I have a medical practice client that is violating HIPAA on so many levels it is frightening. As their MSP I have advised the office manager of these violations and I get the same answer every time "I know, I know".
As their MSP, am I in any way liable if they are audited? Can any of this come back and bite me in the ass?
We perform annual audits and assessments for Massachusetts Data Protection Laws, HIPAA, PCI, etc., etc. We clearly document and provide a comprehensive report stating the client's risks and shortfalls as well as the plan to remediate those issues. It is a "We told you so" and a CYA on our part which limits liability. Our MSA contracts also have verbiage in there for these instances for liability if the client cannot keep their site up to our standards. We also have the client sign off on the assessment, which proves they were aware of the issues and the steps to resolve them. The onus is now on them, and it is their business under the laws and requirements of the regulations to comply. Not ours.
The synopsis provided by Datalyst is spot-on. You can also read it as: if your MSA contract fails to spell out the delineation of your liability or theirs, or if you do not prove a best-effort attempt to warn clients of potential/existing HIPAA infractions and a remediation plan to resolve the problems identified, it can indeed 'come back and bite [you] in the ass'. *Remember that email/voicemail/ticket communication will not suffice if your company is called into court; only a signed/mailed/in-some-way indisputable document with clearly and precisely spelled-out verbiage about violations with remediation examples will count.*
If your MSA is solid, then take it as an opportunity to provide additional project support.
On a side-note: if you are in any way managing data or systems that are maintained under strict HIPAA compliance and you are not officially certified, stop. Inform the client about legal liability and use it as an opportunity to establish a new MSA contract.
This, of course, is just MHO.