If you host a website that will interact with patient information, then you should look for a web host that specializes in HIPAA compliant hosting. Patient information is considered Protected Health Information (PHI) or Electronic Health Records (EHR) and is protected by the regulations of the Health Insurance Portability and Accountability Act (HIPAA).
A web host may claim to follow the same practices as a HIPAA compliant web host, so you are obligated to do your due diligence and verify that claim. On the other hand, you might already have a relationship with a web host you really like and feel can do the job. Besides, their price might be very reasonable, and you understand that HIPAA compliant hosting providers charge a lot more! Either way, it’s important to verify that your host is following the HIPAA guidelines; otherwise, you could be in for a surprise if a security breach forces you to prove that you and your host were following HIPAA regulations.
A web host that does not specialize in HIPAA hosting will likely be missing at least one of the following. Ask them specifically whether they provide:
1. A signed Business Associate Agreement (BAA)
2. Monthly vulnerability scans of your servers
3. Mitigation of the vulnerabilities discovered by the monthly vulnerability scans
4. Server hardening
5. Off-site backups
6. Log retention of 6 years
Let’s review these items one by one, so you can understand them better before discussing them with your prospective HIPAA compliant host. A signed Business Associate Agreement (BAA) is important because it ensures that your hosting provider understands and accepts the liability of hosting PHI data. They are as liable as you are for protecting the data from unauthorized access.
The HIPAA Compliant host should scan your HIPAA related servers at least once a month and provide a report to you whenever you ask for it. The purpose of the scan is to discover vulnerabilities in the hosting environment. In addition to providing the report, they should be involved in helping remediate the vulnerabilities that are related to the infrastructure. You can’t expect the HIPAA host to fix your application issues though (unless you hired them to write your app as well).
The HIPAA compliant web host should also harden your servers as part of their deployment process. Ask them for a copy of their server hardening steps. Server hardening is the process of applying security measures to your servers. Typically, these include: closing unneeded ports, removing unnecessary programs, adding security policies such as password policies, and creating a security banner that is displayed to the user when they log in and warns them that your server is only for authorized users. Ask the host to show you a copy of the banner as well.
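The hardening steps listed above can be turned into an automated check, so that the copy of the hardening procedure the host gives you can be compared against what is actually running. The script below is an added example (not from the article or from any hosting provider): it audits three of the items named in the paragraph, the SSH login banner, the password policy, and the set of listening ports, against a constructed "before" and "after" configuration. The `sshd_config` and `login.defs` snippets, the port lists, and the allowlist of ports `22` and `443` are constructed sample inputs, not taken from any real host.

```python
"""Audit a server's hardening state against the article's checklist.

Added example. It reads sshd_config-style and login.defs-style text
and a list of listening ports, and returns a list of findings. All
inputs below are constructed samples so the script runs offline.
"""

# Constructed sample: an sshd_config before and after hardening.
SSHD_CONFIG_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#Banner none
"""

SSHD_CONFIG_HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
Banner /etc/issue.net
"""

# Constructed sample of /etc/login.defs password-policy lines.
LOGIN_DEFS_WEAK = "PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\n"
LOGIN_DEFS_HARDENED = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 14\n"

# Assumption: the server should expose only SSH and HTTPS.
ALLOWED_PORTS = {22, 443}


def parse_directives(text):
    """Turn 'Key value' lines into a dict, ignoring comments and blanks."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1].strip()
    return directives


def audit_sshd(text):
    """Findings for the SSH daemon: anything other than an explicit
    hardened value is flagged, so a missing directive is a finding too."""
    cfg = parse_directives(text)
    findings = []
    if cfg.get("PermitRootLogin", "yes") != "no":
        findings.append("sshd: root login is permitted")
    if cfg.get("PasswordAuthentication", "yes") != "no":
        findings.append("sshd: password authentication is enabled")
    if cfg.get("Banner", "none") == "none":
        findings.append("sshd: no authorized-use banner configured")
    return findings


def audit_password_policy(text, max_days=90, min_len=12):
    """Findings for login.defs style password aging and length rules."""
    cfg = parse_directives(text)
    findings = []
    if int(cfg.get("PASS_MAX_DAYS", 99999)) > max_days:
        findings.append("passwords: PASS_MAX_DAYS exceeds %d" % max_days)
    if int(cfg.get("PASS_MIN_LEN", 0)) < min_len:
        findings.append("passwords: PASS_MIN_LEN below %d" % min_len)
    return findings


def audit_ports(listening_ports, allowed=ALLOWED_PORTS):
    """Flag every listening port that is not on the allowlist."""
    return ["ports: unexpected listener on %d" % p
            for p in sorted(set(listening_ports) - set(allowed))]


def audit_server(sshd_text, login_defs_text, listening_ports):
    """Run all checks and return the combined list of findings."""
    return (audit_sshd(sshd_text)
            + audit_password_policy(login_defs_text)
            + audit_ports(listening_ports))


if __name__ == "__main__":
    # Constructed port lists: the weak host also exposes HTTP and MySQL.
    for finding in audit_server(SSHD_CONFIG_WEAK, LOGIN_DEFS_WEAK,
                                [22, 80, 443, 3306]):
        print(finding)
    print("hardened findings:",
          audit_server(SSHD_CONFIG_HARDENED, LOGIN_DEFS_HARDENED, [22, 443]))
```

On a real server you would feed `audit_server` the contents of `/etc/ssh/sshd_config` and `/etc/login.defs` and the port list from a tool such as `ss -ltn`; an empty result is what the host's hardening document should produce.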
Ask the web host if they provide offsite backups and how far the backups are physically from where your servers are hosted. The backups should be in a geographically separate location. A building next door is too close; the backup site should be at least 50 miles away. Basically, you don’t want a natural disaster such as an earthquake to take out both your servers and the backups.
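The 50-mile criterion is easy to check once the host tells you where the two facilities are. The following is an added example (not from the article): it computes the great-circle distance between two latitude/longitude pairs with the haversine formula and compares it with the article's threshold. The coordinates used in `__main__` are constructed placeholders, not the locations of any real data center.

```python
"""Check that a backup site is far enough from the primary data center.

Added example. Distances are great-circle (haversine) distances in
miles; the coordinates used below are constructed placeholders.
"""
import math

EARTH_RADIUS_MILES = 3958.8
MIN_SEPARATION_MILES = 50  # the article's minimum separation


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points on the Earth."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def backup_site_far_enough(primary, backup, min_miles=MIN_SEPARATION_MILES):
    """Return (ok, distance_in_miles) for two (lat, lon) tuples."""
    distance = haversine_miles(primary[0], primary[1], backup[0], backup[1])
    return distance >= min_miles, round(distance, 1)


if __name__ == "__main__":
    # Constructed placeholder sites one degree of latitude apart.
    primary_site = (40.0, -100.0)
    backup_site = (41.0, -100.0)
    ok, miles = backup_site_far_enough(primary_site, backup_site)
    print("backup site is %.1f miles away; far enough: %s" % (miles, ok))
```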
When you are finished using a particular server that contained PHI data, it can’t simply be powered off and made available to the web host’s next client. The server’s hard drives should not be used again until they have been wiped with several passes. The passes ensure that the data cannot be read again. Ask your host what mechanism they use to wipe the hard drives and how many passes they make. The right answer should be multiple passes. Exactly how many can vary, but the important point is that the web hosting company is at least aware of what you are talking about and has a policy that involves multiple passes.
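To make the "multiple passes" policy concrete, here is an added example (not from the article or any hosting provider) that overwrites a scratch file, standing in for a drive, with several fixed patterns followed by a random pass and then verifies that the original content can no longer be found. The PHI-like sample record written to the file is constructed. The example models the policy at the file level only; sanitizing a real drive is done against the raw device, and flash-based drives need the drive's own secure-erase command because overwrite passes do not reach remapped cells.

```python
"""Multi-pass overwrite of a storage area before it is reused.

Added example. Each pass overwrites every byte; the last pass uses
random data so that the final state is not a predictable pattern.
"""
import os
import tempfile

# Patterns for the fixed passes; the final pass always uses random bytes.
PATTERNS = [b"\x00", b"\xff", b"\x55", b"\xaa"]


def overwrite(path, pattern, chunk_size=64 * 1024):
    """One pass: overwrite the whole file with `pattern` (None = random)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        written = 0
        while written < size:
            n = min(chunk_size, size - written)
            if pattern is None:
                block = os.urandom(n)
            else:
                block = (pattern * (n // len(pattern) + 1))[:n]
            fh.write(block)
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # make sure the pass reached the device


def multi_pass_wipe(path, passes=3):
    """Overwrite `path` `passes` times and return the number of passes.

    Fewer than two passes is rejected, matching the article's point that
    the host's policy must involve multiple passes.
    """
    if passes < 2:
        raise ValueError("a single pass does not meet the multi-pass policy")
    for i in range(passes):
        pattern = PATTERNS[i % len(PATTERNS)] if i < passes - 1 else None
        overwrite(path, pattern)
    return passes


def wipe_and_verify(original, passes=3):
    """Write `original` to a scratch file, wipe it, and report
    (passes_done, original_no_longer_present)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(original)
        done = multi_pass_wipe(path, passes)
        with open(path, "rb") as fh:
            after = fh.read()
    finally:
        os.remove(path)
    return done, original not in after


if __name__ == "__main__":
    # Constructed PHI-like record; no real patient data.
    sample = b"PATIENT: Jane Doe, MRN 000000 (constructed sample)\n" * 100
    print("passes, original gone:", wipe_and_verify(sample, passes=3))
```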
Selecting a web host that actually follows the HIPAA guidelines is not the same thing as finding an inexpensive host that does a good job at hosting websites that don’t contain patient information. Hopefully, this article has given you some useful questions you can ask the web hosting providers you are considering for your project.