A law firm can't hand its whole IT stack to an outside vendor and still tell an ethics board it controls client confidentiality. The same problem hits a CPA firm under the FTC Safeguards Rule, or a clinic bound by HIPAA. For regulated businesses, co-managed IT isn't a budget compromise - it's frequently the only model an auditor will sign off on. This guide covers why full outsourcing creates compliance risk, what your internal team has to keep, and how to structure a co-managed relationship that survives a regulatory review.
TL;DR: Co-Managed IT for Regulated Firms
- Co-managed IT splits the work. Internal staff keep control of access and policy while an outside provider handles tooling, monitoring, and overflow - the structure most regulated firms need to stay compliant.
- Compliance drives it, not cost. HIPAA, the FTC Safeguards Rule, and bar confidentiality duties all assume a named internal owner of data and access.
- You keep the keys. Admin credentials, data-access approvals, and the audit trail stay in-house.
- Auditors want a written split. A documented division of duties, not a handshake, is what passes review.
Why Full Outsourcing Creates Compliance Risk
The pitch for fully managed IT is simple: hand everything to a provider and stop thinking about it. That works for a marketing agency. It breaks the moment a regulator asks who approved a given person's access to protected records.
Most compliance regimes assume a responsible party inside the organization. HIPAA names a Security Official. The FTC Safeguards Rule requires a "Qualified Individual" who oversees the information security program. Bar association ethics opinions put the duty to safeguard client data on the firm, not its contractors. When an outside MSP holds every admin credential and the only copy of the access logs, the firm has handed away the evidence it needs to prove control. That's the gap auditors flag.
There's a second risk that rarely shows up until an incident: visibility. If a breach happens and the provider controls the SIEM, the email tenant, and the backup console, the firm is dependent on that vendor's goodwill to reconstruct what happened. Regulated firms that have lived through a breach notification, like the ones comparing notes in r/msp and r/sysadmin threads, describe the same lesson. You cannot answer a regulator's questions with data you don't hold.
Co-managed IT fixes the structural problem. The firm keeps the responsible-party role and the records that prove it, while the provider supplies the labor, the tooling, and the after-hours coverage a small internal team can't sustain alone.
What Your Internal Team Has to Keep Control Of
Co-managed doesn't mean splitting the work fifty-fifty. It means drawing a clear line around the functions a regulator expects you to own, then handing the rest to a partner. In regulated firms, the internal side keeps:
- Identity and access approvals. Who gets access to what, and the sign-off when access changes, stays with a named employee.
- The audit trail. Logs of access, changes, and security events live in a system the firm controls, not one only the provider can read.
- Data classification and retention rules. Deciding what counts as protected and how long it's kept is a firm policy decision.
- Incident command. The provider can run the response, but the call on breach notification belongs to the firm's compliance owner.
Everything else is fair game to delegate: patching, monitoring, help desk, endpoint management, backup operations, and project work. Our co-managed IT tool-ownership map breaks down who should hold each of those tools, category by category. The split mirrors what a strong internal admin would want anyway - keep the governance, offload the grind.
Co-Managed vs Fully Outsourced vs In-House
| Factor | In-House Only | Co-Managed | Fully Outsourced |
|---|---|---|---|
| Day-to-day operations | Internal staff | Shared with provider | Provider |
| Admin credentials | Internal | Internal holds master, provider gets scoped | Provider |
| Audit trail ownership | Firm | Firm | Provider (risk) |
| Compliance responsible party | Clear | Clear | Blurred |
| After-hours coverage | Hard to sustain | Provider fills gaps | Provider |
| Typical cost driver | Salaries | Salaries plus per-seat fee | Per-seat or flat fee |
| Best fit | Large internal team | Regulated SMBs | Low-compliance SMBs |
For a deeper look at the trade-off between bringing IT in-house and sending it out, the breakdown in Outsourced IT Support vs In-House IT walks through where each model pays off. Co-managed sits in the middle on purpose. For the full picture of how that middle ground works - what stays in-house and what goes to the MSP - start with our co-managed IT overview.
Co-Managed IT for Law Firms
Law firms carry a confidentiality duty that doesn't transfer to a vendor. ABA Model Rule 1.6 and the ethics opinions built on it require reasonable efforts to prevent unauthorized disclosure of client information, and several state bars have said outsourcing IT does not outsource that obligation. A firm still has to supervise the provider and keep control of the data.
In practice, that shapes the co-managed split. The firm's IT lead or office administrator holds the admin account for the document management system and the email tenant. The MSP handles the unglamorous load: patching, endpoint monitoring, ticket overflow during trial prep, and the security tooling a two-person internal team can't run around the clock. Matter-level access controls and conflict-wall enforcement stay configured by the firm, because those map directly to ethics requirements.
The threads in r/LawFirm asking about managed IT keep circling the same worry - lawyers want the help but won't accept a black box holding privileged files. Co-managed answers that directly. The provider never becomes the sole keeper of client data.
There's a practical billing angle too. A firm that controls its own document management system can run conflict checks and produce records for discovery on its own schedule, instead of waiting on a vendor's ticket queue during a deadline. Keeping that access internal isn't just a compliance line item; it's the difference between meeting a court date and missing one.
Co-Managed IT for Accounting and CPA Firms
Accounting firms got a sharper set of rules in recent years. The FTC Safeguards Rule, amended in 2021 with full compliance required from June 2023, applies to many tax and accounting practices and requires a written information security program, a designated Qualified Individual, access controls, encryption, multifactor authentication, and logging. IRS Publication 4557 layers on its own data-protection expectations for anyone handling taxpayer data.
Those rules name an internal owner, which is exactly why fully outsourcing fails an audit. A CPA firm can delegate the engineering, but the Qualified Individual has to be a real person inside the firm who can show they oversee the program. Co-managed makes that workable: the partner or controller wears the Qualified Individual hat and signs off on policy, while the provider runs encryption, monitoring, and the multifactor rollout the rule demands.
Tax season adds an operational reason on top of the compliance one. A four-person firm cannot staff for the February-to-April surge and the quiet summer at the same time. A co-managed provider absorbs the swing without the firm carrying year-round headcount it doesn't need eleven months out of twelve. For firms weighing what that coverage runs, the numbers in Cost of IT Support for a Small Business give a realistic baseline.
Co-Managed IT for Healthcare Practices
HIPAA is the strictest of the three regimes, and it's explicit about shared responsibility. Any provider that creates, receives, maintains, or transmits protected health information on the practice's behalf is a Business Associate and has to sign a Business Associate Agreement before it touches that data. That BAA is a hard requirement, not a nice-to-have, and it defines exactly what the provider may do with PHI.
For a clinic or small practice, co-managed IT and a BAA fit together cleanly. The practice keeps its Security Official role, controls who can open patient records, and holds the access logs the HIPAA Security Rule requires. The provider operates the EHR infrastructure, manages devices, and runs the technical safeguards - encryption at rest and in transit, automatic logoff, and audit logging - under the terms of the BAA. If the practice ever faces an Office for Civil Rights review, it can show both the signed agreement and its own records of who accessed what.
The compliance frameworks that govern healthcare, finance, and legal data overlap more than most firms expect. The Cybersecurity Frameworks List for MSPs maps how HIPAA, SOC 2, and the common control sets line up, which helps when a single firm has to satisfy more than one.
Data Residency and Access Controls Auditors Check
When a regulator or a client's security questionnaire arrives, two topics come up first: where the data lives, and who can reach it. Regulated firms lose deals and fail audits on these two points more than any other.
Data residency matters because some client contracts and some regulations restrict where information can be stored. A firm serving European clients may face GDPR data-transfer limits; a government contractor may need data kept in specific facilities. A co-managed setup lets the firm pick the hosting region and prove it, rather than discovering after the fact that a provider moved backups to a cheaper offshore data center.
Access controls are where most audit findings land. The controls a reviewer expects to see documented:
- Least privilege by default. Every account, including the provider's, gets the minimum access the job needs and nothing more.
- Named accounts, never shared. No generic "admin" login that three technicians use - each action ties to a person.
- Multifactor on everything. Especially on remote access and the provider's connections into your environment; the Safeguards Rule makes MFA a requirement for anyone accessing customer information, not a recommendation.
- Reviewable, tamper-evident logs. The firm can pull an access report on its own, without asking the vendor first.
Co-managed IT keeps these honest because the firm holds the master credentials and grants the provider scoped, time-bound access. That single design choice answers most of a security questionnaire before it's even asked.
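The following is an added example, not code from the original page or from any vendor's product: a small Python audit that runs the firm's own copy of an access log against the four controls listed above and shows how a hash-chained log lets the firm detect edits or deletions without asking the provider. The log record format, the grant format, the generic account names, and every account, resource and timestamp are constructed for the example and are assumptions, not a real product's schema.

```python
"""Access-control audit over a constructed access log.

Added example (not from the original page or any vendor): checks the
firm's copy of the access log for generic logins, remote access without
MFA, and provider activity outside its scoped, time-bound grant, then
hash-chains the log so tampering is detectable. Everything below is
constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

# Generic logins that defeat "named accounts, never shared"
# (assumption: the firm treats any use of these as a finding).
GENERIC_ACCOUNTS = {"admin", "administrator", "root", "helpdesk"}

# Scoped, time-bound grants the firm issued to provider technicians.
# Hypothetical format: account -> (window start, window end, allowed resources).
PROVIDER_GRANTS = {
    "msp.jdoe": (
        datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc),
        datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
        {"rmm-console", "backup-console"},
    ),
}

# Constructed access records in the shape the audit expects.
SAMPLE_LOG = [
    {"ts": "2024-03-04T18:30:00Z", "account": "jsmith", "party": "firm",
     "resource": "dms", "remote": False, "mfa": True},
    {"ts": "2024-03-04T19:05:00Z", "account": "msp.jdoe", "party": "provider",
     "resource": "rmm-console", "remote": True, "mfa": True},
    {"ts": "2024-03-04T23:10:00Z", "account": "msp.jdoe", "party": "provider",
     "resource": "rmm-console", "remote": True, "mfa": True},   # outside window
    {"ts": "2024-03-04T19:20:00Z", "account": "msp.jdoe", "party": "provider",
     "resource": "dms", "remote": True, "mfa": True},           # out of scope
    {"ts": "2024-03-04T20:00:00Z", "account": "admin", "party": "firm",
     "resource": "email-tenant", "remote": True, "mfa": False},  # generic, no MFA
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(records, grants=PROVIDER_GRANTS):
    """Return a list of (control, account, detail) findings."""
    findings = []
    for rec in records:
        when = _parse_ts(rec["ts"])
        if rec["account"] in GENERIC_ACCOUNTS:
            findings.append(("named-accounts", rec["account"], "generic login used"))
        if rec["remote"] and not rec["mfa"]:
            findings.append(("mfa", rec["account"], "remote access without MFA"))
        if rec["party"] == "provider":
            grant = grants.get(rec["account"])
            if grant is None:
                findings.append(("least-privilege", rec["account"], "no grant on file"))
                continue
            start, end, scope = grant
            if not (start <= when <= end):
                findings.append(("time-bound", rec["account"],
                                 f"access at {rec['ts']} outside approved window"))
            if rec["resource"] not in scope:
                findings.append(("least-privilege", rec["account"],
                                 f"{rec['resource']} not in granted scope"))
    return findings


def build_chain(records):
    """Hash-chain the records: each entry commits to its predecessor's hash."""
    entries = []
    prev = "0" * 64
    for rec in records:
        payload = json.dumps(rec, sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        entries.append({"record": rec, "prev": prev, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries):
    """True only if every entry still matches its content and its predecessor."""
    prev = "0" * 64
    for entry in entries:
        payload = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    for control, account, detail in audit(SAMPLE_LOG):
        print(f"[{control}] {account}: {detail}")
    chain = build_chain(SAMPLE_LOG)
    print("chain intact:", verify_chain(chain))
    # Someone quietly moves the out-of-window provider login inside the window.
    tampered = [dict(e) for e in chain]
    tampered[2]["record"] = dict(tampered[2]["record"], ts="2024-03-04T21:10:00Z")
    print("after edit:", verify_chain(tampered))
```

The point of the chain is ownership, not cryptographic novelty: if the firm stores the chain head (the last hash) somewhere the provider cannot write, any later rewrite or deletion of a provider session in the log fails verification, and the firm can prove it from its own records during a review.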
How to Structure a Co-Managed Agreement Auditors Accept
A co-managed relationship that passes review is written down, not assumed. Start with a responsibility matrix - a simple table listing each function and marking who is responsible, who approves, and who gets informed. Auditors love this document because it answers their core question on one page: who owns what.
Pin down four things in the contract. First, credential ownership - the firm holds master admin accounts and the provider works through scoped, logged access. Second, log access - the firm can retrieve its own audit data at any time without a support ticket. Third, the right compliance paperwork - a BAA for healthcare, Safeguards Rule alignment for accounting, confidentiality terms for legal. Fourth, an exit clause that returns all data and revokes provider access cleanly, so the firm is never locked in by the vendor that holds its records.
Before signing, run the provider through the same scrutiny you'd give any vendor with access to sensitive systems. Ask where the support team sits, whether technicians work under named accounts, how the provider stores its own copy of your credentials, and what happens to your data the day the contract ends. A provider that can't answer those quickly hasn't worked with regulated clients before, and a regulated firm is the wrong place to be that provider's first lesson.
Where OpenFrame Fits for Regulated Co-Managed IT
OpenFrame is an AI-native all-in-one MSP and IT platform, built for MSPs and available directly to internal IT teams. For co-managed work in regulated verticals, two things matter. It ships native PSA, RMM, and endpoint management in one place, so a small internal team and its provider work from the same system instead of stitching together five consoles with five sets of logs. And it's designed around no vendor lock-in - the firm keeps control of its own data and a full audit trail, rather than depending on a provider's goodwill to see what happened in its own environment.
That last point lines up with the compliance reality described above. A co-managed model only holds up when the firm, not the vendor, can answer the auditor's questions. A single platform with one audit trail also means the responsibility matrix maps to something real: each action is attributable, and the firm can pull its own report without filing a request with the provider. OpenFrame is priced to fit the small regulated firms - clinics, two-partner law offices, boutique CPA shops - that need real coverage without enterprise tooling budgets, which is the segment that gets squeezed hardest when the only options are a full in-house team or a vendor that takes the keys.
Frequently Asked Questions
What is co-managed IT?
Co-managed IT is a model where an internal IT person or team shares responsibilities with an outside provider. The firm keeps governance - access approvals, policy, and audit records - while the provider supplies tooling, monitoring, help desk, and after-hours coverage the internal team can't sustain alone.
Is co-managed IT better than fully outsourced for compliance?
For regulated firms, usually yes. HIPAA, the FTC Safeguards Rule, and legal confidentiality duties all assume a named internal owner of data and access. Co-managed keeps that owner in place, while fully outsourcing can blur who is responsible and who holds the audit trail.
How much does co-managed IT cost?
Most providers charge a per-seat or per-device fee on top of the firm's existing internal salaries, since the provider supplements rather than replaces staff. The price depends on coverage hours, security tooling, and headcount, but it usually runs below a second full-time hire.
Does co-managed IT work for small law firms?
Yes, and it fits them well. A small firm often has one IT-savvy administrator who can hold credentials and approve access but can't run security tooling around the clock. A co-managed provider fills that gap while the firm keeps control of privileged client data.
What should be in a co-managed IT agreement for a regulated firm?
A responsibility matrix, master credential ownership by the firm, self-service access to audit logs, the right compliance paperwork (a BAA for healthcare, Safeguards alignment for accounting), and an exit clause that returns all data and revokes provider access cleanly.
Who is responsible for a data breach under co-managed IT?
The firm keeps the legal responsible-party role for its regulated data, which is why co-managed structures it to retain the audit trail and incident command. The provider's duties are defined in the contract or BAA, but notification decisions stay with the firm's compliance owner.
Regulators don't ask whether you outsourced your IT. They ask whether you kept control of your data - and for law firms, CPA shops, and clinics, co-managed is the cleanest way to answer yes.
Kristina Shkriabina
Kristina runs content, SEO, and community at Flamingo and OpenMSP. She spent years as a correspondent for Ukraine's Public Broadcasting Company before making the jump to tech. Now she covers MSP stack decisions and strategy. You can connect with her in the OpenMSP community or on LinkedIn.
