Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The short answer: generic MSPs cannot carry a behavioral health compliance load
Behavioral health and medical practices need specialized managed IT because generic MSPs do not configure environments for HIPAA, do not build for 42 CFR Part 2, and will not sign a Business Associate Agreement that actually covers PHI workflows. That gap shows up in OCR investigations, state licensure surveys, and payer SIU audits.
The numbers are not small. In its 2024 Report to Congress, HHS Office for Civil Rights confirmed that OCR opened investigations into all 663 large breaches occurring in 2024 and resolved 785 data breach investigations, including 12 with resolution agreements, corrective action plans, and monetary settlements or civil monetary penalties. Former OCR Director Melanie Fontes Rainer confirmed on December 31, 2024 that 22 enforcement actions were closed by OCR in 2024 with either settlements or civil monetary penalties, and inadequate risk analysis was the most-cited violation in that enforcement class.
Medical and behavioral health operators sit on diagnoses, prescriptions, mental health records, and SUD information. One misconfigured server. One unencrypted email. One successful phishing click. Any of those turns PHI into a reportable breach, and the operational picture is just as bad. Front desk staff who cannot reach the schedule. Providers who drop a telehealth session mid-visit. Billers locked out of the practice management system. An MSP that mostly supports retail shops and law firms has never sat through a state licensure survey in Florida, a CARF EOC tour in Tennessee, or a Medicaid SIU audit in Arizona or Utah.
What HIPAA-compliant IT actually looks like inside a clinical environment
The phrase HIPAA-compliant gets used loosely. OCR writes the Security Rule, and it is specific. A defensible environment includes encrypted communications at every layer, role-based access controls with audit trails, a documented risk analysis, tested backups, and a current Business Associate Agreement for every vendor that touches PHI.
Risk analysis is where most operators get caught. OCR launched a formal Risk Analysis Initiative in October 2024 for a reason. Then-OCR Director Melanie Fontes Rainer put it plainly in the announcement: “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware.“ The initiative was driven by a 264% increase in reported large breaches involving ransomware attacks since 2018.
The dollars show what that translates into. In its January 2025 look-back, WilmerHale reported that in the final months of 2024 OCR reached a $1.19 million settlement with Gulf Coast Pain Consultants and a $3 million settlement with Solara Medical Supplies for their alleged failure to conduct accurate and thorough risk analyses, among other purported Security Rule violations. IBM’s 2024 Cost of a Data Breach Report puts the healthcare average breach cost at $9.77 million, the 14th consecutive year healthcare has led all industries. Documented controls beat clever explanations every time, whether the auditor showed up from OCR, the DEA, or a state Medicaid SIU.
Microsoft 365 is not HIPAA-compliant out of the box. Your tenant has to be configured.
Microsoft 365 can absolutely run inside a HIPAA-eligible environment. It does not arrive that way. Microsoft states directly on its compliance page that the Microsoft HIPAA Business Associate Agreement is available through the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA.
That contract does not configure your tenant. You do. Microsoft is direct about the shared model. Its HIPAA documentation states plainly: “Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations.“ Microsoft also states that using Microsoft services doesn’t on its own achieve HIPAA compliance, and that the customer owns internal processes and configuration.
When my team builds a Microsoft 365 environment for a behavioral health client in Florida or Arizona, we configure Exchange Online with Data Loss Prevention policies that detect PHI in outbound mail, deploy Intune to enforce encryption and remote wipe across the device fleet, segment SharePoint and OneDrive by role, and turn on Defender for real-time threat monitoring. Teams becomes the secure communication backbone. SharePoint becomes the policy and clinical-document library with version control and access logging, the kind a Joint Commission or CARF surveyor will actually want to see during an EOC tour. None of that happens by clicking through a setup wizard.
Behavioral health carries a second compliance regime: 42 CFR Part 2
Substance use treatment providers are not just HIPAA-regulated. They are also bound by 42 CFR Part 2, enforced by OCR in coordination with SAMHSA. HHS confirms that the 2024 final rule updating 42 CFR Part 2 was effective April 16, 2024, with compliance required by February 16, 2026. The alignment with HIPAA is not a relaxation. The National Association of Community Health Centers summarizes the shift bluntly: prior to the 2024 Final Rule, violations of 42 CFR Part 2 were subject only to criminal penalties, and the 2024 Final Rule aligns Part 2 enforcement with HIPAA by providing for both civil and criminal penalties, and it applies the HIPAA Breach Notification Rule requirements to breaches affecting Part 2-protected records.
Practically, IT systems holding SUD records in Tennessee or Florida now have to support patient-consent tracking, redisclosure notices, and breach reporting in ways most general MSPs have never built before. The DEA sits in the background for any program prescribing buprenorphine, and telehealth platforms (SimplePractice, TherapyNotes, Doxy.me, Zoom for Healthcare) each carry distinct technical and BAA requirements.
One more detail operators miss: on August 25, 2025, the HHS Secretary delegated to the Director of OCR the authority to administer and enforce Part 2. The same office that fined Gulf Coast Pain Consultants $1.19 million is the office that will read your Part 2 policies.
How to evaluate a managed IT partner before you sign the MSA
If you are evaluating providers, do not lead with price or response time. Lead with healthcare experience. Ask directly: how many of your current clients are medical or behavioral health practices? Will you sign a BAA, and can you walk me through your last HIPAA risk analysis for a similar client? Can you produce documentation that would hold up in front of an OCR investigator, a Joint Commission surveyor, CARF, or Florida AHCA?
Then look at the dollars. IBM’s 2024 report noted that the average cost for a healthcare breach was $9.8 million, and the sector has held the top spot as the most expensive industry for data breaches since 2011. If a prospective MSP hesitates on a BAA, treats risk analysis as a one-time exercise, or cannot name the in-scope services under Microsoft’s HIPAA BAA, you have your answer.
Look for proactive monitoring (patching, alerts, log review) instead of break-fix response. Look for Microsoft credentialing tied to actual healthcare deployments. Look for flat-rate pricing with clear terms about what triggers add-ons. My clients across Florida, Tennessee, Arizona, and Utah who sleep at night share the same short list: a current Microsoft BAA they can produce on demand, a documented annual risk analysis, MFA enforced on every account, encrypted and tested backups, and an MSP who picks up the phone when a surveyor from CARF, the Joint Commission, or Florida AHCA walks in the door.
Frequently asked questions
Is Microsoft 365 HIPAA-compliant out of the box?
No. Microsoft offers a Business Associate Agreement covering in-scope services (Exchange Online, SharePoint Online, OneDrive for Business, Teams), and Microsoft confirms the HIPAA BAA is available through the Microsoft Online Services Data Protection Addendum by default to covered entities and business associates. Microsoft itself is explicit that the customer is “wholly responsible for ensuring compliance with all applicable laws and regulations,” and that using its services “doesn’t on its own achieve HIPAA compliance.” You still have to configure DLP, MFA, encryption, access controls, audit logging, and Intune device policies before storing PHI, and you have to produce that documentation for OCR, the Joint Commission, CARF, or a state licensure body.
What kind of HIPAA fines has OCR imposed recently on medical and behavioral health practices?
OCR closed 22 enforcement actions with settlements or civil monetary penalties in 2024. Recent examples include a $1.19 million settlement with Florida-based Gulf Coast Pain Consultants and a $3 million settlement with Solara Medical Supplies, both tied to alleged failures to conduct accurate and thorough risk analyses. HHS also collected $7,813,831 in penalties in 2024 to resolve HIPAA violations uncovered through breach investigations, plus a further $950,000 penalty stemming from a media-report investigation.
Does 42 CFR Part 2 add IT requirements beyond HIPAA for SUD providers?
Yes. The 2024 SAMHSA/OCR Final Rule took effect April 16, 2024, and compliance was required by February 16, 2026. The final rule aligns Part 2 enforcement with HIPAA and applies HIPAA Breach Notification Rule requirements to breaches affecting Part 2-protected records. HHS delegated Part 2 enforcement authority to OCR on August 25, 2025, so your IT environment has to support consent tracking, redisclosure notices, and breach reporting for SUD records, not just general PHI.
What is the single biggest IT-related enforcement risk facing behavioral health practices right now?
Inadequate risk analysis. OCR launched its Risk Analysis Initiative in October 2024, driven by a reported 264% increase in large healthcare breaches involving ransomware since 2018. In the first six months of the initiative, seven enforcement actions were announced, every one of them tied to a finding that the regulated entity failed to conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI. Under-trained staff, disabled MFA, and untested controls are what move a practice from a near-miss to a reportable incident.
References
- HHS Office for Civil Rights: Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records or “Part 2”
- HHS Fact Sheet: 42 CFR Part 2 Final Rule
- Microsoft Learn: HIPAA and HITECH Act compliance
- IBM Newsroom: 2024 Cost of a Data Breach Report
- HIPAA Journal: OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024
- Eckert Seamans: First Enforcement Action Under the HIPAA Security Rule Risk Analysis Initiative
- WilmerHale: Health Data Privacy & Security: A Look Back at the Final Enforcement Push From HHS
- NACHC: 42 CFR Part 2 Confidentiality of SUD Records Fact Sheet