This article is written by Mike Semel, a CMMC Certified Assessor who has created CMMC for MSPs, which includes Customer Responsibility Matrix (CRM) training and a template, to help MSPs deliver CMMC Level 2 compliance.
FREE OFFER to MSP Success readers – You want to be the one people remember for telling them about the new HIPAA Security Rule first. CLICK HERE to download two fact sheets about the new rule. One is for your MSP business, and the other is to give to prospects and clients.
The proposed HIPAA Security Rule update has moved to the Final Rule stage and is scheduled for publication in May 2026.
If the final rule is similar to the proposed rule that was released in December 2024 for comments, big changes are in store for healthcare providers and the businesses that support them, including MSPs.
MSPs tell me the same story over and over:
“We want to do the right thing for healthcare clients … but HIPAA is vague, doctors and dentists don’t take it seriously, and they won’t pay for solutions that actually reduce risk because they aren’t required.”
That’s a real problem. Vague rules create clients who want to implement only the absolute minimum that is clearly required. That’s why the White House and Congress demanded stricter healthcare cybersecurity regulations, after devastating data breaches and ransomware attacks crippled the healthcare payment system and breached millions of patient records.
The new rule won’t magically make doctors and dentists love cybersecurity, but it makes compliance harder to dodge: More items become mandatory, deadlines get tighter, and “show me the evidence” becomes the default. This will give federal enforcers the power they lacked because of the vague wording in the current rule, which has been challenged successfully in court. It will also further empower state attorneys general, who have the authority to enforce HIPAA along with their state data breach laws, and lawyers suing healthcare providers on behalf of patients after data breaches, ransomware attacks, and privacy violations.
And here’s the part MSPs often miss: HIPAA compliance isn’t only for Covered Entities—doctors, dentists, and health plans.
If you sell to healthcare, you can also sell to the ecosystem around healthcare.
Who else gets pulled into HIPAA, besides healthcare providers and health plans?
HIPAA is required for Business Associates—vendors that touch Protected Health Information (PHI) or the systems that process it.
These companies are almost always Business Associates when servicing healthcare organizations:
- Medical billing/Revenue Cycle Management, coding, or claim processing organizations
- Medical research universities
- Answering services
- Backup/BC/DR providers
- MSPs/outsourced IT/help desk
- SOC/MDR/IR vendors operating in PHI environments
- EHR and practice management vendors
- Patient portals/secure messaging portals
- Telehealth platforms (when contracted by a provider/plan and handling PHI)
- Appointment reminder system vendors
- Transcription/scribing vendors
- Document scanning/indexing, records storage, shredding/destruction vendors
- Email archiving/eDiscovery for healthcare mailbox vendors
- Analytics vendors using identifiable patient data
- Nurse triage call centers
These companies are considered Business Associates if they access PHI when servicing healthcare organizations:
- Law firms (malpractice defense, collections—not personal injury)
- Accounting firms
- Consultants
- Collection agencies, payment processors
- Software developers/system integrators
- Medical device vendors (e.g., those offering remote support/monitoring)
- Printing/mailing vendors
- Secure fax/e-fax providers
- Reputation management firms/patient surveyors
- Health Information Exchange (HIE)–related vendors
That means more clients, more projects, and more recurring revenue—if you productize it and get your own house in order first.
Where this sits in the rulemaking process
- The antiquated and ineffective 2005 HIPAA Security Rule, which was updated in 2013, is still the law today. It won’t be replaced until a final rule is published in the U.S. Federal Register. The final rule has passed the critical White House review and is scheduled to be published in May 2026.
- Even though the rule continues to move forward, it’s still possible that it won’t reach the finish line. Timelines can move. Proposed rules can be rescinded.
- This rule is getting a lot of pushback. As you can imagine from hearing doctors and dentists complain about cybersecurity costs, their associations are complaining to Congress and the White House about the costs of the strict cybersecurity requirements in this rule, particularly in light of cuts to Medicaid payments. That may cause some requirements in the proposed rule to be relaxed, delayed, or abandoned.
- Like previous HIPAA rules, expect that the new rule will not be enforced for six months after publication, to give covered organizations time to implement the requirements.
- The smart move is to align clients with the direction of travel now—because everything in the proposal is also “common sense” modern cybersecurity and incident defensibility. Many things in the proposed HIPAA rule are already required by cyber insurance companies, so you can position a cybersecurity review as ensuring both compliance with insurance and readiness for the new HIPAA rule.
Why this is different even in the ‘proposed’ stage
- HIPAA’s confusing “addressable vs. required” structure gave businesses an excuse to do the minimum. The proposed update is more prescriptive: written policies, testing and reviews on a defined schedule, tighter timelines, and clearer expectations for common controls (e.g., MFA, encryption, patching, logging).
- Translation: the “traffic laws” get specific. If your client crashes, they won’t get to argue that the stop signs were “optional.”
What MSPs should pay attention to
- This is not a “buy tools” rule. It’s a program + documentation + evidence rule. Being able to provide clients with evidence of their compliance is as important as implementing cybersecurity. Sound familiar? The new HIPAA rule is similar to many other compliance requirements: CMMC, the FTC Safeguards Rule, GLBA, PCI-DSS, cybersecurity clauses in contracts, and cyber insurance.
- Expect more scrutiny on Business Associates (including MSPs). Covered Entities will need documented proof your HIPAA safeguards are deployed, maintained, and tested—not just promised in a Business Associate Agreement.
- Some organizations will want to outsource the “security official” role. That can be a premium service opportunity … or a liability trap if you don’t properly define scope and limits in a Shared Responsibility Matrix and limit your liability in your master service agreement. It will also require you to expand your knowledge from the systems you currently manage to all the systems your client uses. I made that leap and it was surprisingly easy.
In my next article, I will explain what’s in the proposed rule, and what you should do to prepare yourself and your clients.
Happy HIPAA!
Disclaimer: This article is educational and does not constitute legal advice. Consult qualified counsel who specializes in MSPs for legal interpretation and contracting decisions.
For more compliance advice, check out Semel’s last article on why the customer responsibility matrix is critical to CMMC.