What is HIPAA Compliant Web Hosting?

When your healthcare client asks you to help them manage their website, it is important to consider what type of data will be filtered through their site. When a website allows protected health information to be input into it, through webforms or patient self-schedulers for instance, it needs to be HIPAA compliant. To ensure the privacy and security of patient information, the web hosting service used must also be HIPAA compliant.

But what determines whether a web hosting service is HIPAA compliant? HIPAA compliant web hosting really comes down to two things: are there measures in place to keep PHI private and secure, and will the web hosting provider sign a business associate agreement (BAA)?


HIPAA Compliant Web Hosting Security Requirements

The HIPAA Security Rule requires the confidentiality, integrity, and availability of protected health information (PHI). As such, there are minimum security measures that a web hosting service must offer to be considered HIPAA compliant.

HIPAA compliant web hosting services provide:

  • Encryption: although encryption is not specifically mandated by the HIPAA Security Rule, it might as well be. The Rule states, “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.” § 164.312(e)(2)(ii)
  • User authentication: user authentication is one of the required HIPAA technical safeguards; the Rule states that entities must, “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” § 164.312(d)
  • Access controls: HIPAA compliant web hosting providers must, “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.” § 164.312(a)(1)
  • Audit logs: providers are required to, “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” § 164.312(b)
  • Offsite data backup: to prevent loss of ePHI, the Security Rule also requires entities to, “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” § 164.308(a)(7)
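The audit log requirement above is about recording and examining activity, and the encryption, authentication, and access-control safeguards are what that examination should confirm. The following is an added example (not Compliancy Group's code, and not a requirement of the Rule) showing how a reviewer might run those checks over a web host's access log. The log format, the ePHI paths (`/patient-intake`, `/schedule`, `/admin/records`), the role names, and the extra `scheme=` and `role=` fields are all assumptions, and the sample lines are constructed.

```python
"""Review constructed access-log lines for the technical safeguards the
HIPAA Security Rule names: encryption in transit (164.312(e)(2)(ii)),
user authentication (164.312(d)), access control (164.312(a)(1)), and
audit review (164.312(b)).  Added example; the log layout, endpoints
and roles below are assumptions, not a standard or a vendor's format."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed combined-log-style line with two extra fields appended by the
# hosting platform: the request scheme and the authenticated user's role.
LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'scheme=(?P<scheme>\S+) role=(?P<role>\S+)'
)

# Paths that carry ePHI, mapped to the roles granted access (assumed).
PHI_PATHS = {
    "/patient-intake": {"patient", "nurse", "admin"},
    "/schedule": {"patient", "scheduler", "admin"},
    "/admin/records": {"admin"},
}

# Constructed sample log: one clean request, one plaintext unauthenticated
# form post, one role that should not reach admin records, one clean admin
# read, one non-PHI page, and one unparseable line.
SAMPLE_LOG = """
203.0.113.10 - jdoe [12/Mar/2024:10:01:02 +0000] "POST /patient-intake HTTP/1.1" 200 512 scheme=https role=patient
203.0.113.11 - - [12/Mar/2024:10:02:05 +0000] "POST /patient-intake HTTP/1.1" 200 480 scheme=http role=-
203.0.113.12 - msmith [12/Mar/2024:10:03:11 +0000] "GET /admin/records?id=77 HTTP/1.1" 200 9001 scheme=https role=scheduler
203.0.113.13 - aroot [12/Mar/2024:10:04:30 +0000] "GET /admin/records?id=77 HTTP/1.1" 200 9001 scheme=https role=admin
203.0.113.14 - jdoe [12/Mar/2024:10:05:00 +0000] "GET /about HTTP/1.1" 200 2048 scheme=http role=patient
garbage line that no parser should silently drop
"""


@dataclass
class Finding:
    line_no: int
    rule: str      # CFR citation the finding maps to, or "audit"
    detail: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def phi_path_for(path):
    """Map a request path (query string included) to its ePHI path, if any."""
    return next((p for p in PHI_PATHS if path.startswith(p)), None)


def review_access_log(text):
    """Walk the log, keep a per-user activity count for ePHI paths, and
    emit a Finding for each safeguard the line fails to demonstrate."""
    findings = []
    activity = Counter()
    for n, line in enumerate(text.strip().splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            # A line the audit mechanism cannot read is itself an audit gap.
            findings.append(Finding(n, "audit", "unparseable line; check log integrity"))
            continue
        phi_path = phi_path_for(rec["path"])
        if phi_path is None:
            continue  # non-PHI page; out of scope for these checks
        activity[(rec["user"], phi_path)] += 1
        if rec["scheme"] != "https":
            findings.append(Finding(n, "164.312(e)(2)(ii)",
                                    f"ePHI path {phi_path} served over {rec['scheme']}"))
        if rec["user"] == "-":
            findings.append(Finding(n, "164.312(d)",
                                    f"unauthenticated request reached {phi_path}"))
        elif rec["role"] not in PHI_PATHS[phi_path] and rec["status"].startswith("2"):
            findings.append(Finding(n, "164.312(a)(1)",
                                    f"role {rec['role']} succeeded on {phi_path}"))
    return findings, activity


if __name__ == "__main__":
    found, seen = review_access_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
    for (user, path), count in sorted(seen.items()):
        print(f"{user:>8} {path:<18} {count}")
```

Each finding carries the section of the Rule it relates to, so the output doubles as evidence for the risk assessment the encryption specification refers to; the activity counter is the "examine activity" half of § 164.312(b), giving a per-user view of who touched each ePHI path.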


Business Associate Agreements

Under HIPAA, web hosting providers are considered business associates when working with healthcare clients. Since a large part of HIPAA regulates how PHI is used and disclosed, healthcare businesses must have a signed business associate agreement (BAA) with their web hosting provider. A BAA must be secured before the website is live and able to accept patient information. HIPAA compliant web hosting services will generally have a BAA available to healthcare clients upon request. Providers that are unwilling or unable to sign a BAA are not HIPAA compliant web hosting providers.

Ensuring HIPAA Compliant Use

One of the most important factors in whether or not a technology can be considered HIPAA compliant comes down to how it is utilized. 

As such, before implementing any new technology, organizations must:

  • Amend their HIPAA policies and procedures to account for changes in business operations that result from adopting new technologies.
  • Train employees who will use the new technology on how to do so appropriately. Each time policies and procedures are amended, it is important to make the affected staff aware of how the change affects patient privacy and security.