Whether you're looking for a comprehensive managed hosting solution for your HIPAA servers or an unmanaged hosting service, we can assist you with all your HIPAA compliance hosting needs. Our high-performance Website, Database and Storage servers are available in both Dedicated and Cloud environments and backed by our 100% uptime guarantee.
HIPAA Compliant Hosting requirements checklist
Implementing HIPAA compliance can be complicated. HIPAA compliance hosting it involves piecing together server hosting with security and managed services. This also means that the end solution would include a Business Associates Agreement.
We have compiled an easy, solution-oriented HIPAA web hosting requirements checklist, in accordance with the HIPAA Privacy Rule and Security Rule.
Below is an eight-part checklist of HIPAA Compliant Hosting requirements and Atlantic.Net can help provide all these components to help deliver a HIPAA Compliant Server Hosting Solution:
Atlantic.Net has expanded and enhanced its Infrastructure as a Service (IaaS) platform in order to allow for customizations based on specific industries. Atlantic.Net combines a world-class physical offering with a world-class team of engineers and has no peers who provide a total “peace of mind” solution. Depending on the weight of your traffic, potential to scale, number of domains, and your security needs, our dedicated consultants stand ready to evaluate your business goals to help you choose the right web hosting solution for you.
HIPAA Hosting Requirements
This section covers all the standard HIPAA requirements with enough detail for a general picture of what you need.
Here are the eight elements you need for a HIPAA compliant hosting environment for HIPAA Web Hosting, HIPAA Database Hosting, HIPAA Storage Hosting, or other HIPAA hosting setups:
This page was updated on September 10, 2019.
Firewall
Essentially, you need to have firewalls fully implemented on your site. There are three basic types of firewalls: hardware firewalls, software firewalls, and web application firewalls (WAFs). Typically, an infrastructure has a combination of hardware and software firewalls, along with ones specifically designed for web applications, because apps create their own unique challenges and have become such a frequent target for intrusions. Making sure that technology is system-wide is one of the HIPAA compliant server requirements.
What is a firewall?
Firewall is actually a kind of broad term. It refers to a hardware or software system (i.e., physical component or an app) that is used to secure a network, via a set of rules that control the traffic that’s entering and exiting it.
\
The hardware/software distinction is just one way to categorize firewalls, though. As indicated in the US Department of Commerce’s NIST firewall guidelines (Special Publication 800-41), and as expanded by TechTarget, five primary types of firewalls are application-level gateways (proxies), circuit-level gateways, multilayer inspection firewalls, packet-filtering firewalls, and stateful inspection firewalls.
Encrypted VPN
The VPN needs to be encrypted, and you want it to be strong. Not all VPNs are the same, so do your homework.
What is an encrypted VPN?
An encrypted VPN is technology that essentially creates a tunnel between two devices (typically the server and the client). The data is encrypted entering the tunnel and decrypted as it exits it.
There are a couple of standard encryption protocols for VPNs other than SSL, IPsec (Internet Protocol Security) and GRE (generic routing encapsulation). GRE gives you a framework with which you’re able to package and transport via IP.
Offsite backups
You want to have your data backed up in an external location. This requirement is a reasonable
way to ensure all the EMRs are safe. Note how many of these requirements are probably already in
place for your company. Very little is required additionally to the security parameters that
most enterprises and many SMBs already have up and running. Again, HIPAA Compliant Hosting
Services must meet this and the other HIPAA compliant hosting requirements as well.
What are offsite backups?
Offsite backups are a security tactic and disaster recovery technique that means data, and in some cases software, is being stored at a remote location from the company. Offsite backups are also called offsite data backups or offsite data protection – albeit, the latter really denoting the safeguards of the external environment. Offsite backups are simply a distribution or diversification method to prevent total loss of your valuable ePHI (electronic protected health information).
Multifactor authentication
On all parts of your site (from the administrative control panel associated with the server to
your CMS to the operating system running throughout the network), you need MFA ( multifactor
authentication). Multifactor authentication is simple and fast to establish, similar to the
other HIPAA compliant server requirements. You just go into the control panels for each of your
various systems and make the configuration changes. Be aware that you need to get everyone
prepared for this change so your business continuity is intact: everyone should be able to
access the system throughout. You just need everyone’s phone numbers if you’re using mobile as
the second point of contact. Plus, make sure they have an MFA app installed before making the
transition if you are using an authenticator tool. Many of the systems you’ll see will be based on
Google Authenticator
, which will require everyone to have that app installed on their cell phones; though there are
plenty of other brands
you can choose.
What is MFA?
Multifactor authentication, which goes by MFA, is a security check that uses two different forms of authentication to confirm the identity of the user. MFA is a stronger evolution of SFA (single-factor authentication), which only authenticates in one manner, usually via a password matching the username provided.
Private Hosted Environment
You cannot have a platform that shares resources with any other entities if you want to achieve HIPAA compliant server requirements. Working with a hosting provider with experience related to properly privatizing your infrastructure obviously helps.
What is a private hosted environment?
What's meant by a private hosted environment is your servers are reserved solely for your use. That’s the key point and refers to Atlantic.Net’s Cloud Hosting or dedicated hosting servers.
In a private hosted environment, the data is all in its own place, so it is not being shared or intermingled with the information of other apps or hosting users.
Atlantic.Net trusts and utilizes DUO for Multifactor authentication.
SSL certificates
You need secure sockets layer (SSL) certificates established throughout your site, for any
domains and subdomains on which sensitive information is accessed. In other words, any parts of
your site that need login credentials should always also have an SSL. Each server used for your
site needs its own SSL certificate installed. Note that some companies provide certificates that
can be installed on multiple or unlimited servers. Also, be aware that an EV certificate,
creating a green address bar, and/or respected brand name such as Norton or GeoTrust, can help
increase trust and credibility for your system. Less costly certificates can be purchased from
Comodo, GoDaddy, etc.
What is an SSL certificate?
An SSL (secure sockets layer) certificate is software that creates encryption of data
during transmission and validates ownership of the certificate to varying degrees.
Groups called certification authorities (CA’s), which typically have very high reputations
for security, issue these certificates.
SSL certificates come in three main levels of validation: domain validation (DV),
organization validation (OV), and extended validation (EV). All certs create https
protocol and a lock icon, along with brief information available to all web users. EV is
represented by the green address bar indicators in all major browsers. SAN certificates
and wildcards certs are other types.
SOC 2 TYPE II and SOC 3 TYPE II Certifications
Note that Statement on Standards for Attestation Engagements (SSAE) 18, created by the
American Institute of Certified Public Accountants (AICPA)
, is more stringent, in some ways, than HIPAA is regarding security.
It’s not a requirement for HIPAA, but seeing that certification should make you feel more
confident that a company meets HIPAA compliant hosting requirements.
What is SSAE 18 Certification?
SSAE 18 certification entails an official review and audit that verifies you are meeting
all parameters of
Statements on Standards for Attestation Engagements
No. 16, a standard developed by the AICPA (American Institute of Certified Public
Accountants) via its ASB (Auditing Standards Board).
This standard provides guidance on best practices through which organizations can report
on their compliance control, as gauged through a formal audit.
In addition, HIPAA and HITECH Audits are also growing. Here at Atlantic.Net, our
infrastructure is not only SOC 2 TYPE II and SOC 3 TYPE II certified but also fully
audited for HIPAA and HITECH compliance. These audits are conducted on an annual basis
through a third party independent auditor, who verify and attest to controls, checks and
balances of the infrastructure, as it relates to logical and physical controls and security.
Business Associate Agreement (BAA)
If you use any outside entity to assist with your EMR,
including a hosting company, you must have a BAA signed with that organization.
That document does not clear you of your own responsibilities related to HIPAA, but it does
delineate the role that the hosting company takes and ways in which they should be held liable
for any breaches, etc.
What is a BAA (business associate agreement)?
A HIPAA business associate agreement is a legal contract between a HIPAA covered entity
and business associate, as defined via the US Health Insurance Portability and
Accountability Act of 1996. These agreements safeguard ePHI (electronic protected health
information), which is the sensitive personal data and records of patients.
Covered entities are healthcare providers, plans, and data clearinghouses, while business
associates are any organization doing business with covered entities in a manner that
involves ePHI.
HIPAA Web Server Hosting
Atlantic.Net HIPAA Web Server Hosting offers ultra-fast data processing speeds,
HIPAA-compliant web hosting features and minimal risk of data crashes. The fast loading
speeds of our highly available servers come with security safeguards, high performance, and
guaranteed reliability. Faster servers mean faster websites.
Ensures internal controls and best practices for physical security, availability,
processing integrity, confidentiality, and privacy.
HIPAA Audited
Ensures that our processes, policies, facilities, and hosting solutions comply with the latest
HIPAA Audit Protocols.
HITECH Audited
Stringent testing that continues to expand to comply with HITECH Act policies and protocols.
Our Technology Partners
HIPAA Hosting Features
Business Associate Agreement
Intrusion Prevention Service
Fully Managed Firewall
Vulnerability Scans
File Integrity Monitoring
Anti-Malware Protection
Log Management System
Highly Available Bandwidth
Linux & Windows Servers
Encrypted Backup
Encrypted VPN
Encrypted Storage
Our Data Center Certifications
Dedicated to Your Success
– Jason Coleman
VP of Information Technology, Orlando Magic
"After evaluating a range of managed hosting options to support our data operations, we chose
Atlantic.Net because of their superior infrastructure and extensive technical knowledge."
- Erin Chapple
General Manager for Windows Server, Microsoft Corp.
"Atlantic.Net’s support for Windows Server Containers in their cloud platform brings additional
choice and options for our joint customers in search of flexible and innovative cloud services."
Share your vision with us, and we will develop a hosting environment tailored to your needs!
Contact an advisor at 888-618-DATA (3282) or fill out the form below.
We use cookies for advertising, social media and analytics purposes. To learn more about our use of cookies, please visit our Privacy Policy. You can update your cookie settings at any time.
Privacy Overview
We use cookies for advertising, social media and analytics purposes. Read about how we use cookies in our updated Privacy Policy.
If you continue to use this site, you consent to our use of cookies and our Privacy Policy.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses analytics software to collect anonymous information such as the number of visitors to the site and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
