February 5, 2026

How Upcoming HIPAA Security Rule Update Fixes MSPs’ Biggest Sales Roadblock

The updated rule makes it clear that more items become mandatory, deadlines get tighter, and documented cybersecurity becomes the default.

If you’ve tried selling real cybersecurity into healthcare, you already know the script. You want to do the right thing, but the client shrugs. The current HIPAA Security Rule is vague, so doctors and dentists don’t take it seriously because they aren’t afraid of it. They won’t pay for the controls that actually reduce risk because they don’t feel required to.

That vagueness has been the biggest reason MSPs get stuck selling nice-to-have security instead of must-do risk reduction. HIPAA’s confusing “addressable-versus-required” structure gave organizations an excuse to do the minimum.

The proposed HIPAA Security Rule update, currently scheduled for final publication in May 2026, is designed to break that stalemate by getting far more prescriptive. While the new rule has passed White House and regulatory review, there is still time to rescind it or make significant changes to the proposed draft rule published in December 2024.

The direction of travel is clear: more items become mandatory, deadlines get tighter, and documented cybersecurity becomes the default.

HIPAA Security Rule Update Changes the MSP Sales Game

Currently, too many healthcare owners treat security as optional — until they’re breached. Under the updated rule, the conversation shifts from “Should we?” to “How fast can we prove it?”

This is a program, documentation, and evidence rule. It means that your client’s ability to produce proof that it is protecting electronic Protected Health Information (ePHI) becomes as important as the technology itself.

This mirrors the pattern in other regulated industries. Prescriptive regimes like PCI DSS, GLBA, the FTC Safeguards Rule, and CMMC Level 1 make it easy to build one standard core compliance service and then wrap it in the wording and specific requirements of whichever regulation applies to a given client.

When evidence is the requirement, MSPs finally get a clear, defensible reason to sell the work that matters.

In practical terms, the scheduled HIPAA Security Rule update pushes healthcare toward controls and activities MSPs have been recommending for years. Only now, these are harder to dodge:

  • Written security policies and scheduled reviews/testing
  • Annual Security Risk Analysis (SRA) plus a documented risk management plan
  • Asset inventory and network/data-flow mapping of how ePHI moves
  • Patch/vulnerability management with deadlines, scheduled scanning, and annual penetration testing
  • Logging and documented log review actions
  • Incident response plan and annual testing
  • Contingency planning with restoration objectives and restoration testing
  • Core technical controls like MFA and encryption, deployed and maintained

While the new rule would codify these requirements under HIPAA, most of them already appear in other obligations healthcare organizations face: cyber insurance policies, contracts with cyber clauses, PCI DSS for payment card data, and state laws.


The Other Hidden Win for MSPs: Vendor Scrutiny

The proposed rule also increases scrutiny of HIPAA Business Associates: vendors. This includes MSPs that come in contact with Protected Health Information (PHI) or the systems that do.

Covered Entities will need proof that all their Business Associates have deployed, maintained, and tested the required HIPAA safeguards. Promises in a Business Associate Agreement that everyone files away simply will not suffice.

That creates a second sales lever. Healthcare providers will feel pressure to standardize expectations across vendors, and MSPs that can produce evidence quickly will stand out.

This offers MSPs opportunities to help healthcare providers ensure secure cyber supply chains.

Spotting HIPAA Covered Entities and Business Associates

Some HIPAA Covered Entities are easy to spot. These are healthcare providers — doctors, dentists, pharmacists, etc. — and the health plans that pay them.

Some HIPAA Business Associates are also easy to identify by their names or by the services they provide: medical billing companies, answering services, copier vendors, paper shredding services, MSPs, and cloud services that store or back up patient data. Others are harder to spot. These include:

  • Law firms that defend doctors in malpractice lawsuits or offer healthcare merger and acquisition guidance
  • Accountants who audit healthcare organizations, collections agencies, consultants, private equity investors, banks, and others.

To find out, ask healthcare organizations for a list of their vendors and advisors. You can also ask non-healthcare organizations directly whether they are HIPAA Business Associates. If they aren’t sure, ask whether they support healthcare clients, ever come in contact with patient information while doing so, or have signed a HIPAA Business Associate Agreement.

How to Position Your Offering without Liability

There are three things to look out for when you are providing HIPAA compliance services:

  1. Don’t market HIPAA-compliant services as a blanket promise. If you claim it and can’t prove delivery, it can become a legal and insurance nightmare. Your terms and conditions won’t protect you and your insurance won’t pay.
  2. Don’t say you can make clients HIPAA compliant. Clients can’t outsource everything. They still own pieces like workforce processes, physical security, and vendor management. Also, clients use systems you don’t manage. For example, you don’t manage Electronic Health Record (EHR) and medical imaging cloud services, connected medical devices, and connected lab equipment.
  3. Don’t oversell the details in the new HIPAA Security Rule. It won’t be official until it is published as a final rule in the U.S. Federal Register, currently scheduled for May 2026. The final rule will likely differ from the proposed rule, and it is still possible that it will be rescinded. Regardless, start preparing now.

Your best positioning is simple: “We can’t make you breach-proof. We can make you defensible — on schedule and with evidence.” That message solves the MSP pain point the current HIPAA rule created.

The Takeaway

The current HIPAA Security Rule has unclear requirements that produce price resistance. However, with the new rule’s specificity, you can finally sell a productized HIPAA readiness program.

You can also get paid for the documentation, testing, and proof your clients always needed but rarely prioritized.


Mike Semel is owner of Semel Consulting. He is a recognized HIPAA authority in the MSP and healthcare industries. Semel authored the best-selling book, How to Avoid HIPAA Headaches. Semel’s Compliance MASTERY for MSPs training system for MSPs includes a HIPAA training course with templates and checklists. He has created two free fact sheets about the new rule. One is for your MSP business, the other is to give to prospects and clients.
