MSP·OUTPOST

HIPAA

Health Insurance Portability and Accountability Act. U.S. federal legislation enacted in 1996 that establishes national standards for protecting sensitive patient health information. For MSPs, HIPAA compliance is primarily governed by the Security Rule (protecting electronic PHI) and the Privacy Rule (governing how PHI is accessed and disclosed). MSPs serving healthcare clients are classified as Business Associates and must comply with HIPAA as a condition of providing services.

Covered entities
Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Business associates
Vendors (including MSPs) who create, receive, maintain, or transmit PHI on behalf of a covered entity.
Why it matters
HIPAA violations carry civil and criminal penalties up to $1.9M per violation category per year. A data breach without a BAA in place creates joint liability for the MSP and the covered entity.
See also
BAA
CMMC
SOC 2
EDR