What is MSP in Healthcare?
The term MSP in healthcare most often relates to Managed Service Providers who support healthcare staffing, supply medical equipment, or manage multi-vendor IT services on behalf of healthcare organizations. HIPAA compliance plays a role in all three versions of MSP in healthcare, but has the biggest impact on providers of managed IT services.
When a healthcare organization engages the services of a healthcare MSP, it is usually for one of three purposes. The first purpose is to support healthcare staffing. This involves a healthcare staffing MSP placing a healthcare professional or allied health professional in a healthcare organization on a short-term or a temp-to-hire contract to cover a staffing shortage. In this scenario, the responsibility for HIPAA compliance is shared three ways:
- The healthcare organization has the responsibility for training temporary members of the workforce on its HIPAA policies and procedures and security awareness.
- Healthcare professionals and allied health professionals have the responsibility for understanding the basics of HIPAA before taking a placement through the MSP.
- The MSP has the responsibility for checking the certifications of healthcare and allied healthcare professionals – including certifications awarded on completion of HIPAA training.
The second purpose of engaging an MSP is to outsource the provision and maintenance of medical equipment. Services provided by a medical equipment MSP can include asset optimization, user instruction, and integrating the equipment’s software with the IT network. In this scenario, the MSP is responsible for the compliance capabilities of the equipment. The organization is responsible for ensuring the equipment is used in compliance with HIPAA.
Healthcare IT MSPs and HIPAA Compliance
The third purpose of engaging a healthcare MSP is to manage multi-vendor IT services. The services provided by a healthcare IT MSP can range from a simple MSP security stack (e.g., web filter, email filter, password manager, etc.) to a full-time virtual CISO that takes care of everything from conducting HIPAA risk assessments to managing business continuity in an emergency. A virtual CISO can effectively be an organization’s HIPAA Security Officer.
The range of services complicates who is responsible for HIPAA compliance. At the “simple stack” entry level, a healthcare IT MSP is the middleman between multiple software vendors and the healthcare organization. The healthcare IT MSP (as a business associate), the software vendors (as subcontractors), and the healthcare organization (as a covered entity) have a tiered responsibility for ensuring:
- IT solutions are developed to support HIPAA compliance,
- IT solutions are configured to support HIPAA compliance, and
- IT solutions are used in compliance with HIPAA by workforce members.
There can be a little crossover between the three responsibilities. Software vendors might provide instructions to a healthcare IT MSP on how to configure an IT solution to support HIPAA compliance, and a healthcare IT MSP might provide instructions to a healthcare organization on how to use the IT solution in compliance with HIPAA. With regards to Business Associate Agreements, the healthcare organization enters into one Agreement with the healthcare IT MSP, and the healthcare IT MSP enters into subcontractor Agreements with each software vendor.
Where it Gets Complicated for an IT MSP in Healthcare
As the range of services offered by an IT MSP in healthcare becomes more comprehensive, so do the responsibilities for HIPAA compliance. Although the HIPAA Security Rule compliance obligations remain the same, the increased range of services increases the attack surface for cybercriminals. There are more Internet-facing services to protect, more network activities to monitor, more access credentials to manage, and more software vulnerabilities to patch.
When the increased range of services is attributable to sourcing services from an increased number of software vendors, IT MSPs in healthcare also have to enter into more subcontractor Agreements. In addition, some IT solutions only support partial compliance with HIPAA (e.g., Salesforce), while others (e.g., HubSpot) can only be used to create, receive, store, or transmit PHI if a plug-in or extension is installed which isolates PHI from the software vendor’s servers.
It is important for IT MSPs in healthcare to know when IT solutions do not fully support HIPAA compliance, when plug-ins or extensions are required to enable a service to be used with PHI, and when exceptions to HIPAA exist that might allow healthcare organizations to disclose PHI via an MSP-provided service that is not configured to support HIPAA compliance. In some cases, an IT MSP in healthcare can be responsible for nearly all of an organization’s IT compliance.
How to be a HIPAA Compliant Managed Service Provider
Regardless of whether your MSP business provides staffing solutions, medical equipment, or IT services, it is important that it is a HIPAA compliant managed service provider whenever staff, equipment, or services are exposed to Protected Health Information. Not only do you need to understand the HIPAA regulations, but any employees involved in staff training, user instruction, or customer support also need to be aware of the regulations and when they apply.
With regards to Security Rule obligations as a business associate, it is possible to take advantage of the ONC/HHS Security Risk Assessment Tool. This tool will enable you to assess threats and vulnerabilities to PHI created, received, stored, or transmitted by the MSP business. With regards to Privacy Rule obligations, these vary depending on the type of service(s) provided. If you are unsure of your compliance obligations, it is best to speak with a compliance professional.
Cybersecurity Training for Healthcare Employees
HIPAA Training covers the required security rules for protecting PHI, but because most HIPAA breaches stem from human error, our Cybersecurity Training goes a step further by teaching staff how attackers actually gain access and how to stop them.
The Gold Standard in HIPAA Training
by The HIPAA Journal Team
