By Gil Vidals

If you host a website that will interact with patient information, then it behooves you to find a specialist in HIPAA web hosting.

Patient information is considered Protected Health Information (PHI) or Electronic Health Records (EHR) and is protected by the regulations of the Health Insurance Portability and Accountability Act (HIPAA). Protecting this data is critical, yet the means to do it are complex. A web host may claim to follow the same practices as a HIPAA-compliant web host, so do your due diligence and verify their claims.

Still, you may already have a relationship with a web host that you really like and feel can do the job. Besides, their price might be quite reasonable, and you understand that HIPAA Compliant hosting providers can charge a lot more!

Either way, it’s important to verify that your host is following HIPAA guidelines; otherwise, you could be in for a surprise when a security breach requires you to prove that you and your host were indeed following HIPAA regulations.

So what’s the difference between a standard host and a host that is HIPAA compliant?

For starters, a non-HIPAA web hosting specialist will likely not provide one or more of the following (so ask them specifically to be sure):

1. A signed Business Associate Agreement (BAA)
2. Monthly vulnerability scans of your servers
3. Mitigation of the vulnerabilities discovered by the monthly vulnerability scans
4. Server hardening
5. Off-site backups
6. Log retention of 6 years

Let’s review these items one by one, so you can understand them better before discussing them with your prospective HIPAA Compliant host.

A signed BAA is important because it ensures that your hosting provider understands and accepts the liability of hosting PHI data. They are as liable as you are in protecting the data from unauthorized access.

The HIPAA Compliant host should scan your HIPAA-related servers at least once a month and provide a report to you whenever you ask for it. The purpose of the scan is to discover vulnerabilities in the hosting environment.

In addition to providing the report, they should be involved in helping remediate the vulnerabilities that are related to the infrastructure. You can’t expect the HIPAA host to fix your application issues though (unless you hired them to write your app as well).

The HIPAA Compliant web host should also harden your servers as part of their deployment process. Ask them for a copy of their server hardening steps. Server hardening is the process of applying security measures to your servers. Typically, these include: closing unneeded ports, removing unnecessary programs, adding security policies such as password policies, and creating a security banner that is displayed to the user when they log in and warns them that your server is only for authorized users. Ask the host to show you a copy of the banner as well.
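One way to turn that list into something you can check on a server, as an added example that is not from the original article: a small Python audit of the four hardening items above, run here over constructed sample inputs (an `ss -tln` listing, `/etc/login.defs`, a banner file and a package list). The allowed-port set, the password-policy thresholds and the unneeded-package list are assumptions standing in for whatever your host's hardening document specifies.

```python
# Added example, not from the original article: check the four hardening items
# against constructed samples (ss -tln, /etc/login.defs, banner, package list).
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
"""
ALLOWED_PORTS = {22, 443}          # assumption: ports the host says are exposed
LOGIN_DEFS = "PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\n"
BANNER = ""                        # constructed: empty /etc/issue.net
INSTALLED = ["openssh-server", "nginx", "telnet", "ftp", "mariadb-server"]
UNNEEDED = {"telnet", "ftp", "rsh-client"}   # assumption: host's removal list

def exposed_ports(ss_text):
    """Ports listening on a non-loopback address (header line is skipped)."""
    ports = set()
    for line in ss_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            addr, port = parts[3].rsplit(":", 1)
            if addr not in ("127.0.0.1", "[::1]"):
                ports.add(int(port))
    return ports

def password_policy_findings(login_defs, max_days=90, min_len=12):
    """Flag PASS_* values weaker than the thresholds (assumed policy values)."""
    vals = dict(line.split(None, 1) for line in login_defs.splitlines() if line.strip())
    findings = []
    if int(vals.get("PASS_MAX_DAYS", 0)) > max_days:
        findings.append("PASS_MAX_DAYS exceeds %d" % max_days)
    if int(vals.get("PASS_MIN_LEN", 0)) < min_len:
        findings.append("PASS_MIN_LEN below %d" % min_len)
    return findings

def banner_ok(banner):
    # The pre-login banner must exist and warn that access is for authorized users.
    return "authorized" in banner.lower()

def audit():
    """Findings keyed by hardening item; an empty dict means all four pass."""
    results = {
        "unexpected_ports": exposed_ports(SS_OUTPUT) - ALLOWED_PORTS,
        "password_policy": password_policy_findings(LOGIN_DEFS),
        "missing_banner": not banner_ok(BANNER),
        "unneeded_packages": sorted(set(INSTALLED) & UNNEEDED),
    }
    return {k: v for k, v in results.items() if v}
```

On a real host you would feed the script the live `ss -tln` output, the actual `/etc/login.defs`, banner file and package list, and compare its findings with the hardening steps the provider handed you.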

Ask the web host if they provide offsite backups and how far the backups are physically from where your servers are hosted. The backups should be in a geographically separate location. A building next door is too close; it should be at least 50 miles away. Basically, you don’t want a natural disaster such as an earthquake to take out both your servers and the backups.

You should also remember that when you are finished using a particular server that contained PHI data, it can’t simply be powered off and made available to the next client that a web host might have. The server’s hard drives should not be used again until they have been wiped by several passes. The passes ensure that the data cannot be read again. Ask your host what mechanism they use to wipe the hard drives and how many passes they make. (The right answer should be multiple passes. Exactly how many can vary, but the important point is that the web hosting company is at least aware of what you are talking about and has a policy that involves multiple passes.)

To reiterate: selecting a web host that actually follows the HIPAA guidelines is not the same thing as finding an inexpensive host that does a good job at hosting websites without patient information. Be sure to utilize the questions listed in this article as you’re considering the best web hosting provider for your project.


Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.