What Questions Should You Ask Before Signing a Managed IT Contract?

A managed IT contract is a multi-year commitment that affects every aspect of your community's operations: care delivery, compliance posture, staff productivity, and financial predictability. Signing the wrong contract, or signing a reasonable contract without understanding its boundaries, creates problems that surface months later when it is too late to renegotiate. Our complete guide to managed IT for senior living provides the full evaluation framework for choosing a provider.

These ten questions are the ones that separate operators who are satisfied with their IT provider from operators who feel trapped by one. Ask every question before signing. If the provider cannot answer clearly, that tells you something important about how they operate.

What Questions Should You Ask Before Signing a Managed IT Contract?

Before signing, ask about scope boundaries, Service Level Agreement (SLA) specifics for life-safety and clinical systems, Health Insurance Portability and Accountability Act (HIPAA) compliance deliverables, data ownership provisions, and termination terms including transition assistance. These five categories cover the contract provisions that cause the most disputes between senior living operators and IT providers.

According to VC3's managed IT contract guide, the most common source of frustration with IT providers is not poor technical work. It is misaligned expectations about what the contract covers. A provider may deliver competent technical support while the operator expected compliance documentation, vendor management, and strategic planning that were never included in the agreement. The questions below eliminate that ambiguity.

Scope and Cost Questions

1. What is included in the monthly fee and what is billed separately? This is the most important question in the contract. The answer defines your actual cost of IT, not just the monthly invoice. Cone's 2025 MSP contract guide notes that the most common contract disputes originate from ambiguous scope definitions. Get a written list of covered services versus billable work. If "it depends" appears anywhere in the answer, push for specifics.

2. How are pass-through costs handled and are they marked up? Microsoft 365 licenses, phone system subscriptions, backup storage, and hardware are typically billed as pass-throughs on top of the managed services fee. Some providers mark these up 10 to 20 percent. Others bill at cost. Ask for the exact markup policy and compare it to retail pricing for the same products.

3. How does pricing change if we add staff, devices, or a new community? For senior living, this question is critical because staff turnover is constant. Senior Housing News reports that frontline and clinical staff turnover reached 38% in 2025. If your contract charges per user, every hire and departure changes your invoice. Per-community flat-rate pricing eliminates this variability entirely.

4. What triggers a "project" versus covered maintenance? The line between a covered service and a billable project is where most disputes occur. Ask the provider to define the threshold. Is replacing a failed switch covered? What about adding a new Wi-Fi access point? Cabling a new office? The clearer the threshold, the fewer surprises on your invoice.

How Should SLAs Be Structured for Senior Living?

5. What are your response time commitments for critical versus routine issues? A senior living IT contract must differentiate between clinical-urgency and administrative-priority issues. Life-safety systems, including nurse call, Electronic Health Record (EHR), and medication management, should carry a 15-minute or faster emergency response commitment with 24/7 coverage. High-priority issues like email outages or administrative system failures should have one-hour response targets during business hours and four-hour targets after hours. Standard requests should have next-business-day resolution targets. NinjaOne's managed services agreement reference provides examples of tiered SLA structures.

6. Who answers the phone at 2 AM if our nurse call server goes down? This is a litmus test. If the answer is "our answering service will take a message and a technician will call back," that is not 24/7 support. That is message-taking. A qualified senior living IT provider has an after-hours escalation path that reaches a live engineer within minutes for life-safety issues. Ask for the specific escalation procedure, not just a commitment.

7. Do you have experience with our specific EHR and clinical systems? Senior living communities use specialized software that general IT providers rarely encounter: PointClickCare, MatrixCare, ALIS, Yardi Senior Living, and dozens of others. The provider should have direct experience with your EHR vendor's support model, update schedules, and integration requirements. If they need to "learn" your clinical system after signing the contract, your staff will be teaching them on your dime.

What Compliance Deliverables Should the Contract Guarantee?

8. What HIPAA documentation do you produce and how often? The HIPAA Security Rule requires a security risk analysis, and the Office for Civil Rights (OCR) is expanding enforcement in 2026 to include risk management alongside risk analysis. Your IT provider should produce, at minimum: an annual risk assessment, an IT compliance binder with documented technical safeguards, staff security awareness training with completion records, incident logs, and access review documentation. These are not optional add-ons. They are regulatory requirements. If the provider treats compliance documentation as an upsell, they do not serve regulated environments. Read our detailed breakdown of how managed IT supports HIPAA compliance in senior living.

9. What happens if we have a data breach? Ask for the provider's written incident response plan. The HIPAA Breach Notification Rule (45 CFR 164.408) requires notification to affected individuals within 60 days. OCR must be notified within 60 days for breaches affecting 500 or more individuals. Your provider should have a documented breach response procedure that includes containment, forensic investigation, notification support, and remediation. If they do not have a written plan, they are improvising, and improvisation during a breach leads to regulatory violations.

What Should the Contract Say About Data Ownership and Exit?

10. What happens if we need to leave? The termination clause determines your leverage for the entire relationship. According to Capital Data's 2026 MSP contract guide, you should review your Managed Services Agreement (MSA) yearly to keep it current with pricing, service updates, and legal changes. Key provisions to verify:

• Notice period. Most contracts require 30 to 90 days written notice. Longer notice periods favor the provider.
• Early termination fee. Some contracts charge 50% or more of the remaining contract value for early termination. Understand the exact number before you sign.
• Data ownership. Your data, documentation, network diagrams, and configuration records must remain your property. The contract should state this explicitly.
• Credential transfer. All administrative passwords, vendor portal access, and domain credentials must be transferred to you or your new provider within a defined timeframe, typically 5 to 10 business days after termination.
• Transition assistance. The best contracts include a mandatory transition assistance period of 30 days where the outgoing provider cooperates with the incoming provider.

If your current contract lacks these provisions, the timeline to switch IT providers extends significantly and the risk of disruption increases.