If you work with private health information in any form, you need to keep it protected. That means using HIPAA compliant hosting and/or email.
This will ensure your patient data is stored and transferred securely, and only authorized professionals can access it.
If you don’t comply with HIPAA, you can face fines ranging from hundreds of thousands to millions of dollars.
But do you need a full HIPAA-compliant web host, or just a HIPAA compliant email service? And if you do need a host, which one should you choose?
I’ve researched dozens of popular hosts to find the ones that have HIPAA compliance certification, and see if you can really trust them. I’ll walk you through your options so you can determine which one is best for you.
What is HIPAA Compliant Hosting?
Do you have a healthcare-related website? If someone just told you that you need HIPAA hosting but you’re not sure what that means, let me quickly summarize what you need to know.
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines how any healthcare entity that handles personal health information (PHI) must protect it.
You also might have heard mentions of HITECH, which was a 2010 act that extended HIPAA to apply to electronic personal health information (ePHI).
While the rules leave some leeway for the actual implementation, the bare minimum expectations for healthcare professionals are to:
- Ensure the confidentiality and integrity of any PHI or ePHI they receive, send, or store.
- Be proactive in identifying security threats and preventing them.
- Ensure that their workforce complies with security policies.
In reality, these standards typically result in the following types of security measures:
| Security Measure | What's Required |
| --- | --- |
| Risk Analysis and Management | Risk analysis to determine privacy and security risks, complete with documentation, and appropriate implementation of security measures. |
| Administrative Safeguards | Security training for staff, security personnel, and security policies. These must be evaluated to ensure they are used and effective. |
| Physical Safeguards | Secure facilities and workstations to prevent unauthorized access. |
| Technical Safeguards | Access, audit, and integrity controls that make sure no unauthorized users can access private data. |
That’s a lot of work for storing data, which is why it makes sense to find a hosting company that will do it for you.
Why You Need HIPAA Hosting
A HIPAA certified host takes those security measures and puts them into place for you.
Typically, that will consist of a set of policies and infrastructure for:
- Securing physical servers: All data in your hosting account (i.e. on your website) is stored on servers. These need to be secured from physical theft.
- Securing stored data: A combination of security measures implemented on your host’s servers that protect against malware, hackers, and other threats.
- Securing data transfer: When personal data is sent anywhere, the connection needs to be encrypted end-to-end.
- Reporting data breaches: If data is breached, the severity and event information must be logged and reported.
There’s a lot more that goes into being a HIPAA compliant host, but those are the main points.
You don’t need to personally understand or review every aspect yourself – that’s what you’re paying a hosting company to do.
Do You Really Need HIPAA Hosting?
HIPAA hosting is expensive, so you want to make sure that you actually need it before signing up for it.
You only need a HIPAA compliant server if you're storing, transferring, or processing personal health data on or through it.
If it’s all anonymous medical data, you’re not subject to the same HIPAA or HITECH regulations, and don’t need HIPAA hosting.
In addition, if you’re not storing any information, and only ever transfer it through email, you can specifically find HIPAA certified email services. These are much cheaper than a full hosting plan.
The Best HIPAA Compliant Web Hosts
Web hosts that want to become HIPAA compliant have to meet some steep security requirements. It shouldn’t be surprising that not many hosts are willing to make this commitment just to become certified. So, you don’t have a ton of options.
The good news is that the hosts that are HIPAA compliant are top notch. They already take security seriously in the first place.
Liquid Web – HIPAA and HITECH Certified
Liquid Web is known for a few things.
First, it doesn’t offer any “cheap” hosting plans – only managed, high-performance hosting.
Second, the Liquid Web support team is amazing. The staff is all trained in-house, and will go the extra mile whenever you have questions or problems. Some support agents are even trained to be HIPAA specialists.
Liquid Web has created hosting packages specifically designed to be HIPAA and HITECH compliant. A third-party audit from UHY LLP (an accounting firm) confirmed these claims.
I won’t go over everything that makes Liquid Web my top choice – or the top choice of many reviewers. Instead, let’s take a look at some of its HIPAA security features:
- Administrative, physical, and technical safeguards (the type that HIPAA requires)
- 24/7/365 on-site support and security personnel
- Uninterruptible power supplies (to keep your site up through power interruptions)
- Continuous backups to ensure no data loss
- Constant security scans and proactive measures
- Fully owned data centers with locked cabinets (not shared with other companies that could gain access)
Atlantic.net – A Reputable Host With a Focus on HIPAA Hosting
Based in the U.K., Atlantic.net has made HIPAA hosting one of its top focuses. It’s highlighted on its website, with plenty of different hosting options available (e.g., WordPress, cloud, dedicated, etc.) that are all HIPAA compliant.
All of Atlantic’s HIPAA hosting offerings have been audited to make sure they meet both HIPAA and HITECH standards. To learn more, read our expert review.
It seems to me that Atlantic is doing everything right for medical professionals:
- Backups and data storage are encrypted
- Constant vulnerability scans
- Fully managed firewalls and intrusion prevention services
- Offsite backups
- Multi-factor authentication to prevent unauthorized access
- Business associate agreement (a contract, required by HIPAA, under which Atlantic takes responsibility for server security and proper handling of the data it stores for you)
Rackspace – HIPAA Hosting for Enterprises
Founded in 1999, Rackspace specializes in managed hosting at the enterprise level, and has built up a solid reputation.
Many large companies like Delmar and Wyndham use Rackspace for hosting.
While it’s not as highlighted as it is on Liquid Web or Atlantic, Rackspace does offer HIPAA hosting, and it gets decent reviews.
Rackspace is HITRUST certified. When you request a quote, the company creates a custom hosting plan for you.
If you choose this plan, your hosting will come with:
- Regular reviews to make sure you’re still compliant
- 24/7/365 monitoring for security threats
- Full server protection service (i.e., firewalls, virus and malware scanning, log analysis, etc.)
- Regular data backups
- Two-factor authentication support
Rackspace’s staff will work with you to understand your specific situation and help you stay compliant.
If you just need HIPAA-compliant email, Rackspace also offers Microsoft Exchange email hosting. This email service offers sufficient encryption and tools to support HIPAA compliance. Microsoft also offers a Business Associate Agreement covering this service, which HIPAA requires when a vendor handles PHI on your behalf.
I’d recommend choosing the Exchange Online 2 plan for the tools and security necessary for HIPAA compliance. However, you will need to configure it correctly and ensure every user follows proper HIPAA procedures – Microsoft Exchange is not HIPAA-compliant out of the box.
Which HIPAA Host Is Best for You?
I don’t think you can go wrong with any of these three options. They all offer high-quality hosting, and are all HIPAA certified.
You can be confident that any one of these hosts will take care of their end of the agreement.
Still, one might be better than the other in different situations:
- In general, Liquid Web is my top recommendation. Its prices are fairly competitive, and its support team will help clear up any remaining confusion about HIPAA hosting.
- If you’re based in the U.K. and would like a host that’s also based locally, Atlantic.net is your best bet.
- Rackspace also offers email hosting that can be made HIPAA compliant, if this is all you need.
Since all these hosts require you to request a quote for HIPAA compliant hosting, you can always get a quote from all three and see which one is the best fit for your specific needs.