Have you ever looked at something or someone successful and thought “Dang! I could’ve done that.”? Yeah, me too!

Fortunately, new and interesting opportunities pop up all the time. Within the healthcare community, there is a huge government regulation known as HIPAA. With healthcare providers and others legally bound by these HIPAA regulations, MSPs and small, independent IT providers can take advantage of the situation by offering HIPAA compliant IT support. Just what exactly is the market need? How costly are HIPAA violations for prospective healthcare clients that don't use your managed IT services? How can you introduce new monthly recurring revenue streams for your MSP business?


HIPAA, which stands for the Health Insurance Portability and Accountability Act, has been around since 1996, but something very interesting happened more than a decade later when in January 2013, the Omnibus Rule (also known as the Final Rule) was added to the existing legislation. As a result, the HIPAA implications for MSPs have changed significantly, placing a greater importance on IT compliance. 

In addition to the Omnibus Rule, the “enforcement arm” of HIPAA has begun to flex its muscle. HIPAA fines for violations are HUGE! Could your business survive this financial blow? Could your clients survive after losing $50K? Some would even say the penalties are draconian. I believe the chart below demonstrates this fact, but what do you think?


Just so you understand the table, the more neglectful a healthcare provider is in NOT following HIPAA, the higher the fines (up to $1,500,000 annually per violation. Yes, $1.5 million!). The chart fails to show, however, that HIPAA violations can result in prison time in addition to monetary fines. Then, add on top of this the costs involved with handling the fallout, which are typically much higher. Being found in noncompliance is brand-damaging. If you were a doctor, do you think your patients would trust you with their medical records, knowing your practice had a record of its own?

Bottom line: Healthcare providers can't afford to ignore the law. They must comply with HIPAA regulations! 


What does this mean for you… the IT person?

HIPAA is divided into three parts, called Safeguards. The three safeguards are Administrative, Physical and Technical. Can you guess which one of those you are well suited to help with? Yep, the technical aspects!

However, there is one caveat. In order to service and support these healthcare clients, YOUR business is also subject to HIPAA and the fines listed above. OUCH!

This simply means that you must know HIPAA, you must understand HIPAA, your business must be HIPAA compliant and you must protect the information, your client and your business with diligence.

The HIPAA Opportunity for MSPs

Now, here’s the real story. With the introduction of the Omnibus Rule, healthcare providers and any business that falls under HIPAA are required to use HIPAA compliant IT support by law! Let me say that again… healthcare clients are REQUIRED to use HIPAA compliant IT.

Do you know of any other examples where you can say that a business sector is legally required to use your services and support?

As these regulations settle in and fines are levied on healthcare providers, they are increasingly looking for IT providers who are HIPAA compliant and can help keep their clients' sensitive data secure. Are you beginning to see the opportunity here? Great! Now let’s open it up even more.


Business Associates Expand an MSP's Prospect Pool

In addition to healthcare providers, which are called Covered Entities, there is an even larger number of businesses that support Covered Entities; these are known as Business Associates. Not every business that services or supports a Covered Entity is a Business Associate, but many, like VARs, BDR vendors and cloud providers, are. Take a small doctor’s office, for example. That one Covered Entity (the doctor’s office) will probably have six to a dozen Business Associates it does business with.

Ready for the kicker? Those Business Associates, bound by HIPAA, must also use HIPAA compliant IT! Did you see what just happened? The number of potential clients for MSPs serving the healthcare vertical just increased exponentially!

With all of these potential clients looking for HIPAA compliant IT management, do you think there is a need there? An opportunity? Maybe the next big thing for your business?

I can tell you that it has been for my business. I got into healthcare heavily just before the Omnibus Rule came out. Since then, I’ve been able to grow my business like never before.

“It Won’t Happen To Me” Syndrome

Don’t get me wrong; it’s not as though clients are beating down my doors. Many healthcare providers are reluctant to change, and more still are reluctant to give HIPAA the attention it deserves, despite the extreme consequences. It’s what I call the “It won’t happen to me” syndrome. I’m sure you’ve seen it before. Maybe someone you knew died because of drunk driving… maybe you know someone who is divorced because of infidelity… maybe you know someone who was hurt while doing something stupid. All of these examples are people who thought it would never happen to them. After all, did you start a business with the intention of failing in less than 5 years? Yet so many start-ups never make it.

Even though the Omnibus Rule came out in January of 2013, adoption of it has been slow. This is good news for you! It means there is still time to take advantage of this lucrative opportunity. I can tell you, from the number of members being gained on a continual basis, that IT professionals recognize the business potential every day and work hard to learn how they can position themselves to capitalize on it.

You will hear more and more about HIPAA as time goes on. The way the regulation is structured, you may not have any healthcare clients but could still be liable and bound to its regulation. You can learn and embrace it now or you can run from it and hope it doesn’t find its way into your business later… after the real deals are all wrapped up.



But Wait, There's More!

HIPAA requires that Covered Entities - your prospective clients - have disaster recovery plans, constant monitoring, IT auditing, IT security, training and more. All of these requirements are monthly recurring revenue (MRR) streams. Even better, many require little work once set up and running properly. Stop running wide open day after day, chasing the next billable hour. As I’m writing this article, I have had three support tickets come in. Each one was handled without leaving my home office. I may not have a support ticket come in all day. A few times, I haven’t had a single support ticket all week… but my monthly recurring revenue never goes down.

Is it all easy? Nope!

Have I worked my butt off to get here? Yep!

Is there a lot of liability? Yep!

Will most IT pros and MSPs run from HIPAA? Probably, which just makes my business that much more in demand.

Would I go back to trading hours for dollars? Heck No!

Can you do it? Absolutely!

Now, I have time to grow my business even more. My clientele is high end and rarely do I ever have to send out late notices. Never have I had a client not pay an invoice. Here’s another shocker, I bill in advance. That’s right! I get paid before I do the work.

If you think all of this is just how I run my business and you can’t do the same, you’re wrong! I know dozens of HIPAA compliant MSPs and IT providers who have broken into the healthcare IT vertical and are making the same MRR. I didn’t come up with these ideas. I patterned them after other successful businesses along my journey.

The next big thing is here!

The real question is, are you going to take advantage of it this time or sit back and once again say, “Dang, I could’ve done that!”?
