Managed Service Provider Helps with HIPAA Compliance

Jason Karn, Total HIPAA Chief Compliance Officer, spoke with Greg Manson, Director of Security, Audit, and Compliance at Carolinas IT, about the process of hiring a Managed Service Provider (MSP). In their discussion, Greg provides a list of questions companies should ask before hiring a managed service provider. Listen to this episode of our podcast HIPAA Talk here or on your mobile device via Apple Podcasts. Or, read our summary below. We break down what a Managed Service Provider is and explain why your company could benefit from hiring one.

What is a Managed Service Provider?

A managed service provider, or MSP, is a company that remotely handles its customers’ IT systems. [1] MSPs are categorized as Business Associates because they access Protected Health Information (PHI) on behalf of their clients. Small enterprises that must comply with HIPAA may find that hiring outside help in the form of a Managed Service Provider lets them devote less time and fewer internal resources to their compliance plan.

Even companies with an in-house IT team can benefit from partnering with a Managed Service Provider. MSPs offer a team of professionals equipped to handle all of your organization’s challenges. An MSP can work with your IT team to enhance your cybersecurity program. Additionally, MSPs typically charge a flat monthly rate, so companies are not responsible for paying a salary or benefits to individuals; rather, they can access a team of experienced workers for a monthly charge. [2]

There are several questions you should ask a potential managed service provider before hiring them and allowing them access to your company’s confidential information. MSPs are well aware of government regulations like HIPAA and should be able to service Covered Entities. In fact, regulatory compliance is predominantly why companies hire managed service providers.

Because MSPs are Business Associates, you must have a signed Business Associate Agreement in place before you begin working together. Additionally, your Managed Service Provider should have standard operating procedures for regulatory compliance in place that you may view or audit. If an MSP does not have these procedures or is unwilling to share them with you, you should reconsider the partnership.

What Questions Should You Ask Your Managed Service Provider?

Greg Manson of Carolinas IT, a Managed Service Provider with a great deal of experience servicing HIPAA compliant clients, walked us through several questions you should ask a Managed Service Provider before working with them.

Has this MSP worked with HIPAA compliant clients before?

This is the most important thing you should talk about with your Managed Service Provider. They must understand HIPAA law and have the knowledge and technical expertise to help your company maintain HIPAA compliance. Make sure to select an experienced vendor; ask how long they have been in business.

Question the quality of their security system.

Your Managed Service Provider should be able to answer questions about their security system. They should be able to tell you about the quality of their encryption and how they protect your PHI at rest, in storage, and in transit.

What environmental controls does your MSP abide by to maximize security?

For example: Do you have policies or rules for staff handling sensitive information? Your MSP should have access levels in place just as your company does. This ensures that only the necessary parties access PHI on your organization’s behalf. As a client of an MSP, you deserve to know that a qualified person handles your account. It is also important to know that not everyone in the company has access to your account and your private information.

What are your MSP’s company policies for employees?

Do employees lose access to information when they leave or are fired from the MSP? Are they locked out of IT systems? Is their account disabled? Are important passwords changed? What happens when one of your MSP’s employees loses a device?

What technologies does your Managed Service Provider use?

A ticket tracking system is software that logs and tracks issues as they are reported. This system allows your MSP to tackle issues as soon as they arise and to maintain a record of security incidents. [3]

What will your MSP do to continuously monitor your system?

Ensure that your MSP will monitor and maintain your system consistently, not just when you begin working together. Ask them how they plan to do this.

Evaluate the cost of your MSP’s solution.

This is typically what conversations between clients and MSPs boil down to. While this is an important factor, it is not the most important factor – prioritize your company’s security above all else. However, this is a fair question. There are many MSPs working in this industry, and your organization should be able to partner with one that fits your cybersecurity and financial needs.

In conclusion, your partnership with a Managed Service Provider is meant to make HIPAA compliance simpler for your business on the IT end. It is not your MSP’s responsibility to bring your company into full compliance with the HIPAA law. Your MSP is there to help your company work through the technical portion of your Risk Assessment and establish protocols for protecting electronic data.

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

Sources

[1] SearchIT Channel’s article “Managed Service Provider (MSP)”

[2] Continuity Center’s article “Managed Services vs. In-House IT: Who comes out on top?”

[3] SysAid’s article “What is a Ticketing System?”
