FREE OFFER to MSP Success readers – You want to be the one people remember for first telling them about the new HIPAA Security Rule and the new Senate bill. CLICK HERE to download the updated fact sheets, which now include both the proposed HIPAA Security Rule and the pending Senate healthcare cybersecurity bill. One is for your MSP business and the other is to give to prospects and clients.
BREAKING NEWS! – A Senate committee just moved a new healthcare cybersecurity bill towards a vote. The Health Care Cybersecurity and Resiliency Act includes increased cybersecurity requirements for healthcare Covered Entities and Business Associates, but leaves out many of the controversial practices in the proposed HIPAA Security Rule update. The Senate bill requires input from the healthcare industry and includes grant funding for many healthcare organizations. Healthcare providers may qualify for financial assistance for MSP services and updated systems. It now seems less likely that the HIPAA Security Rule will be published in May, because the Senate bill both increases health care cybersecurity and provides more benefits to affected organizations.
In Part 1 of this two-part series, I explained the HIPAA rulemaking process and who must comply when the updated HIPAA Security Rule is published, currently scheduled for May 2026. In this article, I will explain the new requirements and how you can make money from them.
Where the proposed HIPAA Security Rule sits in the rulemaking process
- The antiquated and ineffective 2005 HIPAA Security Rule, which was updated in 2013, is still the law today. It won’t be replaced until a final rule is published in the U.S. Federal Register. The final rule has passed the critical White House review and is scheduled to be published in May 2026.
- Even though the rule continues to move forward, it’s still possible that it won’t reach the finish line. Timelines can move. Proposed rules can be rescinded. The new Health Care Cybersecurity and Resiliency Act may supersede it.
- This rule is getting a lot of push-back. As you can imagine from hearing doctors and dentists complain about cybersecurity costs, their associations are complaining to Congress and the White House about the costs of the strict cybersecurity requirements in this rule, particularly in light of cuts to Medicaid payments. That may cause some requirements in the proposed rule to be relaxed, delayed, or abandoned.
- Like previous HIPAA rules, expect that the new rule will not be enforced for six months after publication, to give covered organizations time to implement the requirements.
Proposed HIPAA requirements that create MSP opportunity
The proposed rule pushes healthcare toward the documented and auditable cybersecurity MSPs already know is needed to protect electronic Protected Health Information (ePHI)—and it’s going to be much harder for clients to ignore:
- Written security policies, procedures, and plans reviewed and tested at least annually (and updated when material changes occur)
- An annual compliance audit covering each Security Rule standard and implementation specification
- An annual Security Risk Analysis (SRA), plus a written risk management plan that prioritizes and tracks remediation
- An ongoing comprehensive technology asset inventory, along with a network map/data-flow diagram showing how ePHI moves (including ingress/internal flow/egress and external access)
- Documented evaluations before changes that could affect confidentiality, integrity, or availability of ePHI (change management)
- Patch and vulnerability management with deadlines, plus scheduled vulnerability scans and annual penetration testing
- Access governance that includes written access control procedures, rapid removal of access when workforce members leave or change roles, and timely notification to other organizations when a user's access to shared systems changes
- Security awareness training deadlines (initial + annual + retraining when policies change)
- Logging and documented activity reviews and response actions
- A written incident response plan with annual testing and updates
- Contingency planning with restoration objectives (restoration timelines, current backups, full restoration testing)
- Core technical controls that must be deployed and maintained (encryption, MFA, anti-malware, secure configuration, logging/audit controls, unique passwords, segmentation)
- Business Associate oversight in the form of annual audits of BAs, plus written verification that required technical safeguards are deployed
This rule differs from the current rule in two ways that matter to MSPs: the requirements are worded clearly enough to be measured, and healthcare organizations will have to exercise documented oversight over their vendors, including you.
Where the proposed Health Care Cybersecurity and Resiliency Act sits in the lawmaking process
The proposed legislation has sponsors from both parties and passed its committee vote 22-1, showing clear bipartisan support. The next steps are to evaluate the bill’s budgetary impact and bring the bill to the Senate floor for debate and possible amendments. A final version will be voted on by the full Senate. If it passes, it will go to the House of Representatives and, if passed, on to the President to sign into law.
Proposed Senate bill requirements that create MSP opportunities
The most significant news in the new bill is a cybersecurity grant program for many types of healthcare providers, including:
- Public or nonprofit private health centers
- Indian Health Service clinics
- Hospitals
- Cancer centers
- Rural health clinics
- Academic health centers
- Nonprofit entities that partner or coordinate referrals with qualifying providers
The proposed grant program includes funding to update systems and contracts with third parties. There are relatively few named cybersecurity requirements in the bill, which leaves the door open for the HHS Secretary to increase the cybersecurity requirements after consulting with the healthcare industry.
The requirements named in the bill so far are:
- Multifactor authentication
- Encryption
- Cybersecurity audits
- Penetration testing
- "Other minimum cybersecurity standards, as determined by the Secretary, in consultation with private sector entities"
If this law is passed, it will be a game-changer for healthcare cybersecurity with the government not just demanding better cybersecurity, but helping to pay for it. This bill passed through its committee with overwhelming bipartisan support and is likely to be supported by both sides in Congress and be signed by the president.
A Critical Disclaimer
MSPs will no longer be able to casually market "HIPAA-compliant services" or tell clients, "we make you compliant." Promising "HIPAA-Compliant Services" and not delivering them can be treated as fraud, and that can void your Master Services Agreement and your Errors and Omissions insurance coverage.
WARNING: I have assessed hundreds of healthcare organizations that rely on MSPs, and every single one failed their HIPAA assessment because the services provided by the MSP failed to meet the requirements. With the new rule, there will be measurable requirements and liability for not meeting them.
Like GLBA, the FTC Safeguards Rule, and CMMC, clients can’t outsource all their cybersecurity requirements. They need to take ownership of their employee screening, onboarding and terminations, physical security, and vendor management.
HIPAA doesn’t just apply to systems managed by MSPs. All systems in the client environment, including Electronic Health Records (EHR) cloud services, medical imaging systems, medical devices, and lab equipment are in scope of each new security control.
This is your chance to expand your cybersecurity expertise across all your clients’ systems, increase your fees and your profits, and create a very sticky relationship.
You will need to update your agreements with healthcare clients and with the businesses that support them, because you will have to implement more cybersecurity processes, stick to a strict schedule, and deliver documentation that is not currently in the scope of your services.
Action steps for MSPs, before you sell HIPAA services
If you are going to be successful with the new HIPAA Security Rule, there are some steps you can take now.
- Clean up your own HIPAA posture first. Ensure your practices are fully aligned with the regulation and that you can easily provide documented evidence.
- Build a digital HIPAA evidence binder or add on profitable compliance services using a Governance Risk Compliance (GRC) tool: policies, procedures, change logs, screenshots, reports, attestations—organized and easy to produce on demand.
- Standardize your Security Risk Analysis approach for healthcare (make it repeatable).
- Create an asset inventory and data-flow mapping workflow you can run in days, not weeks.
- Define patch SLAs that match the proposed deadlines—and prove you hit them (tickets + reports).
- Implement and document your vulnerability scanning cadence and annual penetration testing (scope, dates, results, remediation).
- Turn "logging" into logging + review. Anyone can collect logs. Your value is activity reviews, alerts, escalation, and documentation. Add 24×7 SOC-as-a-Service.
- Operationalize offboarding. If the expectation is fast removal of access, you need automation plus a way to make after-hours decisions. Don't assume the automation worked or that everyone followed the process. Every month, send the current user list to your clients and have them verify that each user is still authorized.
- Train your own team on HIPAA-specific do’s/don’ts—and keep records.
- Fix your contracts so they include Business Associate language, responsibilities, notification timelines, and evidence expectations. Either party can provide a Business Associate Agreement, but it’s always better to have your clients sign yours because you know it doesn’t include any unpleasant surprises. If your client insists that you sign theirs, it’s worth paying an attorney to review it so you aren’t surprised by clauses that nullify the protections in your master agreement, which was the cause of an MSP lawsuit.
- Productize offers so you’re not writing custom Statements of Work (SOWs) every time.
- Decide what you will NOT do (and say it clearly).
- Don’t over-market your services. You can’t “make someone compliant” because there are always things they must do for themselves and they use technology you don’t support.
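The monthly user-list verification step above is easy to describe and easy to skip. The following is an added example (not code from the article or from any MSP tool) of how to make it mechanical: take the accounts that actually exist on a system, compare them with the roster the client last attested to, flag the exceptions the client must decide on, and hash the result so it can be kept as dated evidence. Every account, name, role and the 45-day stale threshold is a constructed assumption.

```python
"""Monthly access recertification for a healthcare client.

Added example (not from the article): compare the accounts that actually exist
on a system against the roster the client has attested to, flag the exceptions
the client must decide on, and hash the result so it can be kept as dated
evidence.  All account data below is constructed; names, roles and the
STALE_DAYS threshold are assumptions, not values from any rule or client.
"""
from datetime import date
import hashlib
import json

# Assumption: accounts unused for longer than this are flagged for the client to confirm.
STALE_DAYS = 45

# Constructed export of accounts that exist today (what an admin console would list).
CURRENT_ACCOUNTS = [
    {"user": "aperez", "role": "front desk", "mfa": True, "last_login": "2026-03-28", "service": False},
    {"user": "jchen", "role": "physician", "mfa": True, "last_login": "2026-03-30", "service": False},
    {"user": "rsmith", "role": "billing", "mfa": False, "last_login": "2026-03-29", "service": False},
    {"user": "tmoore", "role": "nurse", "mfa": True, "last_login": "2025-12-15", "service": False},
    {"user": "svc-backup", "role": "service", "mfa": False, "last_login": None, "service": True},
    {"user": "contractor7", "role": "IT vendor", "mfa": True, "last_login": "2026-03-30", "service": False},
]

# Constructed roster the practice manager signed off on last month.
AUTHORIZED_USERS = {"aperez", "jchen", "tmoore", "svc-backup"}


def review_access(accounts, authorized, as_of, stale_days=STALE_DAYS):
    """Return one finding per exception; an empty list means nothing to recertify."""
    findings = []
    seen = set()
    for acct in accounts:
        user = acct["user"]
        seen.add(user)
        if user not in authorized:
            # Highest priority: an account the client never approved or has since terminated.
            findings.append({"user": user, "issue": "not_authorized",
                             "action": "disable now; confirm termination with client"})
            continue
        if acct["service"]:
            # Service accounts cannot do interactive MFA; they are reviewed separately.
            continue
        if not acct["mfa"]:
            findings.append({"user": user, "issue": "mfa_not_enrolled",
                             "action": "enforce MFA before next login"})
        last = acct["last_login"]
        if last is None:
            findings.append({"user": user, "issue": "never_logged_in",
                             "action": "client confirms account is still needed"})
        elif (as_of - date.fromisoformat(last)).days > stale_days:
            findings.append({"user": user, "issue": "stale",
                             "action": f"unused >{stale_days} days; client confirms or we disable"})
    # Roster names with no matching account usually mean the roster itself is out of date.
    for user in sorted(authorized - seen):
        findings.append({"user": user, "issue": "authorized_but_no_account",
                         "action": "client corrects roster"})
    return findings


def evidence_record(findings, as_of, client):
    """Wrap the review in a dated, hashed record for the evidence binder."""
    body = json.dumps({"client": client, "as_of": as_of.isoformat(), "findings": findings},
                      sort_keys=True)
    return {"as_of": as_of.isoformat(), "client": client,
            "finding_count": len(findings),
            "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
            "body": body}


def run_review(as_of_iso="2026-03-31", client="Example Clinic (constructed)"):
    """Run the constructed sample end to end; returns (findings, evidence record)."""
    as_of = date.fromisoformat(as_of_iso)
    found = review_access(CURRENT_ACCOUNTS, AUTHORIZED_USERS, as_of)
    return found, evidence_record(found, as_of, client)


if __name__ == "__main__":
    found, record = run_review()
    for f in found:
        print(f"{f['user']:<12} {f['issue']:<26} {f['action']}")
    print("evidence sha256:", record["sha256"])
```

On the constructed data the script flags the terminated billing user and the vendor account as unauthorized, and the nurse who has not logged in since December as stale; the service account is deliberately excluded from the MFA and stale checks so it does not drown the client in noise. The hashed record is what goes into the evidence binder, next to the client's signed confirmation, so that months later you can show what the user list looked like and what the client decided about it.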
Four offers you can productize
HIPAA Readiness Sprint (fixed-fee)—Includes a risk analysis, inventory + data-flow mapping, a gap remediation roadmap, a documentation starter kit, and an executive summary the client can understand.
Ongoing HIPAA Cybersecurity Program (monthly)—Consider offering patch/vulnerability cadence, logging + reviews, training, tabletop exercises, evidence maintenance, and quarterly leadership updates.
Business Associate Compliance Package—Help non-healthcare vendors that qualify as BAs build the same evidence and controls so they can keep (and win) healthcare clients. Help your healthcare clients audit their business associate vendors to ensure they are meeting the new requirements so your clients aren’t penalized for choosing bad partners.
Expert Referral—You can make money and look like a hero by referring a qualified expert to advise your clients across all their technology, not just the systems you manage.
The talk track that gets “non-technical” healthcare owners to lean in
- HIPAA isn't just about complying and being a good Girl or Boy Scout. HIPAA compliance is directly tied to being paid by Medicare, Medicaid, and private insurance. The new HIPAA rule lines up with the requirements in the cyber insurance policies doctors expect to pay out when they need them. And it's a built-in defense against lawsuits.
- This isn’t about buying another tool. It’s about being able to prove you did the basics — on time — with evidence.
- If your client gets hit with ransomware, the question won’t be “did you have antivirus?” It will be “show me historical evidence of your risk analysis, data flows, patching, log reviews, backups, and restore tests.” The request is likely to go back months or even a year, and you can’t create it when the demand is made.
- We can’t make you breach-proof. But we can make you defensible—and we can reduce the chance you become the next headline.
Bottom line
If you wait for the final rule, you’re late. You want healthcare providers to remember that you were the one who told them about the new rule and that you can help them prepare for the new reality.
The MSPs who win in healthcare won’t be the ones with the most tools. They’ll be the ones who can produce the best evidence, fastest—and help clients do the same—across all their systems.
That’s not just good security. That’s a premium service.
Here's your simple next move: pick one healthcare client you like, run a readiness sprint, package the results into an executive-friendly roadmap, and offer a monthly program that keeps them defensible by building a library of historical documentation. You won't be able to produce that evidence on the fly when they receive a surprise audit notice, have an incident, or are sued.
Do that a few times and you will have built a repeatable healthcare compliance practice that is sticky, profitable, and much less stressful than chasing one-off projects.
Happy HIPAA!
Related: From Trust to Proof: Why SOC 2 Is Becoming the Growth Engine for MSPs
Disclaimer: This article is educational and does not constitute legal advice. Consult qualified counsel that specializes in MSPs for legal interpretation and contracting decisions.