What should you look for in a HIPAA Compliant Host?

It’s an important question, since there are some hosts that might claim to be compliant with HIPAA regulations, but actually are not.

The likely reason they aren't compliant is that they are missing one or more of the managed services listed below.

While the following list isn't a comprehensive catalogue of every security service a host might offer, you can be confident that a host which has these in place is much more likely to be HIPAA compliant.

  • Offsite Backups – A HIPAA compliant host can either rotate media containing your hosting files to a safe location, or maintain a second data center to which the backups are synced each day. The second option is better because it is continuous; the former is only as good as the rotation schedule. Rotating media once per month protects far less than rotating it weekly or daily.
  • SIEM – Keeping track of the logs is a HIPAA requirement, and this is the job of the log manager. All hosts must forward their logs to the log manager, which should at a minimum allow the logs to be searched. In addition, the log manager should handle correlation: the ability to find related data across the various hosts (servers).
  • HIDS (Host Intrusion Detection System) – Monitors log activity and sends email alerts to the system administrator when an anomaly is detected. HIDS automatically adds firewall rules to block the source of any anomaly.
  • WAF (Web Application Firewall) – Blocks and monitors network traffic at the application level. Rule customization and advanced security features protect applications and services. Whereas a conventional network firewall simply passes HTTP and HTTPS traffic through, the WAF inspects that traffic and filters application-layer attacks, keeping the host within the HIPAA compliant web hosting guidelines.
  • Two-Factor Authentication – A method of authentication that is more secure than a simple password alone. It requires a second factor in addition to the password, making user authentication harder to defeat.
  • BAA (Business Associate Agreement) – A signed, legal agreement in which the host commits to handling the client's protected health information (PHI) in accordance with HIPAA.
  • Password Management – Policies and tooling that enforce strong passwords to prevent unauthorized access to PHI.
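To make the SIEM and HIDS points above concrete, here is an added example (not code from the original article or any hosting provider) of the cross-host correlation a log manager performs: it parses constructed sshd log lines from three hypothetical hosts, flags a source address whose failed logins touch several hosts within a short window, and renders the firewall rule a HIDS-style responder would add. Hostnames, addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from three hosts, as the central log manager would receive them
# (hypothetical hostnames and private addresses; not taken from any real system).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[811]: Failed password for invalid user admin from 10.9.8.7 port 51000 ssh2
2024-03-01T10:00:04 web01 sshd[811]: Failed password for invalid user admin from 10.9.8.7 port 51001 ssh2
2024-03-01T10:00:09 db01 sshd[402]: Failed password for root from 10.9.8.7 port 51002 ssh2
2024-03-01T10:00:15 app01 sshd[977]: Failed password for root from 10.9.8.7 port 51003 ssh2
2024-03-01T10:00:20 web01 sshd[811]: Accepted publickey for deploy from 192.168.1.20 port 40000 ssh2
2024-03-01T10:03:00 db01 sshd[402]: Failed password for root from 192.168.1.21 port 40100 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse_failed_logins(text):
    """Return (timestamp, host, user, source) tuples for failed-login lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return events

def correlate(events, min_hosts=2, window_seconds=60):
    """Per source address, flag failed logins that hit at least min_hosts distinct hosts
    within window_seconds. No single host's log shows this; only the log manager can."""
    by_src = defaultdict(list)
    for ts, host, _user, src in events:
        by_src[src].append((ts, host))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                findings[src] = sorted(hosts)
                break
    return findings

def block_rules(findings):
    """Firewall rules a HIDS-style responder would add for each correlated source (iptables syntax)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(findings)]

if __name__ == "__main__":
    found = correlate(parse_failed_logins(SAMPLE_LOGS))
    print(found, block_rules(found))
```

The single failed login from 192.168.1.21 never trips the rule, which is the point of correlation: the alert fires on the pattern across hosts, not on any one host's noise.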