Most medical practices don't need a cybersecurity firm. They need an IT provider that understands healthcare — one that keeps systems running, handles the technical side of HIPAA compliance, and doesn't disappear between incidents.
The problem is that most general-purpose MSPs were not built for healthcare. They handle IT support competently. They patch systems, manage helpdesk tickets, and keep networks operational. What they don't do — and what HIPAA specifically requires — is treat your IT environment as a regulated environment with specific safeguard obligations, documentation requirements, and breach response procedures.
That gap is where small practices get into trouble.
In 2023, 79.7% of healthcare data breaches were due to hacking incidents, per HHS OCR. Third-party involvement in breaches doubled from 15% to 30% in 2025 per the Verizon DBIR — meaning your vendors and IT providers are increasingly the entry point. And OCR's single most commonly cited enforcement finding is failure to conduct an enterprise-wide risk analysis — something your IT provider should be helping you complete, not leaving to you to figure out.
This checklist covers what HIPAA actually requires from a managed IT provider, what to verify before signing, and what separates a genuinely HIPAA-capable MSP from one that claims it.
Why Your MSP Is Legally a Business Associate
This is the starting point that most practices miss.
Because MSPs manage infrastructure, cloud services, backups, and endpoint security for healthcare clients, they are considered Business Associates under HIPAA and must sign a Business Associate Agreement and comply with the HIPAA Security Rule.
That means before your MSP touches a single system that stores, processes, or transmits ePHI — your EHR, your billing platform, your email system, your cloud storage — a complete BAA must be in place.
Per 45 CFR 164.504(e), that BAA must include: permitted uses and disclosures of PHI, safeguard obligations, breach and security incident reporting timelines, subcontractor flowdown requirements ensuring any vendor your MSP uses also signs a BAA, individual rights support, HHS access provisions, and return or destruction of PHI at termination.
An MSP that won't sign a full BAA, or offers a modified version that limits their liability at the expense of your compliance, is not a viable HIPAA IT partner. Full stop.
The Administrative Safeguard Obligations Your MSP Must Meet
HIPAA's administrative safeguards under 45 CFR § 164.308 create specific obligations that flow directly to your MSP.
Risk Analysis
45 CFR § 164.308(a)(1) requires a documented risk analysis identifying all potential risks and vulnerabilities to ePHI. This is the most commonly cited gap in OCR enforcement actions — and it's something your IT provider should be helping you conduct, document, and update annually.
A risk analysis for a medical practice means identifying every location where ePHI is stored, processed, or transmitted — your EHR, billing system, email, mobile devices, fax systems, cloud storage, and any third-party platform — and evaluating the risks to each. Your MSP should know your environment well enough to produce this analysis or support a qualified person in doing so.
Security Incident Procedures
45 CFR § 164.308(a)(6) requires documented procedures to identify, respond to, mitigate, and document security incidents. Your MSP is typically the first to know when something goes wrong. If they don't have a documented healthcare-specific incident response procedure — including the four-factor breach determination under § 164.402 — you're flying blind when it matters most.
Workforce Training
Administrative safeguards require that your staff receive HIPAA security awareness training. Your MSP should support this — either by delivering training directly or by ensuring the tools and policies that make training possible are in place.
Assigned Security Responsibility
45 CFR § 164.308(a)(2) requires a designated security official responsible for developing and implementing your security policies. For most small practices, this function is effectively delegated to the MSP. Your agreement should make that responsibility explicit.
The Technical Safeguard Obligations Your MSP Must Implement
HIPAA's technical safeguards under 45 CFR § 164.312 require four categories of controls that your MSP is responsible for implementing and maintaining.
Access Controls
Unique user identification for every person accessing ePHI. Role-based access control limiting each user to only the ePHI they need for their specific function. Automatic logoff on inactive sessions. Emergency access procedures for when primary credentials aren't available.
Your MSP should be able to show you exactly which users have access to which systems, demonstrate that access is reviewed when staff change roles or leave the practice, and confirm that no shared credentials exist on systems containing ePHI.
Audit Controls
45 CFR § 164.312(b) requires mechanisms to record and examine activity in ePHI systems. Three categories of audit trail are required: application-level logs showing ePHI records accessed, created, modified, or deleted; system-level logs showing login attempts, devices used, and timestamps; and user-level logs showing events initiated by each individual user.
Audit logs must be retained for at least six years per 45 CFR § 164.316(b)(2)(i). Your MSP should be collecting, storing, and periodically reviewing these logs — not just confirming they exist.
Integrity Controls
Technical controls preventing ePHI from being improperly altered or destroyed. Checksums, hash verification, and version controls on clinical data. Backup integrity verification ensuring that backed-up ePHI is complete and unaltered.
Transmission Security
Encryption for all ePHI transmitted over networks — including email, file transfer, remote access, and any data moving between your practice and external systems. Unencrypted ePHI in transit is a HIPAA violation regardless of whether it's intercepted.
EHR-Specific Requirements Your MSP Must Understand
Your electronic health record system creates specific IT management obligations that a general-purpose MSP may not be equipped to handle.
ONC and HHS guidance identifies EHR security safeguards that must be actively managed: access controls including role-based user permissions, audit trail monitoring that is operational whenever the EHR is available for updates or viewing, and integrity controls protecting clinical documentation from unauthorized modification.
CMS specifies that the audit log must be operational whenever the EHR technology is available — not just during business hours. That means your MSP must ensure EHR audit logging is running continuously and that logs are being collected and retained appropriately.
Your MSP should also understand the specific integration points between your EHR and other systems — billing platforms, patient portals, lab interfaces, imaging systems — and ensure that data flows between systems are encrypted and that access controls are maintained across integrations.
If your MSP isn't familiar with your specific EHR platform's security configuration requirements, that's a gap worth addressing before something goes wrong.
Backup Requirements for Medical Practices
HIPAA's 45 CFR § 164.308(a)(7) — the Contingency Plan — requires a Data Backup Plan creating retrievable exact copies of ePHI. This is a required implementation specification, not an addressable one. It is not optional.
What your MSP should be providing:
Automated, regular backups of all ePHI — your EHR database, billing system, document management, and any other system storing patient information.
Encrypted backups stored separately from production systems.
Immutable or offline backup copies that ransomware cannot reach or encrypt.
Documented backup testing with verified restoration — not just backup completion confirmations.
A recovery time objective and recovery point objective appropriate for clinical operations.
Untested backups are a regulatory and operational risk. 67.7% of businesses experienced significant data loss in the past year, per Infrascale. Most weren't aware their backup process had failed until they needed it.
Ask your MSP specifically when the last restoration test was performed and what the result was. If they can't answer that question with a date and a documented outcome, your backups are untested.
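The kind of restoration test the backup section and the integrity-controls section above call for, as an added example (not Securafy's tooling or any backup product's code): it restores a constructed backup set into a scratch directory, checks every file against the SHA-256 manifest recorded at backup time, and returns a dated outcome. The file names and contents are constructed for illustration.

```python
"""Backup restoration test with hash verification (added example)."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

# Constructed backup set: relative path -> file contents at backup time
BACKUP_SET = {
    "ehr/patients.db": b"constructed EHR database contents",
    "billing/claims.csv": b"claim_id,amount\n1001,250.00\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(backup_set):
    # Recorded alongside the backup; restoration is verified against this.
    return {path: sha256(data) for path, data in backup_set.items()}

def restore(backup_set, target: Path, corrupt=None):
    # Write the backup into a scratch directory. `corrupt` simulates a file
    # that came back truncated so the test demonstrates detecting it.
    for path, data in backup_set.items():
        dest = target / path
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data[:-1] if path == corrupt else data)

def run_restoration_test(backup_set, manifest, corrupt=None):
    """Restore, verify each file's hash, and return a documented outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp)
        restore(backup_set, target, corrupt)
        failures = []
        for path, expected in manifest.items():
            f = target / path
            if not f.is_file():
                failures.append(f"{path}: missing")
            elif sha256(f.read_bytes()) != expected:
                failures.append(f"{path}: hash mismatch")
    return {
        "date": date.today().isoformat(),   # the date to put in the record
        "files_checked": len(manifest),
        "result": "PASS" if not failures else "FAIL",
        "failures": failures,
    }
```

A completion confirmation from the backup job never exercises `restore`; this record does, which is the difference the section draws.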
Vendor Management: Your MSP's Subcontractors Are Your Problem
One of the most overlooked HIPAA obligations is the subcontractor flowdown requirement.
Under 45 CFR 164.504(e), your MSP must ensure that any subcontractor they use who creates, receives, maintains, or transmits PHI on your behalf also signs a BAA and complies with the HIPAA Security Rule.
This means that if your MSP uses a third-party NOC, a cloud backup provider, a remote monitoring platform, or any other vendor that accesses your systems — those vendors must also have BAAs in place. The chain of trust runs from you to your MSP to every subcontractor in their stack.
Ask your MSP to identify every subcontractor that touches your environment and confirm that BAAs are in place with each. If they can't provide that list, you're carrying compliance risk you may not know about.
Employee Offboarding: The Gap Most Practices Don't Close
Staff turnover at medical practices is high. Every departure creates an access risk if your MSP doesn't have a defined offboarding process.
A HIPAA-capable MSP should have an automated or documented offboarding workflow that immediately revokes: EHR access, email accounts, remote access credentials, cloud platform access, and any shared passwords the departing employee knew.
Access that isn't revoked promptly after an employee leaves is a HIPAA violation waiting to happen — particularly for practices where former staff may have had access to patient records outside their clinical role.
Ask your MSP what their offboarding procedure looks like and what the typical time between notification and complete access revocation is. The answer should be measured in hours, not days.
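An access reconciliation of the kind the access-controls section (which users have access to which systems, no shared credentials) and this offboarding section describe, as an added example that is not Securafy's tooling. It cross-checks a constructed account inventory from the EHR, email, VPN and cloud platform against the practice roster, flags accounts still enabled after a departure and logins with no named owner, and measures time-to-revocation in hours; the usernames, systems and timestamps are constructed.

```python
"""Access reconciliation for ePHI systems (added example)."""
from datetime import datetime

# Constructed roster: username -> departure time (None = current staff)
ROSTER = {
    "jsmith": None,
    "amiller": datetime(2024, 3, 1, 9, 0),
    "rlee": datetime(2024, 3, 4, 17, 30),
}

# Constructed account inventory exported from each ePHI system:
# (system, username, enabled, disabled_at)
INVENTORY = [
    ("ehr", "jsmith", True, None),
    ("ehr", "amiller", False, datetime(2024, 3, 1, 11, 0)),   # revoked in 2 h
    ("email", "amiller", True, None),                          # never revoked
    ("vpn", "rlee", False, datetime(2024, 3, 7, 9, 0)),        # 63.5 h later
    ("cloud", "frontdesk", True, None),                        # no named owner
]

def access_matrix(inventory):
    """Which users currently hold enabled access to which systems."""
    matrix = {}
    for system, user, enabled, _ in inventory:
        if enabled:
            matrix.setdefault(user, set()).add(system)
    return matrix

def reconcile(roster, inventory, max_hours=24):
    """Return (system, user, finding) for every account that fails review."""
    findings = []
    for system, user, enabled, disabled_at in inventory:
        if user not in roster:
            findings.append((system, user, "no named owner (shared credential)"))
            continue
        departed = roster[user]
        if departed is None:
            continue                      # current staff, nothing to check
        if enabled or disabled_at is None:
            findings.append((system, user, "still enabled after departure"))
            continue
        hours = (disabled_at - departed).total_seconds() / 3600
        if hours > max_hours:
            findings.append((system, user, f"revoked after {hours:.1f} h"))
    return findings
```

The 24-hour threshold is an assumption chosen to match the "hours, not days" standard above; set it to whatever your agreement specifies.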
The Evaluation Checklist
Before selecting or renewing with an MSP for your medical practice, verify these specifically:
Will they sign a complete BAA under 45 CFR 164.504(e) including subcontractor flowdown and breach notification timelines? A modified or limited BAA is a red flag.
Can they conduct or support a documented HIPAA risk analysis identifying all ePHI locations and risks? This is the most commonly cited OCR enforcement gap.
Do they have a documented healthcare-specific incident response procedure including the four-factor breach determination under § 164.402?
Are they collecting, retaining for six years, and reviewing audit logs across your EHR, email, and other ePHI systems?
When was the last backup restoration test performed and what was the result?
Can they identify all subcontractors with access to your environment and confirm BAAs are in place with each?
What is their employee offboarding procedure and what is the typical time to full access revocation?
Do they have documented experience with your specific EHR platform's security configuration requirements?
Where Securafy Fits
Securafy provides HIPAA-aligned managed IT support for medical practices across Ohio and the United States. Every engagement begins with a documented risk analysis, includes a full BAA with subcontractor flowdown provisions, and delivers the technical safeguards, audit log management, backup testing, and incident response planning that HIPAA requires from your IT provider — not as add-ons, but as baseline delivery.
For practices that need both IT support and HIPAA compliance infrastructure from a single accountable partner, Securafy provides both under one engagement with clear documented responsibilities.
If you want to understand where your current IT environment stands against HIPAA's technical safeguard requirements, a free network assessment gives you that picture in under an hour.
To discuss what HIPAA-aligned managed IT support would look like for your specific practice, book a strategy call.
The 2026 Cybersecurity Buyer's Guide covers the security program fundamentals every healthcare organization should understand before evaluating any managed IT partner.