The Liability Most MSPs Underestimate
An MSP that manages networks, endpoints, backups, or cloud infrastructure for a healthcare client almost certainly creates, receives, maintains, or transmits protected health information in the course of that work. Under HIPAA, that makes you a business associate — and since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule. Not liable through your client. Directly. OCR can investigate you, fine you, and name you in a resolution agreement, independent of anything your client did or failed to do.
Most MSPs treat the Business Associate Agreement as the finish line: sign it at onboarding, file it, move on. The BAA is the starting line. It is a contract in which you promise to safeguard PHI and to meet the Security Rule's requirements. Signing it creates the obligation; it does not satisfy it. The MSPs that get caught flat-footed in an OCR inquiry are the ones who can produce a signed BAA and nothing else — no risk analysis of their own environment, no evidence their own access controls work, no incident response plan covering a breach that originates with them.
What You Actually Owe as a Business Associate
Your obligations as a business associate mirror, in large part, the obligations your covered-entity clients carry. At minimum, OCR expects a business associate to have:
- Your own risk analysis. Not your client's — yours. A documented assessment of the risks to PHI in your systems: your RMM, your ticketing platform, your remote access tooling, your technicians' workstations, your backup repositories.
- Security Rule safeguards in your own shop. Access controls, audit logging, encryption, and workforce training applied to your own organization — because your technicians hold the keys to every client you serve.
- An incident response and breach notification plan. If the breach originates in your environment, you are obligated to notify the affected covered entities without unreasonable delay. You need a plan for that before it happens.
- Subcontractor BAAs. Any vendor you use that touches client PHI — a cloud backup provider, a documentation SaaS — needs a BAA with you. The chain of liability flows downstream.
The Concentrated-Risk Problem
Here is what makes an MSP both a uniquely attractive target and, when breached, a uniquely consequential one: you hold privileged access to many healthcare environments at once. A single compromised technician credential, or a single breached RMM platform, can cascade across your entire client base. This is not theoretical — supply-chain attacks against MSPs and their tools have been a recurring theme in healthcare breach data, and we have written about the broader pattern in software supply chain security. The same concentration that makes the MSP service model efficient makes the MSP a high-value breach vector. OCR knows this, and business-associate enforcement has been trending up accordingly.
Turning Your Own Compliance Into a Sales Asset
There is an upside hiding in this obligation. An MSP that runs a documented, defensible HIPAA program for itself can say something to prospects that most competitors cannot: "We don't just keep you compliant — we hold ourselves to the same standard, and we can prove it." In a healthcare prospect's eyes, an MSP that treats its own business-associate obligations seriously is a dramatically lower-risk partner. Your internal compliance becomes a differentiator in the sales conversation, not just a cost of doing business.
Run Your Program on the Same Platform You Sell
The practical move is to treat your own MSP as one more tenant in the compliance platform you use for clients. Run your own risk analysis, track your own subcontractor BAAs, train your own workforce, and monitor your own network — in the same multi-tenant workspace you use to serve covered entities. HIPAA Security Suite makes that natural: your organization is a tenant alongside your clients, with the same risk assessment, vendor management, training, and network monitoring tooling. You dogfood the product, you meet your own obligations, and you can show a prospect exactly what their program will look like — because it is the same one running your shop.
The business associate obligation is not a trap; it is an opportunity to be the partner that takes compliance as seriously for itself as it asks its clients to. Sign the BAA — then actually run the program behind it.
Related Reading
- One workspace, every client: multi-tenant HIPAA delivery
- Software supply chain security in healthcare
- The credential leak response playbook
- HIPAA breaches in 2026: what happened
Call to Action
Before you assess another client, assess yourself. Take the 3-minute readiness quiz on your own MSP and see where your business-associate program actually stands — then reach out to run your shop and your clients on the same platform.