PSA for MSPs serving healthcare practices
Per-tenant database isolation, AES-256-GCM at rest, full audit logging, MFA + SAML SSO, and a Business Associate Addendum available on request. The control set you need when the practice is asking what happens to PHI if your PSA gets breached.
Why healthcare IT is different
The practice doesn't care about your PSA. The practice cares about HIPAA, about the BAA chain, about what happens if there's a breach. Your PSA is a sub-processor in their compliance documentation. The control set you can demonstrate determines whether they sign with you.
Controls relevant to HIPAA-aligned operation
OriginPSA is not a HIPAA covered entity itself; we operate as a sub-processor under a Business Associate Addendum with the MSP. The controls below are the ones a covered entity's compliance officer typically asks about during procurement.
Per-Tenant Database Isolation
Each healthcare customer's data lives in a dedicated MySQL database. PHI doesn't sit in a shared row pool with row-level filters that could leak through a query bug. Practice A's data can never be accidentally exposed to Practice B's session.
AES-256-GCM Encryption at Rest
PII fields (phone, address, contact details) and integration tokens (M365 OAuth, RMM API keys) are encrypted with authenticated AES-256-GCM. The encryption key is managed separately from the database. Key rotation is on demand, with a 30-day rollback window.
Comprehensive Audit Logging
Every action on a record, read or write — ticket viewed, contact updated, invoice opened — is logged with user, IP and timestamp. The audit log is decrypt-on-read, so even DB-level access doesn't expose PII without the key. Per-entity audit views on every customer, ticket, invoice and project.
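As an added illustration of the field-level AES-256-GCM encryption and the decrypt-on-read audit log described above (example code, not OriginPSA's own implementation): a versioned keyring where every stored blob names the key it was written with, so an on-demand rotation keeps old records readable and rolling back is just keeping the previous key in the ring. The Keyring type, the "v<n>:" prefix and the tenant/field additional-data layout are assumptions for this example; the page does not say how the product identifies keys or implements its rollback window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// Keyring maps key version -> 32-byte AES key; retired versions stay in the ring for the rollback window.
type Keyring struct{ Current int; Keys map[int][]byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt stores "v<ver>:" + base64(nonce || ciphertext || tag); the AAD ties the blob to tenant and column.
func (k *Keyring) Encrypt(tenant, field, plaintext string) (string, error) {
	gcm, err := gcmFor(k.Keys[k.Current])
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh 96-bit nonce per record; never returns an error since Go 1.24
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(tenant+"\x00"+field))
	return "v" + strconv.Itoa(k.Current) + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt is the decrypt-on-read step: it uses whichever key version the blob names, so records
// written before a rotation (or after a rollback) still open; a blob moved to another tenant or field fails.
func (k *Keyring) Decrypt(tenant, field, blob string) (string, error) {
	ver, b64, _ := strings.Cut(blob, ":")
	v, _ := strconv.Atoi(strings.TrimPrefix(ver, "v"))
	gcm, err := gcmFor(k.Keys[v]) // unknown version -> nil key -> KeySizeError
	raw, derr := base64.StdEncoding.DecodeString(b64)
	if err != nil || derr != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("unknown key version or malformed blob")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(tenant+"\x00"+field))
	if err != nil {
		return "", errors.New("authentication failed") // wrong key, tenant, field or tampering
	}
	return string(pt), nil
}
```

Because the tenant and column name are authenticated as additional data rather than encrypted, a ciphertext copied between rows of two practices' databases is rejected at the tag check, which is the property a decrypt-on-read audit log relies on.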
Role-Based Access Control
300+ granular permissions on 98 modules. Define a 'practice manager' role that sees billing but not technical tickets; a 'practice IT contact' role that sees tickets but not invoices. Per-contact portal scoping for the practice's portal users too.
TOTP MFA + SAML SSO
TOTP MFA for both staff and customer-portal users. SAML SSO against Entra ID, Google Workspace and Okta, so the practice's own IdP enforces the second factor. MFA secrets are encrypted at rest.
ClamAV + Upload Hardening
Every file upload runs through ClamAV before it's accepted. Magic-byte type detection + extension allowlist blocks executables. Archive contents inspected — no zipped-up malware can sneak through.
How healthcare-IT MSPs typically run OriginPSA
- BAA on request. Business Associate Addendum available for execution before any PHI flows. Sub-processor list published at /legal/subprocessors — review it with your compliance officer before signing.
- Multi-site practices with shared IT. One practice group with five locations can run as one OriginPSA customer with five site addresses, OR as five customers with shared portal admins. Whichever matches the contractual structure with the practice.
- Project-track HIPAA remediation work. Annual risk assessments, security audits, and remediation projects get real project records — phases, milestones, signed change orders, customer-portal status visibility — so the practice's compliance officer can see progress without filing tickets.
- Email + ticket retention. Configurable per-tenant retention policies on the email queue and ticket history. Retention periods are set from the settings page to match HIPAA's documentation retention requirements; the audit log captures every change.
The BAA path
BAA execution happens before any PHI flows through OriginPSA. The form is available on request. Sub-processor list published at /legal/subprocessors; the DPA at /legal/dpa. SLA at /legal/sla.
SOC 2 / HITRUST attestations: not in scope today. We document equivalent controls transparently on the security page. For practices that require a formal attestation, talk to us early; it is on the roadmap for the larger customer tier.