November 7th, 2016

What Are HIPAA-compliant Hosting Requirements?

HIPAA Hosting Requirements are a set of rules that place the responsibility of protecting the privacy of patients’ healthcare data on the healthcare provider and their business associates. Whether using a hosting center, a third-party datacenter, or keeping the servers in-house, if you’re a healthcare provider or a business managing protected health information (PHI), your hosting must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA Hosting

There are three HIPAA requirements:

1. Administrative Safeguards

Healthcare providers and their business associates, as defined by HIPAA, must have policies and procedures in place to ensure the proper management, training, and oversight of staff who access or manage PHI.

2. Technical Safeguards

Systems infrastructure and things like encryption, audit controls, and data storage are subject to a strict set of requirements.

3. Physical Safeguards

For hosting, this mostly concerns the physical servers and how they secure data. It includes data redundancy and failure requirements, access to servers, and other important issues.

These three requirements cover a lot of ground. It’s necessary to understand each of them to satisfy HIPAA requirements and safeguard the sensitive PHI your hosting servers will contain. Educational institutions and private organizations offer HIPAA certification courses; if no one at your organization is familiar with HIPAA, consider having them take one of these courses, or consult a third-party expert.

It’s important to note that HIPAA hosting alone does not make you HIPAA compliant. Hosting is only one aspect of HIPAA compliance. (For more information, refer to our articles about HIPAA-compliant videoconferencing, and HIPAA-compliant websites.)

Understanding HIPAA Hosting Environments

In addition to the three requirements, HIPAA has four rules: the privacy rule, the security rule, the enforcement rule, and the breach notification rule. These rules govern how PHI is stored, transmitted, and accessed, among other things.

A hosting system needs to be developed with these rules from the ground up — it’s not easy to tweak an existing hosting system to be HIPAA-compliant. Start on the right foot by ensuring your hosting environment includes each of the following components.


It’s necessary to have firewalls fully implemented on your site. A combination of hardware and software firewalls, as well as firewalls specifically designed for web applications, will make your hosting environment as secure as possible. Make sure that your firewalls are implemented system-wide, as system-wide technology is one of the requirements for HIPAA-compliant servers.

Off-Site Backup

Your data must be backed up at an external location. This is important to ensure your electronic medical records (EMRs) are safe in the case of a fire, theft, or other event that makes it impossible for you to access your EMRs at your primary location.

SSL Certificates and an SSL VPN

Secure sockets layer (SSL) certificates establish an encrypted link between a server and a browser. This keeps the data that passes between the server and browsers private. Any parts of your site that require login credentials should feature an SSL.

An SSL virtual private network (VPN) allows an end user to access the system without having to install software on their own device, which makes the access more secure.

A Private (Dedicated) Hosted Environment

To ensure HIPAA compliance, you can’t share resources with any other entities. Your infrastructure has to be private and separate from the infrastructure of others.

Access Control and Validation Procedures

Develop and implement procedures to control and validate a person’s access to facilities with PHI. Determine which roles and functions can access software, including for testing and revision. Establish visitor control protocols.


Keep a record of the movements of your hardware and electronic data, and who is responsible for them.

This is by no means a complete checklist for establishing HIPAA-compliant hosting environments. Consult an experienced hosting provider to ensure you have covered all the bases. And remember: all the rules and requirements of HIPAA are geared towards privacy and security. When in doubt, choose the path that will keep your PHI as secure and private as possible.

How to Find an HIPAA-Compliant Hosting Provider

Finding a good HIPAA-compliant hosting provider is no easy task. It’s made more difficult by the fact that there are no governing bodies that certify whether a hosting provider is able to maintain an HIPAA-compliant hosting environment.

This means healthcare providers need to look beyond what hosting providers say they can do to establish whether or not they truly can comply with HIPAA. The alternative is being non-compliant and potentially facing a nasty fine.

When looking for a hosting provider to set up and manage your hosting environment, there are a few things you can do:

Ask the provider if they have previously set up HIPAA-compliant hosting. Get the names of healthcare providers for which they have set up hosting. Follow up with those healthcare providers to ask them if the company you’re considering was good to work with and understood all the ins and outs of HIPAA-compliant hosting. A previous client is more likely to give it to you straight than the company itself.

Look for a company that has SSAE 16 Certification. The Statement on Standards for Attestation Engagements (SSAE), created by the American Institute of Certified Public Accountants, is not a requirement for HIPAA. It’s actually more stringent in some ways, so any hosting company with SSAE 16 Certification is likely to easily meet HIPAA requirements.

Sign a business associate agreement. When a technology provider offers a service to a healthcare organization, they become a “business associate” as defined by HIPAA. Healthcare providers and business associates must sign a business associate agreement (BAA). A BAA is critical to ensuring everyone understands their obligations under HIPAA. It will clarify the role the hosting company takes, and who will be responsible should any breaches occur.

As you can tell from this article, there is no quick fix to ensuring an HIPAA-compliant hosting environment. Invest the necessary time and resources to ensure a secure, HIPAA-compliant hosting environment for your patients’ important PHI.

Have questions about HIPAA-compliant hosting environments? Leave a comment!

Leave a Comment

You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.