HIPAA (the Health Insurance Portability and Accountability Act) governs the privacy and security of protected health information (PHI) in the United States. The Security Rule's administrative, physical, and technical safeguards have specific control expectations; the Privacy Rule and the Breach Notification Rule add further layers.
For MSPs serving US healthcare practices — dental offices, family medicine, specialty clinics, behavioural health, pharmacy chains, primary care networks — HIPAA evidence collection has to scale across many client tenants without enterprise pricing. The MSP also typically signs a Business Associate Agreement (BAA), making the MSP's own posture part of the compliance picture.
What to look for
- Direct HIPAA Security Rule control mapping. Controls should map directly to the Security Rule's 45 CFR §164.308, §164.310, §164.312, §164.314, and §164.316 — the administrative, physical, technical, organizational, and policies & procedures safeguards.
- Multi-tenant for MSPs. One console for all client tenants with per-client isolation, billing, and co-branded reports. Not a single-tenant Vanta / Drata-style product.
- Continuous endpoint and cloud evidence. PHI lives on Windows / macOS / Linux endpoints and in M365 / Google Workspace tenants. Evidence has to come from those sources continuously, not a quarterly questionnaire.
- Business Associate Agreement awareness. The platform should be deployable in a way compatible with the MSP's BAA obligations and provide the access logging the BAA expects.
- Risk Analysis and Risk Management evidence. The Security Rule requires a documented Risk Analysis and Risk Management process. The platform should produce both.
- Breach Notification Rule support. Evidence to support 60-day breach notification timelines, including affected-individual identification and the supporting log basis.
- Audit-firm credibility. Look for platforms built or used by audit firms with healthcare-compliance experience.
Options to evaluate
Lavawall®
Multi-tenant MSP platform with HIPAA as a first-class framework
Direct HIPAA Security Rule mapping. Continuous evidence from Windows / macOS / Linux endpoints and M365 / Google Workspace tenants. Multi-tenant by design with per-client isolation and co-branded reports. Risk Analysis and Risk Management workflow templates. Audit logging structured for Breach Notification Rule timelines. Built and used by ThreeShield, an audit firm with healthcare-compliance experience including HIPAA, BC HIA, and Alberta HIA.
Best when: MSPs serving US healthcare practices that want one platform for HIPAA evidence and the broader security stack.
Compliancy Group / HIPAA Secure Now / Accountable HQ
Healthcare-focused HIPAA tools
Healthcare-focused HIPAA tools popular in the dental and primary-care space. Strong on documentation and questionnaire workflow; lighter on continuous endpoint and cloud evidence collection.
Best when: Healthcare practices with limited IT and a need for guided HIPAA documentation.
Vanta / Drata / Secureframe
Single-tenant SaaS GRC with HIPAA module
GRC platforms aimed at single-tenant SaaS companies, with HIPAA framework modules. Strong onboarding for a single SaaS company; not designed for MSP multi-tenant delivery.
Best when: Single SaaS companies handling PHI under a BAA with their customers.
SharePoint + Excel + audit-firm engagement
Documentation-led approach
Many small healthcare practices are still on this model. Works for the smallest practices; does not scale to MSP service delivery across many tenants.
Best when: Single very small healthcare practices with their own audit relationship.
How Lavawall® fits
Lavawall® treats the HIPAA Security Rule as a first-class framework. It maps directly to the 45 CFR §164.308 (administrative), §164.310 (physical), §164.312 (technical), §164.314 (organizational), and §164.316 (policies and procedures) safeguards.
Continuous endpoint and cloud evidence: encryption posture, audit logging, access control, password policies, MFA enforcement, automatic logoff, integrity controls, transmission security, workstation security, and removable-media handling are all collected from the actual Windows / macOS / Linux endpoints and M365 / Google Workspace tenants.
Multi-tenant by design: an MSP serving 30 dental practices and 5 primary-care clinics manages all of them from one console with per-client isolation. Reports can be co-branded for the practice owner. ThreeShield, the audit firm that built Lavawall®, has direct healthcare-compliance experience.
Frequently asked
- Does Lavawall® replace my BAA?
- No. The Business Associate Agreement is a contract between the covered entity and the business associate. Lavawall® provides the technical and administrative evidence supporting the controls the BAA covers.
- Does Lavawall® cover the Privacy Rule and the Breach Notification Rule?
- The Security Rule is mapped directly. Privacy Rule and Breach Notification Rule controls overlap with administrative safeguards and are supported in evidence collection (audit logs, access logs, disclosure tracking).
- Can the MSP itself be HIPAA-compliant?
- An MSP is typically a Business Associate under HIPAA when it handles PHI as part of its service. Lavawall® produces the evidence the MSP needs for its own BAA-required posture and for the client's Covered Entity controls.