The HIPAA MSP Gap
Only 50% of MSPs serving healthcare clients maintain their own HIPAA compliance programs. HIPAA Journal research reveals the assumption gap: healthcare organizations assume their MSP is compliant. Half the time, they’re wrong. Average HIPAA breach penalty reached $1.5M in 2023.
The assumption creates liability. Business Associate Agreements shift some responsibility to MSPs. But 72% of OCR enforcement actions cite the covered entity, not just the BA. When OCR investigates, they investigate you.
The Compliance Inheritance Myth
Many organizations believe that using a compliant MSP makes them compliant. The math doesn’t work:
| Compliance Element | MSP Can Provide | Client Must Provide |
|---|---|---|
| Technical controls | Infrastructure security | Application security |
| Documentation | System procedures | Policy governance |
| Access management | Technical implementation | Access decisions |
| Training | Their staff training | Your staff training |
| Risk assessment | Technical assessment | Organizational assessment |
| Incident response | Technical response | Business response |
MSP compliance covers MSP obligations. Client compliance covers client obligations. Neither substitutes for the other.
The Boundary Definition Problem
Where does MSP responsibility end and client responsibility begin?
In theory: Contracts define boundaries.
In practice: Contracts define some boundaries. Reality has more boundaries than contracts anticipate.
| Gray Zone | Who Typically Assumes Ownership | Who Actually Owns |
|---|---|---|
| Application patching | MSP | Depends on application |
| User access reviews | Each assumes other | Often nobody |
| Encryption at rest | MSP | Depends on deployment |
| Data classification | MSP | Client always |
| Audit log review | MSP | Depends on contract |
| Vendor risk assessment | Each assumes other | Client responsibility |
Each gray zone becomes a compliance gap when auditors or regulators look closely.
The Framework Proliferation Challenge
Organizations face multiple frameworks with overlapping but different requirements:
| Framework | Focus | MSP Relevance |
|---|---|---|
| SOC 2 | Service organization controls | Core MSP compliance |
| ISO 27001 | Information security management | Enterprise standard |
| NIST CSF | Risk framework | Federal and enterprise |
| PCI-DSS | Payment card security | If payment data involved |
| HIPAA | Healthcare data | If PHI involved |
| GDPR | European data protection | If EU data involved |
| State privacy laws | State-specific requirements | Varies by state |
Each framework has requirements. Some overlap. Some conflict. The MSP may be certified to some, not others. Your obligations span all applicable frameworks regardless of MSP coverage.
The Audit Evidence Problem
Compliance audits require evidence. Evidence lives in MSP systems:
Configuration evidence. Firewall rules, access controls, encryption settings.
Log evidence. Who accessed what, when, what changed.
Process evidence. That procedures were followed.
Testing evidence. That controls were validated.
If you can’t access this evidence independently, you depend on MSP cooperation for audit success.
The SOC 2 Report Misconception
MSPs provide SOC 2 reports as compliance evidence. The reports have limitations:
Type I vs. Type II. A Type I report attests to control design at a point in time. A Type II report attests to operating effectiveness over a period. Type I proves little about ongoing compliance.
Scope limitation. The report covers what was in scope. Your specific controls may not be included.
Time lag. Reports cover past periods. Current state may differ.
Complementary user entity controls. The report assumes you implement certain controls on your side. If you don’t, the MSP’s controls don’t protect you.
Exceptions noted. Read the exceptions section. Material issues hide there.
The SOC 2 report supports compliance. It doesn’t substitute for your own compliance program.
The Shared Responsibility Ambiguity
Cloud and MSP services create shared responsibility models. The models look clear in marketing. They’re ambiguous in practice:
IaaS shared responsibility: Provider secures infrastructure, you secure everything above.
MSP shared responsibility: MSP secures managed components, you secure what’s not managed.
Reality: The boundaries shift based on service configuration, evolving threats, and contract interpretation.
Document your understanding of shared responsibility. Update it as services change. Don’t assume alignment.
The Regulatory Evidence Request
When regulators request evidence, response challenges emerge:
Data location. Where does the evidence exist? Can you access it?
Format. What format do regulators need? Can the MSP provide it?
Timeline. Regulators set deadlines. Can the MSP respond in time?
Cost. Will the MSP charge for evidence production? How much?
Completeness. Can you verify the evidence is complete?
Pre-negotiate regulatory cooperation provisions. The conversation during investigation is adversarial.
The Compliance Monitoring Gap
Compliance isn’t achieved once. It’s maintained continuously. Monitoring gaps include:
Configuration drift. Controls implemented, then changed.
Personnel changes. Trained staff leave, and untrained staff replace them.
Scope creep. New data types, new systems, new obligations.
Regulatory evolution. Requirements change, compliance lags.
Vendor changes. The MSP changes its practices, and your compliance is affected.
Monitoring responsibility must be assigned. If neither party monitors, compliance erodes undetected.
The Multi-Jurisdiction Problem
Organizations operating across jurisdictions face compounding complexity:
| Jurisdiction | Key Requirements | MSP Impact |
|---|---|---|
| GDPR (EU) | Data subject rights, breach notification | Data processing location matters |
| CCPA/CPRA (California) | Consumer rights, sale restrictions | Definition of "sale" includes sharing |
| HIPAA (US) | PHI protection | BAA required |
| SOX (US) | Financial controls | IT controls included |
| NYDFS (NY) | Cybersecurity for financial | Specific technical requirements |
Each jurisdiction may have different MSP requirements. Compliance with one doesn’t ensure compliance with others.
Building Compliance Coordination
Effective compliance coordination requires:
Obligation mapping. Document all compliance obligations by framework and jurisdiction.
Responsibility matrix. For each obligation, assign responsibility: client, MSP, or shared.
Evidence inventory. Identify what evidence each obligation requires and where it resides.
Gap analysis. Compare obligations, responsibilities, and evidence. Identify gaps.
Remediation tracking. Address gaps with specific actions, owners, and deadlines.
Ongoing monitoring. Regular verification that obligations continue to be met.
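The responsibility matrix and gap analysis steps above, worked as a small script. This is an added example, not part of the original article: the obligations are constructed from the gray-zone table earlier on the page, and the MSP’s certification set, the evidence-location values and the gap rules are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Obligation:
    name: str
    framework: str            # framework the obligation comes from
    client_assumes: str       # who the client assumes owns it: "client" or "msp"
    msp_assumes: str          # who the MSP assumes owns it
    evidence_location: str    # where the evidence lives: "client", "msp" or "unknown"
    client_can_access: bool   # client can pull the evidence without MSP cooperation

# Constructed sample matrix built from the page's gray zones (assumed values).
MATRIX = [
    Obligation("Application patching", "SOC 2", "msp", "msp", "msp", True),
    Obligation("User access reviews", "HIPAA", "msp", "client", "msp", False),
    Obligation("Encryption at rest", "HIPAA", "msp", "msp", "msp", True),
    Obligation("Data classification", "HIPAA", "msp", "client", "unknown", False),
    Obligation("Vendor risk assessment", "HIPAA", "msp", "client", "client", True),
]
MSP_CERTIFIED = {"SOC 2"}   # assumed: MSP holds a SOC 2 report but no HIPAA program

def effective_owner(ob):
    """Responsibility matrix entry: the agreed owner, or UNASSIGNED if the parties disagree."""
    return ob.client_assumes if ob.client_assumes == ob.msp_assumes else "UNASSIGNED"

def gap_analysis(matrix, msp_certified):
    """Return {obligation name: [gap reasons]} for every obligation with at least one gap."""
    gaps = {}
    for ob in matrix:
        reasons = []
        if effective_owner(ob) == "UNASSIGNED":
            reasons.append(f"ownership mismatch: client assumes {ob.client_assumes}, "
                           f"MSP assumes {ob.msp_assumes}")
        if ob.evidence_location == "unknown":
            reasons.append("evidence location not inventoried")
        elif ob.evidence_location == "msp" and not ob.client_can_access:
            reasons.append("evidence depends on MSP cooperation")
        if effective_owner(ob) == "msp" and ob.framework not in msp_certified:
            reasons.append(f"MSP owns control but is not certified to {ob.framework}")
        if reasons:
            gaps[ob.name] = reasons
    return gaps

if __name__ == "__main__":
    for name, reasons in gap_analysis(MATRIX, MSP_CERTIFIED).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Each gap in the output is a remediation item that needs an owner and a deadline; obligations with agreed ownership, accessible evidence and a certified framework produce nothing.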
The Cost of Compliance Assumptions
Compliance assumptions fail expensively:
Audit findings. Auditors find gaps you assumed were covered.
Regulatory penalties. Regulators fine organizations, not MSPs, for compliance failures.
Breach consequences. Non-compliance may void insurance or increase liability.
Customer impact. Customers discover compliance gaps and exit relationships.
Competitive disadvantage. Inability to demonstrate compliance loses opportunities.
The cost of proper coordination is lower than the cost of failed assumptions.
The Contract Compliance Provisions
Contracts should address compliance explicitly:
Compliance certification. MSP certifies compliance with specified frameworks.
Evidence provision. MSP agrees to provide compliance evidence on request.
Audit cooperation. MSP cooperates with client audits and regulatory requests.
Change notification. MSP notifies client of changes affecting compliance.
Breach notification. MSP notifies client promptly of compliance breaches.
Termination rights. Client can exit if MSP loses compliance status.
Generic contracts may not include these provisions. Negotiate them.
Sources
- MSP HIPAA compliance rates: HIPAA Journal
- Compliance framework requirements: Respective regulatory bodies
- Shared responsibility models: Cloud and managed services industry standards