Compliance / HIPAA

HIPAA for MSPs

If any client handles protected health information, HIPAA's Security Rule reaches your MSP the moment you touch their systems — business associate agreement or not.

Why this reaches an MSP, not just the client

A dental office, a therapy practice, a small clinic — healthcare clients this size are common MSP business, and HIPAA doesn't have a small-practice exemption for the technical safeguards a vendor with system access is expected to support: access controls, audit logging, encryption in transit and at rest.

What the Nexus compliance module tracks

  • Technical safeguard posture — access control, audit controls, integrity, transmission security — tracked per client, not assumed
  • Every write action across the platform is audit-logged, which is itself part of the evidence a BAA conversation asks for
  • Encrypted secrets and per-tenant data isolation (PostgreSQL row-level security) are platform defaults, not a HIPAA-specific mode you have to remember to turn on
  • Gap reporting flags what's implemented versus still open, so a HIPAA conversation with a client starts from real posture, not a template checklist

This describes what the module tracks against HIPAA — not a claim that Nexus or any client on it is certified or audited against it. See the compliance & QBR module for the full picture, or read the blog for more on how we think about compliance tooling.

Ready to see HIPAA posture tracked for real?

Join the design-partner cohort and we'll walk through the control mapping for your own clients.