need them.

10

Schedule the recurring cadence

Quarterly access reviews, annual risk analysis refresh, annual policy review and re-attestation, so the program maintains itself.

This guide is provided for general educational purposes and reflects the HIPAA rules as commonly understood at time of publication. It is not legal advice, and individual circumstances vary, covered entities and business associates should consult qualified healthcare counsel for compliance and breach-determination decisions. HIPAA, HHS, and OCR references are to U.S. federal regulation (45 CFR Parts 160 and 164).

ControlMap

ControlMap by ScalePad

Turn HIPAA into your next managed service

See how MSPs run multi-client HIPAA programs, gap and risk assessments, mapped safeguards, signed policies, and audit-ready evidence, in one ControlMap workspace per client.