Expert Guide to HIPAA Compliant Hosting

HIPAA Compliant Hosting is a must for healthcare workers. The stakes are simply too high when storing lots of sensitive patient data, to risk the information falling into the wrong hands. Making sure that your hosting is HIPAA compliant goes a long way to ensure that patient data is stored safely and complies with current legislation.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was put in place to keep patient data safe and secure. This means that data transferred or stored must adhere to the strict rules set out in the HIPAA legislation guidelines. 

One thing that becomes difficult when looking for HIPAA compliant hosting is finding reliable hosting at a low cost. Other requirements, such as – HIPAA email hosting, HIPAA cloud hosting, HIPAA databases and whether your business requires HIPAA dedicated hosting are also important.

Finally, you’ll need a host that offers FTP security, so that when you are transferring data to and from your host – the data is kept secure. 

In this article, we’ll explore everything that you need to know about HIPAA compliant hosting and some hosting providers that offer high-quality solutions.

What are the 3 Components of HIPAA Law?

The HIPAA legislation covers your entire organization. The law also states that employees should be aware of the HIPAA law, so training is advisable for everyone who works in the healthcare sector. The 3 main components of the HIPAA law can be summarised as follows:

1. Policies

2. Record keeping

3. Technology

Your host has a big part to play in all three areas. As they will be providing technology that must comply, holding records that must be stored securely and all parts must adhere to strict policies. Furthermore, you need to think about every single piece of data that is transferred online and whether it adheres to the strict HIPAA legislation. Otherwise, you’ll be at risk of incurring a financial penalty.

The 18 HIPAA Identifiers

HIPAA legislation protects “individually identifiable information” both at rest and in transit, this is known as Protected Health Information (PHI). There are 18 key identifiers that must be protected as follows:. Name

3. Address

4. Dates related to an individual 

5. Telephone numbers

6. Fax number

7. Email address

8. Social Security Number

9. Medical record number

10. Health plan beneficiary number

11. Account number

12. Certificate or license number

13. Vehicle identifiers and serial numbers, including license plate numbers

14. Device identifiers and serial numbers

15. Web URL

16. Internet Protocol (IP) Address

17. Finger or voice print

18. Photographic image 

19. Uniquely defining characteristics 

As you can see, that’s a lot of information to keep track of!

What is a HIPPA violation?

Before we get into the best hosting providers that offer a HIPAA compliant service, let’s look at what a HIPPA violation is and why it’s important to avoid this. 

Normally HIPAA violations incur large financial penalties. The main thing you need to watch out for is that you’ve successfully performed organization-wide risk analysis. Doing this identifies risks to confidentiality, integrity, and availability of protected health information (PHI), It’s also imperative to enter into a HIPAA-compliant business associate agreement (BAA).

What are the HIPAA Compliant Hosting Requirements?

… and who needs to comply with the HIPAA legislation?  

The legislation sets standards for electronic healthcare transactions and how patient records are handled. HIPAA covers a wide range of sensitive information. For example appointments, treatment information, healthcare records, and medical health histories.

There are certain precautions that must be made to ensure that people who are storing, controlling, disposing, and providing access to medical records do so in a way that ensures their safety and privacy is kept intact. Businesses that work closely with a healthcare company are also required to adhere to the legislation. As such, hosting providers must be HIPAAcompliantt to work with a Healthcare Organization legally. 

What are the Encryption Requirements for HIPAA?

When selecting a HIPAA certified host they must follow strict encryption and decryption guidelines, as follows:

• Encryption and Decryption – 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronically protected health information.
• Encryption – 164.312(e)(2)(ii): Implement a mechanism to encrypt electronically protected health information whenever deemed appropriate.

These requirements were taken from hipaacentral.com.

As you can see HIPPA hosting complex and a must for anyone working in the healthcare sector. Let’s dive into the best HIPPA Compliant hosts:

Best HIPAA-Compliant Web Hosting

1. LiquidWeb.com (£238 per month)

BEST FOR – Flexible Hosting, Ideal for Large Healthcare companies in the US or Europe

LiquidWeb offers cloud dedicated servers, and cloud-based virtual private servers (VPS). They even offer 2 pre-configured HIPAA-friendly packages that you can select and use straight out of the box. This is a lifesaver if you don’t have the time or resources to configure your server.  For some reason, many hosts require you to call them up and discuss your requirements. Great for some people… sure, but not everyone has time for that. I’d expect my HIPAA compliant host to be automated, and for this reason, LiquidWeb comes up top of our list. 

Alternatively, you can also work directly with one of Liquid Web’s specialists to create a customized plan. They are particularly great when it comes to managed dedicated server hosting. LiquidWeb offers instant provisioning, so if you choose to go with LiquidWeb, you’ll be up and running in minutes. Bonus!

LiquidWeb has a world-class customer support team that is both knowledgeable and quick to respond.  They have a really cool customer support offering name – “24/7 Heroic Support®” where the staff is always available when you need them – via phone, chat, and email.

The company owns five state-of-the-art data centers in both the US and Europe. One thing that I love about LiquidWeb is their 100% uptime guarantee, certainly not something I come across very often. And a great feature for Healthcare workers who can’t afford to waste time waiting for data to arrive, especially in emergency situations. Data is also backed up and monitored, as well as balanced with their block storage and load balancer add-ons. 

World Class HIPAA Dedicated Servers

As well as cloud hosting, LiquidWeb also offers HIPAA-Compliant Dedicated Server hosting. Meaning you can go ahead and order a dedicated server with LiquidWeb and ask for it to be made HIPAA compliant – Can’t say better than that!. This is especially useful for larger organizations that require a lot of space and flexibility with their hosting. 

Their dedicated servers are fully customizable and built-to-order. LiquidWeb offers a wide variety of both Linux or Windows operating systems for your server to run on. 

Best HIPAA FTP Hosting

When it comes to transferring your sensitive files to your server, this process must also be HIPAA compliant. FTP hosting and file transfer is covered when you decided to go with LiquidWeb as they offer a “ServerSecure” platform that adheres to the encryption standards and audit controls required to comply with HIPAA legislation. LiquidWeb has also been externally audited to ensure that it complies with both HIPAA and HITECH legislation. This gives extra peace of mind. 

LiquidWeb HIPAA Compliant Packages and Prices

It’s complicated to put a hard and fast price on HIPAA hosting as every company has different requirements. However, LiquidWeb gives a base level cost as follows:

• Single Server HIPAA Hosting – Linux starting at £238, Windows starting at £285
• Multiple Server HIPAA Hosting – Linux starting at £625, Windows starting at £760

Click Here To Visit Liquidweb

Pros

• 24x7x365 support
• 14 Data Centers
• 100% guarantee that you’ll pass audits

Cons

• Don’t publicly display prices

Who offers the Best HIPAA-Compliant Email Hosting?

Sending healthcare information via email is allowable, according to HIPAA. This’s surprising, as sending and receiving messages can be notoriously insecure. To ensure your email is HIPAA compliant you must ensure that your email host offers end to end encryption, that they’ll sign a business associate agreement with you, configure your email correctly and then you must also train all employees how to make sure that their emails are protected. 

HIPAA compliant email hosting is focused on secure encryption, audits, and integrity controls that protect data in transit. GoDaddy offers robust, secure HIPAA compliant email hosting services.

3. GoDaddy.com (£6.74 per user/mo)

BEST FOR – Affordable and easy to use, professional HIPAA Compliant Email Hosting

Godaddy offers two HIPAA compliant hosting packages as follows:

• Microsoft Office 365
• Business Premium

You’ll need to activate your mailbox and agree to the Office 365 Business Associate Agreement to take advantage of HIPAA email hosting from Godaddy. The HIPAA email hosting from GoDaddy is easy to use, there is no front-facing difference to their HIPAA email hosting – the only alteration (that you don’t see or feel) is that there are strong encryption, security and privacy features running in the background. 

GoDaddy HIPAA Email Hosting Plans & Pricing 

All of the email plans from GoDaddy offer 1TB secure storage

• Online Essentials – £6.74 per user/mo
• Business Premium – £9.32 per user/mo,  can be installed on up to 5 devices
• Advanced Security – £13.28 per user/mo, includes business apps – however, these apps would all have to be checked and approved for HIPAA compliance. 

Click Here To Visit Godaddy

Pros

• Cheap
• Easy to use
• Setup in minutes
• Professional email name
• Spam filtering
• HIPAA-compliance features with premium plans
• 99.9% uptime guaranteed
• Fast & Secure

Cons

• Need to pay for each individual user

PRO TIP: Remember to sign the BAA to activate your HIPAA compliant email hosting. 

4. Amazon Web Services (AWS) (Free++)

Best for – Cheap, SEO-friendly PHP Hosting

If you’re looking to host with a renowned cloud hosting platform, then Amazon Web Services (AWS) could be for you. AWS use the common HITRUST Security Framework to ensure that their services comply with HIPAA and HITECH legislation. AWS is great as you can get up and running for free and scale to mammoth proportions. 

If you are not technically minded, the AWS will be extremely complicated. In fact, I’ve known seasoned developers who struggle with setting up services inside AWS. They have so many settings and unique names for things, the whole process of getting your cloud hosting off the ground with AWS can be daunting. For this reason, you could find an AWS expert or partner to create your cloud server account for you. Again make sure that you’ve signed a BAA with AWS to ensure that you are HIPAA compliant.

Click Here To Amazon

5. Rackspace (contact for pricing)

BEST FOR –  Amazing customer support & HIPAA-Ready Solutions for Healthcare

Texas-born Rackspace has been around since the internet was officially unveiled and available to the public. Founded in 1996, Rackspace is now the trusted host for half of the Fortune 100 fastest growing companies in the US. More importantly, Rackspace offers end-to-end HIPAA compliance and are experts in the space.

Like LiquidWeb, Rackspace takes their customer so seriously, they’ve trademarked the signature name “Fanatical Support™” – and they use Net Promoter to track customer satisfaction. Rackspace is available 24/7/365 via phone, email, and chat. No matter what kind of hosting you need, you’ll find it with Rackspace. They offer public, private, hybrid, and multi-cloud services. Again you need to give them a call to get a quote. 

Click Here To Visit Rackspace

6. OVH

BEST FOR – Blazingly fast and secure HIPAA cloud hosting in the US

OVH is a massive worldwide host based in Roubaix, France. They have 27 data centers located in  19 countries all around the world. This is great news if you are looking for fast servers, because the closer they are to your physical location, the quicker they’ll load. 

OVH has a whopping 300,000 servers across all of its data centers. OVH has invested in next-gen tech so that they can deliver blazingly fast and secure services. Unfortunately, if you’re looking for HIPAA compliant hosting you’ll need to opt for one of their US servers as they are the only ones that  have been certified by HIPAA.

The OVH hosting package – vCloud Air is the package you want to look out or if you’re on the hunt for HIPAA compliant cloud hosts. OVH states that the following products and servers have been tested for HIPAA compliance. 

Products:

• Dedicated Servers
• Hosted Private Cloud
• Public Cloud Services

US data centers:

• Vint Hill, Virginia (East Coast)
• Hillsboro, Oregon (West Coast)

Click Here To Visit OVH

7. Atlantic.Net

BEST FOR – Security-conscious, easy to use HIPAA hosting

Another company that has been around since the dawn of the internet (1994) is Atlantic.net. Founded by university students in Orlando Florida, Atlandtic.net has come a long way.  All of the servers from Atlantic.net, whether cloud, website or databases have been independently audited. Again they offer a brilliant 100% uptime guarantee, which is essential for mission-critical sensitive data. One thing that Atlantic.net excels at is making its solutions simple and easy to use. 

Atlantic.net uses an encrypted VPN to tunnel your information through save channels as well as multi-factor authentication, SSL certificates for added security. Atlantic.net has servers all over the world, specifically in the US and UK. 

Click Here To Atlantic

8. Inap (Tailored plans)

BEST FOR – Innovative hosting

Inap, previously known as “SingleHop” is a hosting provider that has grown rapidly since its beginnings, as a shared server host in 2006. Inap is a US hosting provider that focuses on automation and innovation.  What is a bit odd is that they require you to contact them to set up your hosting, which seems a bit slow and not automatic? 

Inap partners with the leading compliance experts AlertLogic so that they can deliver unparalleled security and HIPAA compliance. 

If you want to use Inap for your HIPAA compliant hosting, then you’ll need to “hop” over (pardon the pun) and have a 30-minute review to ascertain your business needs. Inap offers users an account management features and lots of security features like DDoS protection.

Click Here To Inap

9. Colocation America (£62.70 per month)

BEST FOR – Cost-effective, US HIPAA  bare-server or hybrid cloud servers

Colocation America offer secure dedicated servers that comply with all of the HIPAA requirements, and they passed their recent Audit.  The features they use for this include a dedicated firewall, diligent monitoring, encryption, and a disaster recovery plan. Colocation America has 22 data centers, also offers a  nice 100% uptime guarantee.

Colocation America focuses on providing storage, hardware and connectivity over a robust infrastructure. You have the choice of leasing a full bare-metal server or using their hybrid cloud solutions that include AWS, Microsoft Azure, and Google Cloud Platform.

Click Here To Colocation America

Who Needs to Comply with HIPAA?

Not everyone that works in healthcare is required to comply with HIPAA. Below is a list of the healthcare bodies that must comply with HIPAA:

• Doctors
• Clinics
• Hospitals
• Psychologists
• Chiropractors
• Nursing Homes
• Pharmacies
• Dentists
• Health Insurance Companies
• Company Health Plans
• Medicare and Medicaid

The Bottom Line

The fines for HIPAA are extortionate, per violation or record it’s £79 to £39,679. The maximum penalty is £1.2 million per year for each violation. So making sure you are fully covered, if you work as a healthcare professional is essential. When you think about the possible fines, the cost for hosting seems like a tiny amount, for you to pay for your peace of mind.