Healthcare clients are some of the best backup customers an MSP can have: they're required by law to protect their data, they budget for compliance, and they rarely churn. But serving them means understanding what HIPAA actually demands of a backup service — and what it demands of you as a business associate.
Backup is not optional under HIPAA
The HIPAA Security Rule contains an explicit data backup plan requirement (45 CFR §164.308(a)(7)): covered entities must "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." A disaster recovery plan and emergency-mode operation plan are required alongside it. In plain terms: a medical practice without working, restorable backups isn't just risking data — it's out of compliance. That's your opening conversation.
What the backup platform must provide
- Encryption in transit — TLS 1.2 or newer for every transfer
- Encryption at rest — AES-256, ideally with per-tenant keys so one customer's breach can't touch another's data
- Access controls — MFA/SSO, role-based access, least-privilege defaults
- Audit logging — who accessed or restored what, and when
- Retention and versioning — point-in-time restores, immutable copies, legal-hold support
- Ransomware resilience — object-lock or otherwise unalterable backup copies
Our infrastructure page details how these controls are implemented on our platform — encryption everywhere, per-tenant keys, immutable retention, and segmented networks.
The BAA chain: don't skip a link
When you back up a healthcare client's data, you become their business associate, and your backup provider becomes your subcontractor business associate. HIPAA requires a signed Business Associate Agreement at each link: client → you, and you → your platform provider. If your backup vendor won't sign a BAA, you cannot compliantly store PHI with them — full stop. (We provide BAAs on request.)
What compliance requires of your process
HIPAA compliance is a property of the whole system, not a product feature. A compliant platform misconfigured is still a violation. Your operating procedures need to cover:
- Documented backup schedules and retention policies per client
- Regular test restores, with results recorded (auditors ask)
- Access reviews — who on your team can see PHI, reviewed quarterly
- A breach-notification procedure with defined timelines
- Workforce training records for anyone touching healthcare accounts
Selling it: compliance as a package, not a feature
Don't sell healthcare clients "backup with HIPAA support" — sell a compliance package: encrypted offsite backup, quarterly restore tests, retention configured to their policy, audit-ready reports, and a signed BAA. Price it above your standard tier; the value (and your liability) is higher. Pricing structure ideas are covered in How MSPs Should Price Backup Services.
A note on honesty
No vendor can sell you "HIPAA compliance" outright, ours included — compliance depends on configuration, procedures, and paperwork on your side. What a platform can do is give you controls that make compliance achievable and a BAA that makes it legal. Be skeptical of anyone who promises more, and be equally skeptical of a "white label" that leaks another vendor's name into a compliance-sensitive relationship (see White Label vs. Co-Branded Backup).