When searching for a HIPAA compliant host, it is important to understand that some hosts claim to be compliant with HIPAA regulations but are not. They typically fall short because they are missing one of the items listed below. This list is not meant to be comprehensive, but if a host has all of these in place, it is likely they are compliant with HIPAA all around.


  • Offsite Backups – A HIPAA compliant host can either rotate the media that contains your hosting files to a safe location, or they may have a second data center that the backups are synced to each day. The second is better because it is continuous. The former is only as good as the rotation of the media: if the rotation is done only once per month, it is not as good as rotating it each week or daily.
  • SIEM – Keeping track of the logs is a HIPAA requirement, and this is the job of the log manager. All the hosts must pass their logs to the log manager. The log manager should minimally allow the logs to be searched. In addition, the log manager should handle correlation. Correlation is the ability to find data that is relevant across the various hosts (servers).
  • HIDS – Host Intrusion Detection — see OSSEC (google it)
  • WAF – see ModSecurity (google it)
  • 2 Factor – see WiKID Systems (google it)
  • BAA – search for “HIPAA BAA”
  • VAS – see ControlScan
  • Password Management – see ManageEngine.com’s PMP (Password Manager Pro)
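
To make the correlation point in the SIEM item concrete, here is an added example (not from the original post and not taken from any SIEM product) that finds source addresses with failed SSH logins on more than one server within a short window. The log lines, hostnames, simplified timestamp format and 10-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines as a log manager might receive them from three servers.
SAMPLE_LOGS = """\
2024-03-01T10:00:05 web01 sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
2024-03-01T10:00:40 db01 sshd[402]: Failed password for admin from 203.0.113.7 port 50190 ssh2
2024-03-01T10:01:10 web01 sshd[812]: Accepted password for deploy from 198.51.100.4 port 40022 ssh2
2024-03-01T10:02:30 mail01 sshd[377]: Failed password for root from 203.0.113.7 port 50233 ssh2
2024-03-01T10:03:00 web01 sshd[815]: Failed password for deploy from 198.51.100.9 port 41000 ssh2
2024-03-01T11:30:00 db01 sshd[450]: Failed password for deploy from 198.51.100.9 port 41010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(text):
    """Return sorted (timestamp, host, source) tuples for failed SSH logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["src"]))
    return sorted(events)

def correlate(events, min_hosts=2, window=timedelta(minutes=10)):
    """Map each source to the hosts it failed against inside one window,
    keeping only sources seen on at least min_hosts distinct hosts."""
    by_src = defaultdict(list)
    for ts, host, src in events:
        by_src[src].append((ts, host))
    hits = {}
    for src, seen in by_src.items():
        for i, (start, _) in enumerate(seen):
            # Hosts touched by this source within `window` of the i-th event.
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(src, ())):
                hits[src] = hosts
    return {src: sorted(hosts) for src, hosts in hits.items()}

if __name__ == "__main__":
    for src, hosts in correlate(parse_failures(SAMPLE_LOGS)).items():
        print(f"{src}: failed logins on {len(hosts)} hosts ({', '.join(hosts)})")
```

Searching any single server's log here shows only one or two failures per address; the pattern appears only once the three hosts' logs are in one place.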