HIPAA Compliance Checklist for MSPs (2026 Edition)

The complete HIPAA compliance checklist for MSPs serving healthcare clients. Updated for 2026 with the latest requirements, penalties, and best practices.

Nuronus Team | April 7, 2026 | 15 min read

HIPAA Compliance for MSPs: Everything You Need to Know in 2026

If you're an MSP serving healthcare clients, HIPAA compliance isn't optional—it's the cost of doing business. And in 2026, the stakes have never been higher. OCR (Office for Civil Rights) enforcement is up, penalties are steeper, and your healthcare clients are asking tougher questions.

This checklist covers everything you need to ensure your MSP and your clients stay compliant.


Understanding Your Role: Business Associate Obligations

As an MSP handling Protected Health Information (PHI), you're classified as a Business Associate under HIPAA. This means you're directly liable for compliance—not just your healthcare clients.

What Makes You a Business Associate?

You're a Business Associate if you:

  • Access, store, or transmit PHI on behalf of a Covered Entity
  • Provide IT services to healthcare organizations
  • Manage systems that contain patient data
  • Have access to email systems with patient communications
  • Handle backups that include PHI
  • Provide cloud hosting for healthcare applications

Bottom line: If you touch PHI in any way, you're a Business Associate.


Part 1: Administrative Safeguards Checklist

Administrative safeguards are the policies and procedures that govern how PHI is protected.

1.1 Security Management Process

  • [ ] **Conduct annual risk assessments** for each healthcare client
  • [ ] **Document all identified risks** with severity ratings
  • [ ] **Create risk mitigation plans** with timelines and owners
  • [ ] **Implement sanctions policy** for workforce members who violate policies
  • [ ] **Review and update risk assessments** when systems change

1.2 Assigned Security Responsibility

  • [ ] **Designate a Security Officer** for your MSP (required)
  • [ ] **Ensure each client has a designated Security Officer**
  • [ ] **Document contact information** and responsibilities
  • [ ] **Establish clear escalation paths** for security incidents

1.3 Workforce Security

  • [ ] **Background checks** for all employees with PHI access
  • [ ] **Role-based access controls** limiting PHI access to job requirements
  • [ ] **Termination procedures** ensuring immediate access revocation
  • [ ] **Access review process** conducted at least quarterly
  • [ ] **Documentation of all access grants and revocations**

1.4 Information Access Management

  • [ ] **Implement least privilege access** across all systems
  • [ ] **Document access authorization procedures**
  • [ ] **Maintain access logs** for all PHI-containing systems
  • [ ] **Review user access rights** quarterly
  • [ ] **Isolate healthcare client data** from other clients (critical!)

1.5 Security Awareness and Training

  • [ ] **Initial HIPAA training** for all new employees
  • [ ] **Annual refresher training** for entire workforce
  • [ ] **Document training completion** with dates and signatures
  • [ ] **Phishing simulation testing** at least quarterly
  • [ ] **Training on handling PHI breaches** and reporting requirements
  • [ ] **Role-specific training** for technical staff

1.6 Security Incident Procedures

  • [ ] **Written incident response plan** specific to PHI breaches
  • [ ] **Incident classification criteria** (minor vs. reportable breach)
  • [ ] **Response team roles and responsibilities** documented
  • [ ] **Client notification procedures** defined
  • [ ] **OCR breach reporting procedures** documented
  • [ ] **Incident documentation templates** ready to use
  • [ ] **Post-incident review process** established

1.7 Contingency Plan

  • [ ] **Data backup plan** with PHI-specific requirements
  • [ ] **Disaster recovery plan** tested annually
  • [ ] **Emergency mode operation plan** for critical systems
  • [ ] **Testing and revision procedures** documented
  • [ ] **Applications and data criticality analysis** completed

1.8 Business Associate Agreements (BAAs)

  • [ ] **Signed BAA with every healthcare client**
  • [ ] **Signed BAA with every subcontractor** who may access PHI
  • [ ] **BAA inventory** tracking all agreements
  • [ ] **Annual BAA review** to ensure terms remain current
  • [ ] **Subcontractor compliance verification** process

Part 2: Physical Safeguards Checklist

Physical safeguards protect the physical systems and facilities where PHI is stored or accessed.

2.1 Facility Access Controls

  • [ ] **Contingency operations procedures** for physical access during emergencies
  • [ ] **Facility security plan** for offices and data centers
  • [ ] **Access control and validation** (badges, keys, biometrics)
  • [ ] **Maintenance records** for physical security systems
  • [ ] **Visitor logs and escort procedures**

2.2 Workstation Use

  • [ ] **Workstation use policies** defining appropriate use
  • [ ] **PHI handling procedures** for workstations
  • [ ] **Clean desk policy** for areas with PHI access
  • [ ] **Screen positioning requirements** to prevent unauthorized viewing
  • [ ] **Automatic screen lock** (15 minutes or less)

2.3 Workstation Security

  • [ ] **Physical security of workstations** with PHI access
  • [ ] **Cable locks or secured locations** for laptops
  • [ ] **Prohibited locations** defined (public areas, home offices without approval)
  • [ ] **Remote work security requirements** documented

2.4 Device and Media Controls

  • [ ] **Hardware inventory** tracking all devices with PHI
  • [ ] **Media disposal procedures** (NIST 800-88 compliant)
  • [ ] **Media re-use procedures** with verified sanitization
  • [ ] **Device movement tracking** and accountability
  • [ ] **Encryption requirements** for portable devices
  • [ ] **Certificates of destruction** for disposed media

Part 3: Technical Safeguards Checklist

Technical safeguards are the technology and related policies that protect PHI.

3.1 Access Control

  • [ ] **Unique user identification** (no shared accounts—ever)
  • [ ] **Emergency access procedures** documented and tested
  • [ ] **Automatic logoff** configured on all systems (15 min max)
  • [ ] **Encryption and decryption** for PHI at rest
  • [ ] **Multi-factor authentication** for all PHI system access (critical in 2026!)

3.2 Audit Controls

  • [ ] **Audit logging enabled** on all systems with PHI
  • [ ] **Log retention policy** (minimum 6 years recommended)
  • [ ] **Regular log reviews** (automated alerting preferred)
  • [ ] **Tamper-proof log storage** (WORM or similar)
  • [ ] **Documentation of audit findings** and remediation

3.3 Integrity Controls

  • [ ] **Mechanisms to authenticate PHI** integrity
  • [ ] **Hash verification** for PHI in transit
  • [ ] **Change detection** for critical files
  • [ ] **Database integrity monitoring**

3.4 Person or Entity Authentication

  • [ ] **Strong password requirements** (16+ characters or passphrase)
  • [ ] **Multi-factor authentication** for remote access
  • [ ] **Certificate-based authentication** where appropriate
  • [ ] **Authentication failure lockout** (5 attempts max)

3.5 Transmission Security

  • [ ] **Encryption in transit** (TLS 1.2 or higher—TLS 1.3 preferred)
  • [ ] **Encrypted email** for PHI (portal or encryption gateway)
  • [ ] **VPN requirements** for remote PHI access
  • [ ] **Wireless security** (WPA3 where possible)
  • [ ] **Integrity controls** for transmitted PHI

Part 4: Documentation Requirements

HIPAA requires extensive documentation. If it's not documented, it didn't happen.

4.1 Required Policies (Your MSP)

  • [ ] **Information Security Policy**
  • [ ] **Access Control Policy**
  • [ ] **Incident Response Policy**
  • [ ] **Business Continuity/Disaster Recovery Policy**
  • [ ] **Acceptable Use Policy**
  • [ ] **Data Classification Policy**
  • [ ] **Encryption Policy**
  • [ ] **Vendor Management Policy**
  • [ ] **Physical Security Policy**
  • [ ] **Remote Work Policy**

4.2 Required Policies (Each Healthcare Client)

  • [ ] **Notice of Privacy Practices**
  • [ ] **Patient Rights Policies**
  • [ ] **Minimum Necessary Policy**
  • [ ] **Authorization Policies**
  • [ ] **Breach Notification Policy**
  • [ ] **Sanction Policy**
  • [ ] **Complaint Process**

4.3 Documentation Retention

  • [ ] **Retain all documentation for 6 years minimum**
  • [ ] **Version control** for policy updates
  • [ ] **Review dates tracked** for all policies
  • [ ] **Signature/acknowledgment records** preserved
  • [ ] **Audit evidence** archived properly

Part 5: Breach Notification Requirements

Understanding breach notification is critical—violations here carry the heaviest penalties.

5.1 Breach Determination Process

  • [ ] **Written breach assessment criteria**
  • [ ] **4-factor risk assessment process** (per HHS guidance)
  • [ ] **Documentation templates** for breach analysis
  • [ ] **Legal review process** for potential breaches

5.2 Notification Timelines (2026 Requirements)

| Breach Size | Individual Notice | HHS Notice | Media Notice |
|---|---|---|---|
| 1-499 individuals | 60 days from discovery | Annual log | Not required |
| 500+ individuals | 60 days from discovery | 60 days | 60 days |

5.3 Notification Content Requirements

  • [ ] **Description of breach** in plain language
  • [ ] **Types of information involved**
  • [ ] **Steps individuals should take** to protect themselves
  • [ ] **What you're doing** to investigate and mitigate
  • [ ] **Contact information** for questions

5.4 Your Obligations as Business Associate

  • [ ] **Report breaches to Covered Entity** within 24-48 hours (per your BAA)
  • [ ] **Provide all information needed** for client notifications
  • [ ] **Cooperate with investigations**
  • [ ] **Document your response** thoroughly

Part 6: 2026 Updates and Changes

What's New This Year

Increased Enforcement Focus Areas:

  • **Right of Access violations** - OCR is aggressively pursuing these
  • **Risk analysis failures** - Still the #1 finding in audits
  • **Business Associate compliance** - Direct enforcement increasing
  • **Recognized security practices** - Demonstrating implementation can reduce penalties

Technology Updates:

  • **MFA is effectively mandatory** - OCR considers lack of MFA a deficiency
  • **Cloud security requirements** - Shared responsibility model documentation required
  • **Telehealth compliance** - Post-pandemic, temporary waivers have expired

Penalty Adjustments (2026):

| Violation Category | Minimum | Maximum |
|---|---|---|
| Tier 1 (Unknowing) | $137 | $68,928 per violation |
| Tier 2 (Reasonable Cause) | $1,379 | $68,928 per violation |
| Tier 3 (Willful Neglect - Corrected) | $13,785 | $68,928 per violation |
| Tier 4 (Willful Neglect - Not Corrected) | $68,928 | $2,067,813 per violation |

*Annual cap: $2,067,813 per identical violation category*


Part 7: MSP-Specific Best Practices

Client Onboarding Checklist

  • [ ] **Execute BAA before accessing any systems**
  • [ ] **Conduct initial risk assessment** within 30 days
  • [ ] **Document network topology** and PHI data flows
  • [ ] **Inventory all systems** containing PHI
  • [ ] **Verify encryption** on all PHI storage
  • [ ] **Review access controls** and user accounts
  • [ ] **Establish secure communication channels**

Multi-Tenant Security Requirements

  • [ ] **Logical separation** between healthcare clients
  • [ ] **Separate credentials** for each client environment
  • [ ] **No shared tools** that could cross-contaminate data
  • [ ] **Individual backup sets** per client
  • [ ] **Separate documentation** per client

Subcontractor Management

  • [ ] **BAA with all subcontractors** (cloud providers, backup vendors, etc.)
  • [ ] **Annual compliance verification** for each subcontractor
  • [ ] **Incident notification requirements** in agreements
  • [ ] **Right to audit clauses** included

Common MSP Mistakes to Avoid

1. **Using the same admin credentials across clients** - Never do this

2. **Storing PHI in shared ticketing systems** - Sanitize or segregate

3. **Emailing PHI without encryption** - Always use encrypted channels

4. **Neglecting your own risk assessment** - You need one too

5. **Assuming cloud = compliant** - You're still responsible

6. **Not testing backups** - Untested backups aren't backups

7. **Skipping documentation** - It will hurt you in an audit


Part 8: Audit Preparation Checklist

When OCR comes knocking (or your client faces an audit), be ready.

Pre-Audit Preparation

  • [ ] **Organize all policies** in accessible format
  • [ ] **Compile training records** for all employees
  • [ ] **Gather BAAs** for all relationships
  • [ ] **Pull risk assessment documentation** for past 3 years
  • [ ] **Collect audit logs** demonstrating ongoing monitoring
  • [ ] **Document remediation activities** from past assessments
  • [ ] **Prepare network diagrams** showing PHI flows

During the Audit

  • [ ] **Designate a single point of contact**
  • [ ] **Have legal counsel available**
  • [ ] **Respond to requests promptly** (delays look bad)
  • [ ] **Be honest** - Don't hide problems
  • [ ] **Document everything** discussed

Evidence You'll Need

  • [ ] Risk assessments (current and historical)
  • [ ] Policy documents with review dates
  • [ ] Training completion records
  • [ ] Incident response documentation
  • [ ] Access logs and reviews
  • [ ] BAA inventory
  • [ ] Encryption verification
  • [ ] Backup and recovery test results

Quick Reference: HIPAA Compliance Timeline

| Task | Frequency |
|---|---|
| Risk Assessment | Annual minimum, plus when significant changes occur |
| Policy Review | Annual |
| Security Training | Annual (initial + refresher) |
| Access Reviews | Quarterly |
| Phishing Tests | Quarterly |
| Backup Testing | Monthly |
| Log Reviews | Weekly minimum (daily preferred) |
| BAA Reviews | Annual |
| Disaster Recovery Test | Annual |

Getting Started: Your 30-Day Action Plan

Week 1: Foundation

  • Complete BAA inventory - identify gaps
  • Review your own risk assessment (or conduct if missing)
  • Verify MFA is enabled everywhere

Week 2: Documentation

  • Audit your policy library - update outdated policies
  • Verify training records are complete
  • Document your incident response plan

Week 3: Technical Controls

  • Review encryption status across all clients
  • Verify audit logging is enabled and retained
  • Test backup restoration procedures

Week 4: Ongoing Operations

  • Set up recurring compliance tasks
  • Schedule client risk assessments
  • Establish regular reporting cadence

Conclusion

HIPAA compliance isn't a one-time project—it's an ongoing program. As an MSP serving healthcare clients, your compliance posture directly impacts their compliance posture.

The good news? MSPs who master HIPAA compliance become invaluable partners to healthcare organizations. You're not just providing IT services—you're providing peace of mind and protection from potentially devastating penalties.

Use this checklist as your foundation, but remember: compliance requires continuous attention. Review quarterly, update annually, and stay current with HHS guidance.


*Need help managing HIPAA compliance across your healthcare clients? Try Nuronus free and see how our platform makes compliance management simple for MSPs.*
