Selecting a HIPAA compliant hosting service can seem overwhelming, with literally hundreds of companies online claiming to be fully compliant with HIPAA. As a developer whose product contains personal health data, if you’re doing business in the US, you must work with a hosting vendor that is fully compliant with HIPAA, the major US law that protects the privacy and security of health data.
Most importantly, developers who deploy health-related apps must become HIPAA compliant themselves. And some hosting vendors will help facilitate your own HIPAA compliance in various ways, while others do not. This is a critical distinction, as the vendor you choose can help make your own HIPAA compliance far easier — if they are set up to do so.
So just what is a HIPAA compliant host, and what constitutes HIPAA compliant web hosting?
Since the recent changes to HIPAA in the HITECH Act, as of 2013, web hosting vendors who store, transmit, or receive health data are considered “Business Associates” (BAs) under HIPAA. While hosting firms don’t create new health data, if they process, transmit and receive “protected health information”, or “PHI” as HIPAA defines it, they are a BA under HIPAA and must become HIPAA compliant. Because a hosting company’s customer sites contain or process PHI, the hosting company, including its servers, databases, and all other system elements, must become HIPAA compliant. This means that HIPAA compliant hosts, like other HIPAA Business Associates, must satisfy all of HIPAA’s compliance requirements.
For a vendor to truthfully claim that they deliver HIPAA compliant web hosting, they must have implemented everything the HIPAA Rules and Regulations require. The vendor must also be able to document their compliance to third parties, such as customers like you, or the HIPAA enforcement agency, the HHS Office for Civil Rights (OCR).
So what are the compliance obligations for HIPAA compliant hosts? HIPAA compliance requirements fall into three broad categories, referred to as Administrative, Physical and Technical Safeguards.
- Administrative Safeguards — include risk assessment; specific policies and procedures; workforce training; emergency and disaster response plans; login monitoring; protection from malware; and password management.
- Physical Safeguards — include appropriate data backup and storage; media disposal and re-use processes; physical security for facilities and infrastructure; and contingency operations options.
- Technical Safeguards — include unique user IDs; automatic logoffs; encryption and decryption (for data in motion and at rest); authentication for PHI; audit controls; emergency access procedures; and data integrity controls.
There are hundreds of hosting companies on the Internet claiming to be HIPAA compliant, but not all of them offer truly HIPAA compliant web hosting. It takes extra work, time and financial resources to implement full HIPAA compliance, and many vendors cut corners to save money and time.
One of the things that separates HIPAA compliant hosting from non-compliant hosts is a vendor’s willingness to sign a so-called Business Associate Agreement (BAA). BAAs are a specific type of legal contract that HIPAA Regulations require to be in place between parties who receive, process, or exchange PHI. Many specific terms in BAAs are required, while other terms are sometimes added to or deleted. HIPAA permits this, as long the additions or deletions do not violate HIPAA’s general prohibitions or requirements.
When you’re shopping for a HIPAA compliant host, be aware that fully compliant vendors should understand terms like “Business Associate Agreement” or “BAA”, and they should be willing to sign BA Agreements with their customers. Don’t hesitate to ask vendors for evidence of their HIPAA compliance.
Vendors should be willing to share copies of their HIPAA-required policies and other documents that show that they have complied. If a vendor refuses to share their compliance documentation or sign a BAA with you, they may not be fully compliant with HIPAA, and you should look for another, truly compliant HIPAA hosting vendor.
Find out how each vendor helps facilitate your own HIPAA compliance, as their customer. Do they provide HIPAA policy templates for your use? Do they provide reliable guidance and advice on compliance? Do they understand Breach Notification? How familiar with HIPAA and its requirements are they really? Most hosting providers fall short on HIPAA knowledge and compliance extras, so it pays to shop around carefully.
Most important of all, understand that your own HIPAA compliance, for your company or app, will depend in part on the full HIPAA compliance of your hosting company. The health data in your apps and systems will flow through their systems. Be sure you understand exactly what kinds of HIPAA compliance benefits come with each vendor’s offerings. And finally, be sure your hosting vendor is fully compliant, so you can be as well.
Was this article helpful? Check out Tip #2 on HIPAA compliant databases, or subscribe below to get tips delivered straight to your inbox.