HIPAA compliant web hosting: Your options and what you need to know
Summary: First it was pixels, then it was analytics, and now its...everything. How can you make sure your web hosting is HIPAA-compliant? In short, go with one of the big three, but there are other options.
The Department of Health and Human Services (HHS) released new guidance on HIPAA and cloud computing in 2022. Ever since, health systems have faced increasing demands in areas from patient privacy to data security, going far beyond the original guidance. This has made it difficult to comply with HIPAA across websites.
Simply put, if a site allows PHI to be input, it must adhere to HIPAA. Not doing so can result in costly penalties, data theft, damaged reputation - even jeopardize patient safety. Web hosting services that house your site must be compliant, too. However, if you engage a provider, the responsibility of meeting HIPAA is still on you. The following looks at options and what to know when working with web hosting providers.
What should covered entities look for?
HIPAA-covered entities are defined as health plans, clearinghouses and providers who electronically transmit health information as outlined by HHS standards. Also included are business associates with access to a covered entities’ patient data. Whether it’s a medical billing company or the web hosting service itself, any organization that touches PHI must be HIPAA compliant, and you have the daunting task of ensuring it.
What’s needed is a web hosting service that complies with the security frameworks that HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) have mapped to. These could include certifications like ISO or HITRUST, which would provide an environment that supports compliance. Also critical are signed Business Associate Agreements (BAA) to make compliance a shared responsibility.
How do you know if a web hosting provider is HIPAA compliant?
So how do you determine if a web hosting service is HIPAA compliant? It really comes down to two things. First is their willingness to sign a BAA – if they balk, you should walk. Second is ensuring they have measures in place to keep PHI private and secure. The following are key factors to examine for determining this.
Security protocols: Must have encryption, access controls and threat detection.
Compliance certifications: Look for SOC 2 Type II, HITRUST CSF.
Data Backup and Recovery: Ensure backup frequency meets your needs and the provider has proven methods for fast recovery.
Monitoring and support: Hosts should guarantee 24/7 monitoring and customer service.
Scalability and adaptability: Be sure hosts can accommodate growth and regulation changes.
What are your HIPAA-compliant web hosting options?
If you’re already using one of the big cloud hosting providers like Azure, Amazon or Google, there’s good news – they will all sign a BAA and their services meet the required certifications. These hosting providers also regularly update their documentation on compliance offerings so IS/IT teams can stay abreast of changes.
Another option are smaller specialty providers with more healthcare focused offerings, including Atlantic, Liquidweb.com and HIPAA Vault. However, a closer look at these vendors reveals that under the hood, they’re also using one of the big three. You will need to compare the options and pricing to find the best fit.
How do you switch to a HIPAA-compliant web hosting service?
If you’re considering a switch to a HIPAA-compliant web hosting provider there’s a few things to know up front. The following sheds light on these and offers some tips for a smooth transition.
Conduct a performance review: Evaluate the hosting provider’s uptime, response time and customer support capabilities. Identify both their shortcomings and the opportunities they offer for improvement.
Identify your needs: Determine your current, near and long-term needs for ensuring HIPAA compliant web hosting. Make a list of the must-have functionality that hosts should offer.
Research and vet alternatives: See how much experience a hosting provider has working in healthcare entities, their certifications and security. Get a feel for their reputation via customer reviews
Get a BAA: Hosts should provide a signed, legal BAA that promises to protect your PHI in accordance with HIPAA regulations.
Plan your migration: Be sure there’s seamless, secure data transfer protocols in place to facilitate migration.
Insist on a trial period: A trial period is required to assess a web host’s performance and compatibility.
Need some help?
Our team at Reason One has been helping clients navigate the uncharted waters of ensuring the privacy and security of patient information. From HIPAA-compliant data analytics to CMS platforms, we’re well-versed in it all. As a result, we’re able to help healthcare organizations make informed decisions that meet their needs and align with goals and objectives. Get in touch to discuss your options.
Get the Ultimate Guide to HIPAA-Compliant Tech!
From analytics to CMS platforms to hosting and more, we're taking the guesswork out of selecting HIPAA-compliant platforms and approaches. Coming Summer 2024, The Ultimate Guide to HIPAA-Compliant Tech will help marketers narrow their options for future-forward tech.
Sign up for our newsletter below, and you'll be the first to receive it!