Healthcare clients are some of the best backup customers an MSP can have: they're required by law to protect their data, they budget for compliance, and they rarely churn. But serving them means understanding what HIPAA actually demands of a backup service — and what it demands of you as a business associate.

Backup is not optional under HIPAA

The HIPAA Security Rule contains an explicit data backup plan requirement (45 CFR §164.308(a)(7)): covered entities must "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." A disaster recovery plan and emergency-mode operation plan are required alongside it. In plain terms: a medical practice without working, restorable backups isn't just risking data — it's out of compliance. That's your opening conversation.

What the backup platform must provide

  • Encryption in transit — TLS 1.2 or newer for every transfer
  • Encryption at rest — AES-256, ideally with per-tenant keys so one customer's breach can't touch another's data
  • Access controls — MFA/SSO, role-based access, least-privilege defaults
  • Audit logging — who accessed or restored what, and when
  • Retention and versioning — point-in-time restores, immutable copies, legal-hold support
  • Ransomware resilience — object-lock or otherwise unalterable backup copies

Our infrastructure page details how these controls are implemented on our platform — encryption everywhere, per-tenant keys, immutable retention, and segmented networks.

The BAA chain: don't skip a link

When you back up a healthcare client's data, you become their business associate, and your backup provider becomes your subcontractor business associate. HIPAA requires a signed Business Associate Agreement at each link: client → you, and you → your platform provider. If your backup vendor won't sign a BAA, you cannot compliantly store PHI with them — full stop. (We provide BAAs on request.)

What compliance requires of your process

HIPAA compliance is a property of the whole system, not a product feature. A compliant platform misconfigured is still a violation. Your operating procedures need to cover:

  • Documented backup schedules and retention policies per client
  • Regular test restores, with results recorded (auditors ask)
  • Access reviews — who on your team can see PHI, reviewed quarterly
  • A breach-notification procedure with defined timelines
  • Workforce training records for anyone touching healthcare accounts

Selling it: compliance as a package, not a feature

Don't sell healthcare clients "backup with HIPAA support" — sell a compliance package: encrypted offsite backup, quarterly restore tests, retention configured to their policy, audit-ready reports, and a signed BAA. Price it above your standard tier; the value (and your liability) is higher. Pricing structure ideas are covered in How MSPs Should Price Backup Services.

A note on honesty

No vendor can sell you "HIPAA compliance" outright, ours included — compliance depends on configuration, procedures, and paperwork on your side. What a platform can do is give you controls that make compliance achievable and a BAA that makes it legal. Be skeptical of anyone who promises more, and be equally skeptical of a "white label" that leaks another vendor's name into a compliance-sensitive relationship (see White Label vs. Co-Branded Backup).