Table of Contents
Choosing a managed service provider has quietly become one of the highest-stakes decisions a healthcare organization makes. In 2025, HIPAA-regulated entities reported 772 large data breaches to the HHS Office for Civil Rights (OCR), the most in any single year on record, exposing the protected health information of roughly 139.7 million people, according to breach data compiled by The HIPAA Journal from the OCR portal. Healthcare has now been the costliest industry for data breaches for 14 consecutive years, averaging $7.42 million per incident in IBM’s 2025 Cost of a Data Breach Report. Against those numbers, HIPAA IT compliance is no longer a quiet back-office checkbox. It is a board-level risk decision, and for most providers it runs directly through the MSP they choose.
This guide explains what HIPAA IT compliance actually requires in 2026, how the proposed overhaul of the HIPAA Security Rule will reshape what you should demand from a vendor, and it gives you an original scoring model, the SHIELD framework, for evaluating any HIPAA compliant MSP before you sign a contract.
Quick answer
A HIPAA compliant MSP is a managed service provider that qualifies as a HIPAA business associate, signs a business associate agreement (BAA), and implements the administrative, physical, and technical safeguards the HIPAA Security Rule requires to protect electronic protected health information (ePHI). Choosing the right HIPAA MSP in 2026 means verifying six things: a signed BAA with clear liability, healthcare-specific experience, incident detection and response capability, encryption and access controls, an active risk analysis and risk management program, and audit-ready documentation.
What is a HIPAA compliant MSP?
A HIPAA compliant MSP is a managed IT provider that is legally recognized as a business associate under HIPAA and can prove it meets the safeguards required to handle patient data. Under the HIPAA Rules, any vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate, and since the 2013 Omnibus Rule, business associates carry direct liability for their own HIPAA violations.
That legal detail is the whole point. A HIPAA compliant MSP is not simply an IT company that happens to have healthcare clients. It is an accountable partner that has signed a BAA and can demonstrate, on request, how it protects your ePHI. A generic MSP that touches patient data without a BAA is not a convenience. It is an open compliance gap that OCR can attribute back to you.
What does HIPAA IT compliance actually require in 2026?
HIPAA IT compliance rests on three federal rules: the Privacy Rule, which governs how PHI may be used and disclosed; the Security Rule, which sets the standards for protecting ePHI; and the Breach Notification Rule, which dictates how and when breaches must be reported. For anything IT-related, the Security Rule is the engine, and it is the rule your HIPAA MSP lives inside every day.
Covered entity vs. business associate: where your MSP sits
Covered entities are the providers, health plans, and clearinghouses that deliver and pay for care. Business associates are the vendors that handle ePHI on their behalf, and that is exactly where a HIPAA MSP sits. The practical consequence: both you and your MSP can be investigated and penalized. In 2025, OCR resolved 21 HIPAA cases with financial penalties, its second-highest annual total ever, collecting $8,330,066 in fines (The HIPAA Journal). Several of those actions were against business associates, not just the healthcare organizations they served.
What are the HIPAA safeguards an MSP must cover?
The HIPAA Security Rule organizes protection into three categories of HIPAA safeguards: administrative, physical, and technical. A credible HIPAA compliant MSP should be able to show you exactly how it delivers each one, not just claim it does.
Administrative safeguards
These are the policies and processes that govern security. They include a formal security management process, a documented risk analysis, workforce security and access management, security awareness training, contingency planning, and periodic evaluation. A strong HIPAA MSP treats these as living programs, not one-time paperwork.
Physical safeguards
These control physical access to systems and data: facility access controls, workstation use and security policies, and device and media controls that govern how hardware and storage holding ePHI are handled, reused, and disposed of.
Technical safeguards
These are the controls most people picture when they think of HIPAA IT compliance: access controls with unique user identification, audit controls that log activity, integrity controls that prevent improper alteration of ePHI, and transmission security such as encryption. Notably, encryption of ePHI on servers was involved in a large share of 2025 breaches, with the majority of the year’s incidents traced to PHI stored on network servers (61.5%) and compromised email accounts (24.9%).
Together, these HIPAA safeguards form the backbone of any credible HIPAA IT compliance program, and a capable HIPAA MSP should map its services directly onto all three categories rather than treating them as a menu.
Why does a HIPAA security risk assessment matter when choosing an MSP?
A HIPAA security risk assessment, also called a security risk analysis or SRA, is the single most scrutinized requirement in HIPAA enforcement. Throughout 2025, OCR ran a dedicated risk analysis enforcement initiative, and the agency has confirmed it will expand that focus to risk management in 2026, according to The HIPAA Journal. In plain terms, OCR no longer just wants proof that you identified risks. It wants evidence that you actively reduced them, on a timeline.
A proper HIPAA security risk assessment inventories every system and location where ePHI lives, evaluates the threats and vulnerabilities against each, rates the likelihood and impact, and produces a prioritized remediation plan. The right HIPAA MSP should run this assessment with you at least annually, keep it current when your environment changes, and tie each finding to an action and an owner.
Enforcement in the real world
In 2025, an Illinois business associate, Health Fitness Corporation, paid a $227,816 penalty after OCR determined it had not conducted a compliant, organization-wide risk analysis following a credential-stuffing incident (The HIPAA Journal). The lesson for buyers is direct: if your HIPAA MSP cannot show you a current, thorough HIPAA security risk assessment, that gap is a liability you inherit.
How is the 2026 HIPAA Security Rule update changing MSP requirements?
On December 27, 2024, HHS OCR issued a Notice of Proposed Rulemaking (NPRM) to overhaul the HIPAA Security Rule, published in the Federal Register on January 6, 2025. It would be the first substantial update to the Security Rule since the 2013 Omnibus Rule. The public comment period closed on March 7, 2025, drawing roughly 4,700 to 5,000 submissions.
Important status check (verified mid-2026)
As of mid-2026, this remains a proposed rule. No final rule has been published, and the current HIPAA Security Rule stays fully in effect. OCR’s regulatory agenda had targeted a 2026 finalization, but the timeline is uncertain, and the proposal could still be finalized as written, modified, delayed, republished, or withdrawn entirely. Any vendor that tells you these specific requirements are already law is misinformed. Treat the proposal as the direction of travel, not settled regulation.
The direction, however, is unmistakable, and OCR’s own 2025 enforcement already leans this way. The proposal would end the long-standing “addressable” flexibility that let organizations document their way out of controls such as encryption and multi-factor authentication (MFA). If finalized as proposed, the following would become mandatory, with only narrow exceptions:
- Encryption of ePHI at rest and in transit
- Multi-factor authentication for systems that access ePHI
- Network segmentation to isolate ePHI systems
- A written technology asset inventory and network map, reviewed at least annually
- Vulnerability scanning every six months and annual penetration testing
- Enhanced, annually reviewed risk analysis with documented risk management
- Annual compliance audits and stronger business associate oversight, including updated BAAs
If a final rule is eventually published, healthcare organizations are expected to have roughly 240 days to comply. The proposal has drawn real pushback over its cost, especially from smaller and rural providers, which is part of why the timeline remains uncertain. None of that changes the smart planning move: build toward these controls now, because enforcement is already trending in this direction.
Here is why this shapes your choice of HIPAA MSP today. The Change Healthcare ransomware attack, which affected roughly 192.7 million people and stands as the largest healthcare breach in US history, was reportedly enabled by a remote-access portal that lacked MFA. Nearly every control in the proposed rule maps to a documented, real-world failure. The prudent move is to choose a HIPAA compliant MSP that already operates as if encryption, MFA, segmentation, and continuous testing are required, because that is where enforcement is heading regardless of the final rule’s exact wording.
The SHIELD framework: how to evaluate a HIPAA compliant MSP
Most HIPAA MSP checklists are just feature lists, which tell you what a vendor sells but not whether it will keep you compliant. Drawing on managed security partner work across healthcare IT environments, Zazz.io uses a weighted, six-domain scoring model we call the SHIELD framework. Score each domain from 0 to 5, apply the weight, and total the result. As a rule of thumb, any HIPAA MSP scoring below 70 out of 100 should not be trusted with your ePHI.
Domain | What it measures | What a strong HIPAA MSP looks like | Weight |
S — Signed BAA & shared accountability | Legal accountability for ePHI | Signs a detailed BAA, accepts defined liability, names a compliance contact | 20% |
H — Healthcare-specific track record | Real experience with HIPAA, not generic IT | References from covered entities and business associates; understands PHI workflows | 15% |
I — Incident detection & response | Speed to find and contain a breach | 24/7 monitoring, tested incident response plan, clear breach-notification support | 20% |
E — Encryption, MFA & access controls | Core technical safeguards | Encryption at rest and in transit, MFA everywhere, least-privilege access, audit logging | 20% |
L — Living risk analysis & management | Ongoing SRA and remediation | Annual HIPAA security risk assessment plus tracked, prioritized remediation | 15% |
D — Documentation & audit evidence | Provable compliance | Policies, asset inventory, network map, training records, ready for OCR audit | 10% |
How to read your score
- 85 to 100: A mature HIPAA compliant MSP ready for both today’s rule and the proposed 2026 controls.
- 70 to 84: Workable, but require a written plan to close gaps before you sign, especially in the E and I domains.
- Below 70: Do not grant access to ePHI. The compliance risk outweighs any cost savings.
What questions should you ask a HIPAA MSP before signing?
Use these questions in a vendor evaluation call to pressure-test a provider’s HIPAA IT compliance. Vague or defensive answers are themselves a signal.
- Will you sign a business associate agreement, and what liability do you accept under it?
- Can you show a recent, organization-wide HIPAA security risk assessment and your remediation tracker?
- Is ePHI encrypted at rest and in transit across every system you manage for us?
- Is MFA enforced on all access to systems that touch ePHI, including remote and vendor access?
- What is your average time to detect and contain an incident, and can you prove it?
- How would you support us through the 60-day HIPAA breach notification timeline if a breach occurs?
- Do you maintain a current asset inventory and network map for our environment?
- How are you preparing for the proposed 2026 HIPAA Security Rule controls?
- What healthcare clients can you reference, and have any been through an OCR investigation?
- How often do you run vulnerability scans and penetration tests, and will you share the results?
Red flags that an MSP is not truly HIPAA compliant
These warning signs tend to surface quickly once you start asking about HIPAA safeguards and HIPAA IT compliance in detail.
- Refusing or delaying a BAA: A HIPAA compliant MSP signs one without hesitation.
- Claiming to be “HIPAA certified”: There is no official government HIPAA certification. The claim signals a weak understanding of the rules.
- Treating encryption or MFA as optional: This is exactly the “addressable” thinking the proposed 2026 rule is designed to end.
- No current risk analysis: The most common failure OCR cites, and the easiest one for an auditor to find.
- Stating the 2026 requirements are already law: They are not, as of mid-2026. Precision here reflects genuine expertise.
- No audit-ready documentation: If they cannot produce evidence quickly, neither can you when OCR asks.
What does a HIPAA breach really cost?
The cost of choosing the wrong HIPAA MSP is measurable, and it dwarfs the price difference between vendors. In 2025, a healthcare data breach cost an average of $7.42 million according to IBM’s annual report, the highest of any industry, and healthcare took the longest of any sector to detect and contain a breach, close to nine months. On top of that sit regulatory penalties, breach-notification costs, and legal exposure.
And those figures only capture the quantifiable damage. They leave out the lost patients, the reputational hit, the disruption to care, and the operational drag of a months-long investigation. When a single incident can cost millions and take the better part of a year to clean up, the gap between a cheap MSP and a genuinely HIPAA compliant MSP is not a line item. It is your risk exposure.
Frequently asked questions
Is there an official HIPAA certification for MSPs?
No. There is no government-issued HIPAA certification. Any MSP claiming to be “HIPAA certified” is overstating its status. What matters is whether the HIPAA MSP signs a BAA and can demonstrate the required administrative, physical, and technical safeguards, plus a current risk analysis.
Does my MSP need to sign a business associate agreement?
Yes. If your MSP creates, receives, maintains, or transmits ePHI, it is a business associate under HIPAA and must sign a BAA. Without one, both you and the MSP have a compliance gap that OCR can act on.
Are the 2026 HIPAA Security Rule changes in effect yet?
No. As of mid-2026, the changes remain a proposed rule. HHS OCR published the NPRM in the Federal Register on January 6, 2025, but no final rule has been issued. The current HIPAA Security Rule remains in effect, and the proposal could still be finalized, modified, delayed, or withdrawn.
How often should a HIPAA security risk assessment be done?
At minimum annually, and again whenever your environment changes materially, such as a new system, a merger, or a move to the cloud. Inadequate risk analysis is the most common Security Rule failure OCR cites in enforcement.
What are the three types of HIPAA safeguards?
Administrative safeguards (policies, training, risk management), physical safeguards (facility and device controls), and technical safeguards (access controls, audit controls, integrity controls, and encryption). A HIPAA compliant MSP should cover all three as the foundation of your HIPAA IT compliance.
How much does a healthcare data breach cost?
Healthcare data breaches averaged $7.42 million in IBM’s 2025 report, the highest of any industry for the 14th year in a row, and took roughly 279 days to detect and contain. Choosing a genuinely HIPAA compliant MSP is a direct way to reduce that exposure.
Ready to see how Zazz can transform your IT operations? Schedule a consultation with our enterprise IT specialists today.



