HIPAA Business Associate Readiness Checklist - MSP Edition 

Zyalto

Managed Service Providers frequently become HIPAA Business Associates without explicit designation. This checklist helps MSPs quickly assess HIPAA exposure, preparedness, and audit evidence readiness from an operational and technical perspective.

Administrative Safeguards

☐ Do we have BAAs with all HIPAA-covered clients?
☐ Are BAAs reviewed and updated regularly?
☐ Do we document which MSP services touch ePHI?
☐ Is HIPAA responsibility defined in contracts and SOWs?
☐ Do we have a HIPAA risk analysis specific to MSP operations?

Technical Safeguards

☐ Is access to ePHI systems role-based and documented?
☐ Are access reviews performed and recorded?
☐ Do we have audit logs and monitoring evidence?
☐ Are backups, restores, and DR tests documented?
☐ Is encryption documented beyond “enabled”?

Physical & Workforce Safeguards

☐ Are technician device policies documented?
☐ Do we control and document remote access methods?
☐ Are onboarding and offboarding procedures documented?
☐ Is HIPAA training documented for MSP staff?

Vendor & Subcontractor Oversight

☐ Do we know which vendors touch ePHI?
☐ Do we have BAAs with those vendors?
☐ Do we review vendor security posture?
☐ Is this oversight documented?

Incident & Breach Preparedness

☐ Do we have a documented HIPAA incident response process?
☐ Can we show decision logic for breach determination?
☐ Do we retain incident evidence?
☐ Do we know who notifies whom and when?

Evidence Reality Check

☐ Could we produce this evidence within 48 hours?
☐ Could we explain it to an auditor confidently?
☐ Is evidence centralized or scattered?

If you answered “no” to more than a few of these, HIPAA risk exists — even if no audit has occurred.

Why This Checklist Matters

HIPAA enforcement is increasingly:

  • Complaint-driven

  • Evidence-focused

  • Vendor-inclusive

MSPs are no longer “behind the scenes.”
They are part of the compliance surface.

How This Ties Back to Zyalto

Tools don’t fail HIPAA audits.
Unprepared evidence does.

That’s why Dossier PRO Core+ with the HIPAA AssureCard Library exists — to give MSPs a structured, auditable way to answer HIPAA questions before OCR asks them.

HIPAA ACL v1.0 — January 1, 2026
Early access: dcote@zyalto.com

Need more information? Search this site or contact me directly at 661-816-1875.

KnowledgeAlign 
Information Design | Development | Training | Knowledge Management | Audit Response Management | Documentation Platform Architecture | Compliance Management | IT and MSP Documentation

5409 Veneto St.  Bakersfield, CA 93308

Copyright 2024 David R. Cote

SlicProcess, KnowledgeAlign, AssureSphere360, and Zyalto are trademarks of David R. Cote
