The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliant Hosting

HIPAA compliant hosting is a service most often provided by cloud service providers that enables covered entities and business associates to take advantage of a hosting environment that complies with the HIPAA Security Rule standards. Most often, a HIPAA compliant hosting service includes access controls, data encryption, operating system security, and segregated servers.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 at a time when the Internet was still in its infancy and when most healthcare organizations were recording patient information on paper. It could not have been predicted how technology would progress and how IT practices would change over the next two decades, so the legislation has been kept technology neutral.

Web hosting and other cloud services are not mentioned in the HIPAA text, but they are covered by the HIPAA Privacy and Security Rules, and there are restrictions placed on the use of cloud services in connection with protected health information (PHI).

HIPAA does not prohibit healthcare organizations from moving patient information from secure, internal IT environments to public or private cloud platforms, provided the service provider signs a business associate agreement and agrees to implement safeguards to ensure the privacy and security of health information and comply with all appropriate provisions of HIPAA Rules.


HIPAA Hosting Companies and HIPAA Compliance Certification

One of the problems healthcare organizations face when selecting a vendor is that there is no official HIPAA certification program that guarantees a service or company is in compliance with HIPAA Rules.

Third party audits and assessments can be performed by HIPAA specialists, but they will only provide a snapshot of compliance at a particular moment in time. It is for this reason that there is no official HIPAA compliance certification body.

HIPAA compliance certification may not be officially recognized, but it does show a vendor’s commitment to compliance and provides healthcare organizations with reassurances that the platform is secure and incorporates all the necessary safeguards and controls to support HIPAA compliance.

SOC 2 Type I and Type II certifications are not a requirement for HIPAA hosting providers, although the certifications demonstrate that a vendor has proven that its systems have been designed to keep all client data secured.

Key Features of HIPAA-Compliant Cloud Hosting

To help you choose a suitable HIPAA hosting provider, we have compiled a list of the most important features to look for when selecting a hosting provider whose service will be used in connection with PHI.

A HIPAA-compliant cloud hosting environment should include:

  • A robust firewall and intrusion prevention system
  • Encrypted VPNs for securely connecting to the cloud to access, upload, or download PHI
  • Robust encryption for data at rest
  • Strong authentication controls including multi-factor authentication
  • Event log management to maintain an audit trail
  • Reliable data backups, offsite backup storage, and data recovery assistance
  • 100% server availability and reliability, ideally with a 100% server uptime SLA
  • Data stored in HIPAA-compliant data centers

Third-party HIPAA/HITECH assessments and audits are a good guide as to which hosting companies are in compliance with HIPAA. The hosting provider must also be prepared to sign a business associate agreement (BAA) covering all products and services that will be used in connection with PHI.

HIPAA-Compliant WordPress Hosting

WordPress is a popular CMS for creating and managing website content that is extensively used in healthcare. If a WordPress website interacts with anyone’s PHI, a range of privacy and security features are required to meet HIPAA requirements. The website must also be hosted with a HIPAA compliant hosting company.

HIPAA-Compliant Database Hosting

The reliability of today’s cloud platforms means healthcare organizations can reduce costs by migrating their databases to the cloud, while continuing to enjoy 100% uptime and superb performance. Third party platform providers take care of many aspects of security, reducing the administrative burden of database management.

HIPAA-Compliant Cloud Storage

Healthcare organizations are not limited to on-premises solutions for storing patient data. HIPAA-compliant cloud storage platforms provide a level of security equivalent to that of on-premises servers, but at a fraction of the cost.

HIPAA-compliant cloud storage services are available which offer total protection for stored data, with robust access controls and strong encryption for data at rest and in transit to and from the storage server.

HIPAA-Compliant Data Centers

Healthcare organizations that outsource their on-premises data centers can enjoy considerable cost savings while improving privacy protections for patients. HIPAA-compliant data centers store information remotely on high-performance secure servers with guaranteed uptime to ensure health data is always available to providers.

HIPAA-Compliant Disaster Recovery

In the event of disaster, getting systems back online and restoring data access quickly are critical. Hosting providers offer a range of data backup and disaster recovery services to ensure cloud workloads are protected and data can always be recovered.

HIPAA-Compliant Managed Services

HIPAA hosting companies typically offer a range of managed services to healthcare organizations, from consultancy services and cloud migration assistance to enhanced security and virtual IT department services.

HIPAA Compliant Hosting FAQ

Once data is stored in a cloud-based service, who is responsible for it?

Cloud Service Providers are responsible for the security of the cloud, but not security in the cloud. Covered entities have to take many of the same data security precautions as they would in an on-premises computing environment – including facility access controls if they operate in a hybrid cloud environment consisting of a public cloud and on-premises infrastructure.

Are colocation data centers HIPAA compliant?

It depends on whether the colocation provider has implemented the administrative, technical, and physical safeguards required by the Security Rule to protect the security and integrity of ePHI. If the provider has, and is willing to sign a Business Associate Agreement, the provider has the same shared responsibilities for protecting the security and integrity of ePHI as a Cloud Service Provider.

If I deploy sensitive workloads in the cloud, do I have to pay extra for dedicated hosting?

Some Cloud Service Providers make it a condition of their Business Associate Agreements that sensitive workloads are deployed on dedicated hosts. This not only better protects sensitive workloads, but tends to enhance performance because the workloads are not sharing the resources of a multi-tenanted server with a “noisy neighbor”.

If I sell a cloud-based SaaS solution to a Covered Entity, who is the Business Associate Agreement between?

There will need to be two Business Associate Agreements – one between you and the Cloud Service Provider (which will cover this transaction and any subsequent transactions with other covered entities), and a second between you and the covered entity purchasing your solution. The covered entity does not need to sign a Business Associate Agreement with the Cloud Service Provider.

If I sign a Business Associate Agreement with a Cloud Service Provider, can I use all their services?

You will be able to access all the Cloud Service Provider's services; but, when creating, processing, or storing ePHI, you must only use services referenced in the Business Associate Agreement. Any breach of the agreement will likely result in the Cloud Service Provider terminating the agreement and refusing access to services your organization may rely on to function efficiently.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
