The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, requires those who handle personal health records to follow the standards published by the Secretary of Health and Human Services for the privacy and security of health-related information. Those standards cover the electronic exchange of health records.
Healthcare providers have increasingly moved their records and related applications outside of their intranet and into the cloud for many reasons, including th
In order for a hosting company’s services to be considered HIPAA compliant, they must pass the items in the following checklist.
LiquidWeb is a certified HIPAA web hosting company, one of the few web hosts that will sign a Business Associate Agreement (BAA) with clients who need to be HIPAA compliant.
HIPAA Compliant Hosting Checklist
- The host must be willing and able to sign a Business Associate Agreement (BAA)
- On-site support must be provided around the clock: 24/7/365
- The host's core data centers must be wholly owned by the host, not rented or co-owned.
- The servers must be Fully Managed, meaning they are in an isolated hosting environment in which the hosting provider handles the setup, administration, and support of the web hosting services.
- The server cabinets (where the servers are physically kept) must be secured.
- The host must use a high availability infrastructure, meaning that it is designed to operate continuously, with safeguards in place to prevent failure.
- There must be a hardware firewall installed and configured.
- Data At-Rest Encryption (DARE) must be used by the host to secure data in databases, file systems, and any other form of stored data that is not being moved across a network.
- Administrative and physical safeguards must be in place as directed by the HIPAA regulations and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Business Associate Agreement (BAA)
A Business Associate Agreement must be in place between the web host and the customer who’s storing data in the host’s data center and transferring that data to and from the data center through their network.
The Business Associate Agreement formally allows the hosting company to be an “associate” of the HIPAA-restricted customer (referred to as the “Covered Entity” in the BAA) for the purpose of handling data that is considered protected health information.
The Business Associate Agreement outlines the duties of the host with regard to the protected health information that is being managed by them. The details listed in the checklist above are typically spelled out in the Business Associate Agreement.
HIPAA Compliant Web Hosts
Because the HIPAA requirements are so complicated and demanding, most web hosting companies are not HIPAA compliant. Many of the web hosts that are not HIPAA compliant actually include a section in their terms of service that forbids using their web hosting services to store protected health information as defined by HIPAA.
Among the thousands of web hosts that exist, only a small fraction of them are HIPAA compliant. Here are a few of them.
Amazon Web Services (AWS)
HHS HIPAA Health and Technology: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/index.html