HIPAA-Compliant Web Hosting: Questions to Ask When Looking for a Provider

If your organization deals with electronic protected health information (ePHI), it needs to be using a HIPAA-compliant web hosting provider to keep its data safe and comply with HIPAA regulations. This applies to both healthcare providers and any business associates that are involved in processing, storing, or transmitting data.

Finding the right provider can be a complex process. The regulations themselves can seem vague, and it’s hard to know which security practices are important for keeping the information protected and your business safe from HIPAA violations.

To make the arduous process of finding the right provider a little bit easier, here’s a list of the questions that your organization should ask potential web hosting providers.

Is the Provider Actually HIPAA-compliant?

The first question you need to ask is whether the provider offers a HIPAA-compliant infrastructure for your websites. Many of the most common hosting providers, such as Bluehost and DreamHost, aren’t compliant with the regulations. Ask this question first to make sure that you don’t waste your time with those that can’t meet your needs.

You also need to make sure that the provider is willing to sign a business associate agreement (BAA) with your organization, because these are required by law for any third party involved in processing your ePHI.

Which Platforms Are Supported?

It’s important to make sure that the service provider is compatible with the CMS that you use. If your organization already has a WordPress, Joomla, or Drupal site, you want to make sure that your new provider can accommodate it so that you don’t have to redo your website.

Which Security Practices Are in Place & How Does the Provider Meet HIPAA Regulations?

Don’t take a potential provider’s word for it when it says that it’s HIPAA compliant. Find out what it actually offers and how it meets the regulations. Some of the key questions to ask are:

  • Does it offer SSL/TLS for your site?
  • How are the firewalls configured?
  • Which security tools does it offer?
  • What kind of server monitoring is in place?
  • Does it provide any automated server attack remediation systems?
  • Which access control measures are used?
  • Are servers shared with other businesses or do you get your own dedicated server?
  • Are backups included?
  • Does it offer full-disk encryption?
  • Does the service include intrusion detection systems and anti-virus scanning?
  • How is ePHI disposed of when it is no longer needed?
  • What disaster recovery plans are in place? There may be a variety of options to meet a variety of needs.
  • How are server operations staff, who may come into contact with your PHI, managed and trained to be sure that the organization maintains HIPAA compliance?


What Does the Provider Take Care of & What Are Your Organization’s Responsibilities?

Before your organization enters into an agreement with a web hosting provider, it’s important to understand which party is responsible for what. A good web host should take care of patch management, securing the server environment, and server monitoring, while your organization will generally be responsible for the security and compliance of its website and any applications it may have.

It’s important to find this out ahead of time and make sure that each party’s scope of responsibility is clearly defined and documented.

What Kind of Security Audits Are in Place?

Even if a provider says that it uses industry best practices, it doesn’t necessarily mean that it’s compliant and secure. It’s important for the provider’s systems to be audited frequently to make sure that its organization, processes, and technology are actually effective.

A good provider should undertake risk analyses, penetration tests, and HIPAA reviews. On top of its own internal reviews, it should also engage third-party auditors to make sure that its systems are truly secure and compliant.

Finding the Right HIPAA-compliant Web Hosting Provider for Your Organization

Finding a suitable HIPAA-compliant web hosting provider can be a challenging process, but these questions should help point you in the right direction. If you’re still struggling to find a provider, consider a HIPAA specialist like LuxSci, which has nearly 20 years of experience in providing secure and compliant services.

This is a guest post written on behalf of LuxSci.