Expert Guide to HIPAA Compliant Hosting
Last Updated on February 13, 2024 by James Wilson
HIPAA Compliant Hosting is a must for healthcare workers. The stakes are simply too high when storing lots of sensitive patient data, to risk the information falling into the wrong hands. Making sure that your hosting is HIPAA compliant goes a long way to ensure that patient data is stored safely and complies with current legislation.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was put in place to keep patient data safe and secure. This means that data transferred or stored must adhere to the strict rules set out in the HIPAA legislation guidelines.
One thing that becomes difficult when looking for HIPAA compliant hosting is finding reliable hosting at a low cost. Other requirements, such as – HIPAA email hosting, HIPAA cloud hosting, HIPAA databases and whether your business requires HIPAA dedicated hosting are also important.
Finally, you’ll need a host that offers FTP security, so that when you are transferring data to and from your host – the data is kept secure.
In this article, we’ll explore everything that you need to know about HIPAA compliant hosting and some hosting providers that offer high-quality solutions.
What are the 3 Components of HIPAA Law?
The HIPAA legislation covers your entire organization. The law also states that employees should be aware of the HIPAA law, so training is advisable for everyone who works in the healthcare sector. The 3 main components of the HIPAA law can be summarised as follows:
2. Record keeping
Your host has a big part to play in all three areas, as they will be providing technology that must comply, holding records that must be stored securely, and every part of the service must adhere to strict policies. Furthermore, you need to think about every single piece of data that is transferred online and whether it adheres to the strict HIPAA legislation. Otherwise, you’ll be at risk of incurring a financial penalty.
The 18 HIPAA Identifiers
HIPAA legislation protects “individually identifiable information” both at rest and in transit; this is known as Protected Health Information (PHI). There are 18 key identifiers that must be protected, as follows:
1. Name
3. Dates related to an individual
4. Telephone numbers
5. Fax number
6. Email address
7. Social Security Number
8. Medical record number
9. Health plan beneficiary number
10. Account number
11. Certificate or license number
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URL
15. Internet Protocol (IP) Address
16. Finger or voice print
17. Photographic image
18. Uniquely defining characteristics
As you can see, that’s a lot of information to keep track of!
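A practical way to keep track of the identifiers in the list above is to scan the data your host holds for them before deciding whether it is PHI. The following example is added here and is not from the original article; it runs over a constructed log line (the kind of record a hosted patient portal leaves in access logs and backups) and flags the identifier categories that have a recognisable shape, plus those that can only be recognised by field name. The sample values, field names and category labels are all assumptions made for the illustration.

```python
import re

# Constructed sample log line for a hosted patient portal (not real data).
SAMPLE_LOG = (
    "2024-02-13 10:42:01 web01 GET https://portal.example.org/records/123 "
    "user=jane.doe@example.org mrn=00123456 ssn=123-45-6789 "
    "phone=(407) 555-0142 src=203.0.113.45 dob=04/07/1981"
)

# Identifier categories from the list above that have a recognisable shape.
# Ordered so that broader patterns (URL, email) are handled before the short
# numeric ones that could otherwise match inside them.
IDENTIFIER_PATTERNS = {
    "url": re.compile(r"\bhttps?://\S+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "telephone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}

# Categories with no fixed shape (names, medical record, account and licence
# numbers, device serials) are recognised by the field name that carries them.
# The field names are assumed for this example.
FIELD_NAME_CATEGORIES = {
    "name": "name", "patient": "name", "mrn": "medical_record_number",
    "ssn": "social_security_number", "account": "account_number",
    "beneficiary": "health_plan_number", "plate": "vehicle_identifier",
    "serial": "device_identifier",
}

def scan(text):
    """Return {category: [matches]} for every shaped identifier found in text."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[category] = hits
    return found

def flag_fields(line):
    """Return {field: category} for key=value fields named after an identifier."""
    flagged = {}
    for key, _value in re.findall(r"(\w+)=(\S+)", line):
        category = FIELD_NAME_CATEGORIES.get(key.lower())
        if category:
            flagged[key] = category
    return flagged

def redact(text):
    """Replace each shaped identifier with a category tag, in pattern order."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text
```

A line that `scan` or `flag_fields` reports on is one your host is storing as PHI, so it belongs under the encryption, access and audit controls discussed below rather than in plain-text logs or backups.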
What is a HIPAA violation?
Before we get into the best hosting providers that offer a HIPAA compliant service, let’s look at what a HIPAA violation is and why it’s important to avoid one.
Normally HIPAA violations incur large financial penalties. The main thing you need to watch out for is that you’ve successfully performed an organization-wide risk analysis. Doing this identifies risks to the confidentiality, integrity, and availability of protected health information (PHI). It’s also imperative to enter into a HIPAA-compliant business associate agreement (BAA).
What are the HIPAA Compliant Hosting Requirements?
… and who needs to comply with the HIPAA legislation?
The legislation sets standards for electronic healthcare transactions and how patient records are handled. HIPAA covers a wide range of sensitive information. For example appointments, treatment information, healthcare records, and medical health histories.
There are certain precautions that must be taken to ensure that people who are storing, controlling, disposing of, and providing access to medical records do so in a way that keeps their safety and privacy intact. Businesses that work closely with a healthcare company are also required to adhere to the legislation. As such, hosting providers must be HIPAA compliant to work with a healthcare organization legally.
What are the Encryption Requirements for HIPAA?
When selecting a HIPAA certified host, they must follow strict encryption and decryption guidelines, as follows:
- Encryption and Decryption – 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information (ePHI).
- Encryption – 164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
These requirements were taken from hipaacentral.com.
As you can see, HIPAA hosting is complex and a must for anyone working in the healthcare sector. Let’s dive into the best HIPAA compliant hosts:
Best HIPAA-Compliant Web Hosting
1. LiquidWeb.com (£238 per month)
BEST FOR – Flexible Hosting, Ideal for Large Healthcare companies in the US or Europe
LiquidWeb offers cloud dedicated servers, and cloud-based virtual private servers (VPS). They even offer 2 pre-configured HIPAA-friendly packages that you can select and use straight out of the box. This is a lifesaver if you don’t have the time or resources to configure your server. For some reason, many hosts require you to call them up and discuss your requirements. Great for some people… sure, but not everyone has time for that. I’d expect my HIPAA compliant host to be automated, and for this reason, LiquidWeb comes up top of our list.
Alternatively, you can also work directly with one of Liquid Web’s specialists to create a customized plan. They are particularly great when it comes to managed dedicated server hosting. LiquidWeb offers instant provisioning, so if you choose to go with LiquidWeb, you’ll be up and running in minutes. Bonus!
LiquidWeb has a world-class customer support team that is both knowledgeable and quick to respond. They have a really cool customer support offering named “24/7 Heroic Support®”, where staff are always available when you need them via phone, chat, and email.
The company owns five state-of-the-art data centers in both the US and Europe. One thing that I love about LiquidWeb is their 100% uptime guarantee, certainly not something I come across very often, and a great feature for healthcare workers who can’t afford to waste time waiting for data to arrive, especially in emergency situations. Data is also backed up and monitored, as well as balanced with their block storage and load balancer add-ons.
World Class HIPAA Dedicated Servers
As well as cloud hosting, LiquidWeb also offers HIPAA-Compliant Dedicated Server hosting, meaning you can go ahead and order a dedicated server with LiquidWeb and ask for it to be made HIPAA compliant. Can’t say better than that! This is especially useful for larger organizations that require a lot of space and flexibility with their hosting.
Their dedicated servers are fully customizable and built-to-order. LiquidWeb offers a wide variety of both Linux or Windows operating systems for your server to run on.
Best HIPAA FTP Hosting
When it comes to transferring your sensitive files to your server, this process must also be HIPAA compliant. FTP hosting and file transfer are covered when you decide to go with LiquidWeb, as they offer a “ServerSecure” platform that adheres to the encryption standards and audit controls required to comply with HIPAA legislation. LiquidWeb has also been externally audited to ensure that it complies with both HIPAA and HITECH legislation. This gives extra peace of mind.
LiquidWeb HIPAA Compliant Packages and Prices
It’s complicated to put a hard and fast price on HIPAA hosting as every company has different requirements. However, LiquidWeb gives a base level cost as follows:
- Single Server HIPAA Hosting – Linux starting at £238, Windows starting at £285
- Multiple Server HIPAA Hosting – Linux starting at £625, Windows starting at £760
- 100% guarantees
- Custom configurations
- Instant provisioning
- Real-time monitoring
- Load balancer add-ons
- Money-Back Guarantee
- 24/7 Heroic Support® via phone, chat, and email
- Only cater to advanced users
2. Ntirety (Contact to discuss price)
BEST FOR – Compliance-Focused Enterprise Ready Hosting
Ntirety used to be known as “Hostway Hosting”. Ntirety was formed in 2018 through the merger of Hostway and HOSTING. Ntirety focuses on reducing risk and optimizing cost with future-ready, agile enterprise solutions. They offer compliance focused cloud hosting for Healthcare, FinTech, Manufacturing, Mission-critical SaaS and IoT and software.
The cloud hosting service from Ntirety is “The Ntirety Healthcare Hybrid Cloud Solution”, and they say that their solutions meet or even sometimes exceed the compliance requirements of HIPAA/HITECH and PCI DSS. Their complete end-to-end solution is cost-effective and fully managed. They also offer desktop software to enhance security. Probably the best thing about Ntirety is that they offer a 100% guarantee that you’ll pass their audits if you go with them. That means you get your money back if you don’t pass – but that’s unlikely, as they have a clean track record when it comes to getting people to pass their HIPAA audits.
Ntirety offers advanced cloud security and support to avoid cyber threats. They offer integrated compliance services from their 14 worldwide data centers, which ensure speed and performance.
- 24x7x365 support
- 14 Data Centers
- 100% guarantee that you’ll pass audits
- Don’t publicly display prices
Who offers the Best HIPAA-Compliant Email Hosting?
Sending healthcare information via email is allowable, according to HIPAA. This is surprising, as sending and receiving messages can be notoriously insecure. To ensure your email is HIPAA compliant, you must ensure that your email host offers end-to-end encryption and will sign a business associate agreement with you, configure your email correctly, and then train all employees in how to make sure that their emails are protected.
HIPAA compliant email hosting is focused on secure encryption, audits, and integrity controls that protect data in transit. GoDaddy offers robust, secure HIPAA compliant email hosting services.
3. GoDaddy.com (£6.74 per user/mo)
BEST FOR – Affordable and easy to use, professional HIPAA Compliant Email Hosting
Godaddy offers two HIPAA compliant hosting packages as follows:
- Microsoft Office 365
- Business Premium
You’ll need to activate your mailbox and agree to the Office 365 Business Associate Agreement to take advantage of HIPAA email hosting from GoDaddy. The HIPAA email hosting from GoDaddy is easy to use; there is no front-facing difference to their HIPAA email hosting – the only alteration (that you don’t see or feel) is that strong encryption, security and privacy features run in the background.
GoDaddy HIPAA Email Hosting Plans & Pricing
All of the email plans from GoDaddy offer 1TB secure storage
- Online Essentials – £6.74 per user/mo
- Business Premium – £9.32 per user/mo, can be installed on up to 5 devices
- Advanced Security – £13.28 per user/mo, includes business apps – however, these apps would all have to be checked and approved for HIPAA compliance.
- Easy to use
- Setup in minutes
- Professional email name
- Spam filtering
- HIPAA-compliance features with premium plans
- 99.9% uptime guaranteed
- Fast & Secure
- Need to pay for each individual user
PRO TIP: Remember to sign the BAA to activate your HIPAA compliant email hosting.
4. Amazon Web Services (AWS) (Free++)
Best for – Cheap, SEO-friendly PHP Hosting
If you’re looking to host with a renowned cloud hosting platform, then Amazon Web Services (AWS) could be for you. AWS use the common HITRUST Security Framework to ensure that their services comply with HIPAA and HITECH legislation. AWS is great as you can get up and running for free and scale to mammoth proportions.
If you are not technically minded, AWS will be extremely complicated. In fact, I’ve known seasoned developers who struggle with setting up services inside AWS. They have so many settings and unique names for things that the whole process of getting your cloud hosting off the ground with AWS can be daunting. For this reason, you could find an AWS expert or partner to create your cloud server account for you. Again, make sure that you’ve signed a BAA with AWS to ensure that you are HIPAA compliant.
- Start for free
5. Rackspace (contact for pricing)
BEST FOR – Amazing customer support & HIPAA-Ready Solutions for Healthcare
Texas-born Rackspace has been around since the internet was officially unveiled and available to the public. Founded in 1996, Rackspace is now the trusted host for half of the Fortune 100 fastest growing companies in the US. More importantly, Rackspace offers end-to-end HIPAA compliance and are experts in the space.
Like LiquidWeb, Rackspace takes their customers so seriously that they’ve trademarked the signature name “Fanatical Support™” – and they use Net Promoter to track customer satisfaction. Rackspace is available 24/7/365 via phone, email, and chat. No matter what kind of hosting you need, you’ll find it with Rackspace. They offer public, private, hybrid, and multi-cloud services. Again, you need to give them a call to get a quote.
- 24/7/365 customer support
- Experts at HIPAA
- Established host
- Around-the-clock monitoring
- No auto-provisioning
BEST FOR – Blazingly fast and secure HIPAA cloud hosting in the US
OVH is a massive worldwide host based in Roubaix, France. They have 27 data centers located in 19 countries all around the world. This is great news if you are looking for fast servers, because the closer they are to your physical location, the quicker they’ll load.
OVH has a whopping 300,000 servers across all of its data centers. OVH has invested in next-gen tech so that they can deliver blazingly fast and secure services. Unfortunately, if you’re looking for HIPAA compliant hosting you’ll need to opt for one of their US servers as they are the only ones that have been certified by HIPAA.
The OVH hosting package vCloud Air is the package you want to look out for if you’re on the hunt for HIPAA compliant cloud hosts. OVH states that the following products and servers have been tested for HIPAA compliance.
- Dedicated Servers
- Hosted Private Cloud
- Public Cloud Services
US data centers:
- Vint Hill, Virginia (East Coast)
- Hillsboro, Oregon (West Coast)
- 27 datacenters
- Fast servers
- HIPAA certified
- You need to contact them to set up your hosting
BEST FOR – Security-conscious, easy to use HIPAA hosting
Another company that has been around since the dawn of the internet (1994) is Atlantic.net. Founded by university students in Orlando, Florida, Atlantic.net has come a long way. All of the servers from Atlantic.net, whether cloud, website or database, have been independently audited. Again, they offer a brilliant 100% uptime guarantee, which is essential for mission-critical sensitive data. One thing that Atlantic.net excels at is making its solutions simple and easy to use.
Atlantic.net uses an encrypted VPN to tunnel your information through safe channels, as well as multi-factor authentication and SSL certificates for added security. Atlantic.net has servers all over the world, specifically in the US and UK.
- 100% uptime guarantee
- Offsite backups
- Multi-factor authentication
- SSL certificates
- SSAE 18 certification.
- Tailored to your needs
- No out of the box solution
8. Inap (Tailored plans)
BEST FOR – Innovative hosting
Inap, previously known as “SingleHop”, is a hosting provider that has grown rapidly since its beginnings as a shared server host in 2006. Inap is a US hosting provider that focuses on automation and innovation. What is a bit odd is that they require you to contact them to set up your hosting, which seems a bit slow and not automatic.
Inap partners with the leading compliance experts AlertLogic so that they can deliver unparalleled security and HIPAA compliance.
If you want to use Inap for your HIPAA compliant hosting, then you’ll need to “hop” over (pardon the pun) and have a 30-minute review to ascertain your business needs. Inap offers users account management features and lots of security features like DDoS protection.
- DDoS mitigation.
- AlertLogic partners
- No automatic HIPAA host setup
9. Colocation America (£62.70 per month)
BEST FOR – Cost-effective, US HIPAA bare-server or hybrid cloud servers
Colocation America offers secure dedicated servers that comply with all of the HIPAA requirements, and they passed their recent audit. The features they use for this include a dedicated firewall, diligent monitoring, encryption, and a disaster recovery plan. Colocation America has 22 data centers and also offers a nice 100% uptime guarantee.
Colocation America focuses on providing storage, hardware and connectivity over a robust infrastructure. You have the choice of leasing a full bare-metal server or using their hybrid cloud solutions that include AWS, Microsoft Azure, and Google Cloud Platform.
- Dedicated servers
- HIPAA audited
- 15-year-old company
- No out of the box HIPAA hosting
Who Needs to Comply with HIPAA?
Not everyone that works in healthcare is required to comply with HIPAA. Below is a list of the healthcare bodies that must comply with HIPAA:
- Nursing Homes
- Health Insurance Companies
- Company Health Plans
- Medicare and Medicaid
The Bottom Line
The fines for HIPAA are extortionate: per violation or record it’s £79 to £39,679. The maximum penalty is £1.2 million per year for each violation. So making sure you are fully covered, if you work as a healthcare professional, is essential. When you think about the possible fines, the cost of hosting seems like a tiny amount to pay for your peace of mind.