HIPAA Compliant Hosting

HIPAA Compliant Server Hosting

Start Your HIPAA Project with a Free Fully Audited HIPAA Platform Trial!

Trusted By Over 15,000 Businesses

Our Clients

Start Your HIPAA Project with a Free Fully Audited HIPAA Platform Trial!

HIPAA Compliant Compute & Storage, Encrypted VPN, Security Firewall, BAA, Offsite Backups, Disaster Recovery, & More!

Start My Free Trial

Looking for HIPAA Compliant Hosting?

We Can Help with a Free Assessment.

  • IT Architecture Design, Security, & Guidance.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now!
Stevie Gold Award Med Tech Award

SOC Audit HIPAA Audit HITECH Audit

Case Studies

White Papers


HIPAA Partners

HIPAA Compliant Hosting Solutions

HIPAA Compliant Hosting by Atlantic.Net™ is SOC 2 TYPE II and SOC 3 TYPE II certified, HIPAA and HITECH audited, designed to secure and protect critical healthcare data, and electronic protected health information (ePHI) and records. Our HIPAA Hosting Solutions have been audited by a qualified independent third party auditing firm, demonstrating our commitment to providing the best IT security and top-notch compliance solutions.

Whether you're looking for comprehensive, fully managed HIPAA compliant hosting solutions for your HIPAA servers or unmanaged hosting service, we can assist you with all your HIPAA compliance hosting needs. Our high-performance Website, Database and Storage servers are available in both Dedicated and HIPAA Compliant Cloud environments and backed by our 100% uptime guarantee.

HIPAA Compliant Hosting requirements checklist

Implementing HIPAA compliance can be complicated. HIPAA compliance hosting involves piecing together server hosting solutions with security and managed services. This also means that the end solution would include a Business Associates Agreement.

We have compiled an easy, solution-oriented HIPAA web hosting requirements checklist, in accordance with the HIPAA Privacy Rule and Security Rule.

Below is an eight-part checklist of HIPAA Compliant Hosting requirements hosting providers should meet; Atlantic.Net can help provide all these components to help deliver HIPAA Compliant Server Hosting Solutions:

Why Choose Atlantic.Net

Why Choose Atlantic.Net?

Atlantic.Net has expanded and enhanced its Infrastructure as a Service (IaaS) platform in order to allow for customizations based on specific industries like the healthcare industry. Atlantic.Net combines a world-class physical offering with a world-class team of engineers and has no peers who provide a total “peace of mind” HIPAA compliant hosting solution. Depending on the weight of your traffic, potential to scale, a number of domains, and your company security needs, our dedicated consultants stand ready to evaluate your business goals to help you choose the right web hosting solutions for you.

What is HIPAA Compliant Hosting?

HIPAA compliant hosting is a web hosting solution that meets and exceeds the required physical, administrative, and technical safeguards mandated by the HIPAA regulations of 1996, including the subsequent Security Rule and Privacy Rule amendments of 2003. Managed service providers, covered entities, and relevant third parties are bound by these regulations to protect and uphold patient data integrity. As an experienced HIPAA compliant hosting partner, Atlantic.Net has an extensive history of building, managing, and maintaining a robust healthcare IT platform and HIPAA compliant cloud environment, one that is inherently secure and designed from the ground up to protect electronic patient health information (ePHI). Our customers can directly plug into this service knowing that ePHI data integrity is protected.

HIPAA Hosting Requirements

This section covers all the standard HIPAA compliant hosting requirements with enough detail for a general picture of the solutions your company needs.

Here are the eight elements you need for a HIPAA compliant hosting environment for HIPAA Web Hosting, HIPAA Database Hosting, HIPAA Storage Hosting, or other HIPAA hosting setups:

This page was updated on May 11, 2020.

HIPAA-Compliant Firewall


Essentially, you need to have firewalls fully implemented on your site. There are three basic types of firewall solutions: hardware firewalls, software firewalls, and web application firewalls (WAFs). Typically, infrastructure has a combination of hardware and software firewalls, along with solutions specifically designed for web applications, because apps create their own unique challenges and have become such a frequent target for intrusions. Making sure that technology is system-wide is one of the HIPAA compliant server requirements.

What is a firewall?

A firewall is actually a kind of broad term. It refers to a hardware or software system (i.e., physical component or an app) that is used to secure a network, via a set of rules that control the traffic that’s entering and exiting it.

The hardware/software distinction is just one way to categorize firewalls, though. As indicated in the US Department of Commerce’s NIST firewall guidelines (Special Publication 800-41), and as expanded by TechTarget, five primary types of firewalls are application-level gateways (proxies), circuit-level gateways, multilayer inspection firewalls, packet-filtering firewalls, and stateful inspection firewalls.

HIPAA-Compliant Encrypted VPN

Encrypted VPN

The VPN needs to be encrypted, and you want it to be strong. Not all VPNs are the same, so do your homework.

What is an encrypted VPN?

An encrypted VPN is a technology that essentially creates a tunnel between two devices (typically the server and the client). The data is encrypted entering the tunnel and decrypted as it exits it.

There are a couple of standard encryption protocols for VPNs other than SSL, IPsec (Internet Protocol Security), and GRE (generic routing encapsulation). GRE gives you a framework with which you’re able to package and transport via IP.

HIPAA-Compliant Offsite Backups

Offsite backups

You want to have your data backed up in an external location, such as external HIPAA data centers. This HIPAA compliant hosting requirement is a reasonable way to ensure all the EMRs are safe. Note how many of these requirements are probably already in place for your company. Very little is required additionally to the security parameters that most enterprises and many SMBs already have up and running. Again, HIPAA Compliant Hosting Services must meet this and the other HIPAA compliant hosting requirements as well.

What are offsite backups?

Offsite backups are a security tactic and disaster recovery technique that means data, and in some cases software, is being stored at a remote location from the company (frequently offsite data centers). Offsite backups are also called offsite data backups or offsite data protection – albeit, the latter really denoting the safeguards of the external environment. Offsite backups are simply a distribution or diversification method to prevent total loss of your valuable ePHI (electronic protected health information).

HIPAA-Compliant MultiFactor Authentication

Multifactor authentication

On all parts of your site (from the administrative control panel associated with the server to your CMS to the operating system running throughout the network), you need MFA ( multifactor authentication). Multifactor authentication is simple and fast to establish, similar to the other HIPAA compliant server requirements. You just go into the control panels for each of your various systems and make the configuration changes. Be aware that you need to get everyone prepared for this change so your business continuity is intact: everyone should be able to access the system throughout. You just need everyone’s phone numbers if you’re using mobile as the second point of contact. Plus, make sure they have an MFA app installed before making the transition if you are using an authenticator tool. Many of the systems you’ll see will be based on Google Authenticator, which will require everyone to have that app installed on their cell phones; though there are plenty of other brands you can choose.

What is MFA?

Multifactor authentication, which goes by MFA, is a security check that uses two different forms of authentication to confirm the identity of the user. MFA is a stronger evolution of SFA (single-factor authentication), which only authenticates in one manner, usually via a password matching the username provided.

HIPAA-Compliant Private Hosted Environment

Private Hosted Environment

You cannot have a platform that shares resources with any other entities if you want to achieve HIPAA compliant server requirements. Working with a HIPAA compliant hosting provider with experience related to properly privatizing your infrastructure obviously helps.

What is a private hosted environment?

What's meant by a private hosted environment is your servers are reserved solely for your use. That’s the key point and refers to Atlantic.Net’s Cloud Hosting (including HIPAA compliant cloud solutions) or dedicated hosting servers.

In a private hosted environment, the data is all in its own place, so it is not being shared or intermingled with the information of other apps or hosting users.

Atlantic.Net trusts and utilizes DUO for multifactor authentication solutions.

HIPAA-Compliant SSL Certificate

SSL certificates

You need a secure sockets layer (SSL) certificates established throughout your site, for any domains and subdomains hosting healthcare information or where sensitive ePHI is accessed. In other words, any parts of your site that need login credentials should always also have an SSL. Each server used for your site needs its own SSL certificate installed. Note that some companies provide certificates that can be installed on multiple or unlimited servers. Also, be aware that an EV certificate, creating a green address bar, and/or respected brand name such as Norton or GeoTrust, can help increase trust, security, and credibility for your system. Less costly certificates can be purchased from a company like Comodo, GoDaddy, etc.

What is an SSL certificate?

An SSL (secure sockets layer) certificate is software that creates encryption of data during transmission and validates ownership of the certificate to varying degrees.

Groups called certification authorities (CA’s), which typically have very high reputations for security, issue these certificates.

SSL certificates come in three main levels of validation: domain validation (DV), organization validation (OV), and extended validation (EV). All certs create https protocol and a lock icon, along with brief information available to all web users. EV is represented by the green address bar indicators in all major browsers. SAN certificates and wildcards certs are other types.


SOC 2 TYPE II and SOC 3 TYPE II Certifications

Note that Statement on Standards for Attestation Engagements (SSAE) 18, created by the American Institute of Certified Public Accountants (AICPA), is more stringent, in some ways, than HIPAA is regarding security. It’s not a requirement for HIPAA, but seeing that certification should make you feel more confident that a company meets HIPAA compliant hosting requirements.

What is SSAE 18 Certification?

SSAE 18 certification entails an official review and audit that verifies you are meeting all parameters of Statements on Standards for Attestation Engagements No. 16, a standard developed by the AICPA (American Institute of Certified Public Accountants) via its ASB (Auditing Standards Board).

This standard provides guidance on best practices through which a healthcare organizations or companies can report on their compliance control, as gauged through a formal audit.

In addition, HIPAA and HITECH Audits are also growing. Here at Atlantic.Net, our infrastructure is not only SOC 2 TYPE II and SOC 3 TYPE II certified but also fully audited for HIPAA and HITECH compliance. These audits are conducted on an annual basis through a third party independent auditor, who verify and attest to controls, checks, and balances of the infrastructure, as it relates to logical and physical controls and security.

HIPAA-Compliant BAA

Business Associate Agreement (BAA)

If you use any outside entity to assist with your EMR, including a hosting company, you must have a BAA signed with that organization. That document does not clear you of your own responsibilities related to HIPAA, but it does delineate the role that the HIPAA compliant cloud hosting company takes and ways in which they should be held liable for any breaches, etc.

What is a BAA (business associate agreement)?

A HIPAA business associate agreement is a legal contract between a HIPAA covered entity and business associate, as defined via the US Health Insurance Portability and Accountability Act of 1996. These agreements safeguard ePHI (electronic protected health information), which is the sensitive personal health data and records of patients.

Covered entities are healthcare providers, plans, and data clearinghouses, while business associates are any organization or company doing business with covered entities in a manner that involves ePHI/medical records, such as hosting companies offering HIPAA cloud services.

HIPAA-Compliant Web Server Hosting

HIPAA Web Server Hosting

Atlantic.Net HIPAA Compliant Web Site Hosting plans offer ultra-fast data processing speeds, HIPAA-compliant web hosting features, and minimal risk of data crashes. The fast loading speeds of our highly available HIPAA compliant web servers come with security safeguards, high performance, and guaranteed reliability. Faster servers mean faster websites.

HIPAA Web Hosting Features
  • Firewall for HIPAA Compliant Web Hosting
  • HIPAA-Compliant Encrypted VPN
  • HIPAA-Compliant Offsite Backups
  • SSL certificates for HIPAA Compliance
  • SOC 2 TYPE II and SOC 3 TYPE II Certifications
  • Business Associate Agreement (BAA)

Click Here for Additional Sources

HIPAA Hosting Requirements

Business Associate Agreements (BAA) are Available

SOC 2 & SOC 3

Service Organization Control

Ensures internal controls and best practices for physical security, availability, processing integrity, confidentiality, and privacy.

HIPAA Audited

HIPAA Audited

Ensures that our processes, policies, data centers, facilities, and hosting solutions comply with the latest HIPAA Audit Protocols.

HITECH Audited

HITECH Audited

Stringent testing that continues to expand to comply with HITECH Act policies and protocols.

Our Technology Partners

Technology Partners

HIPAA Hosting Features

Business Associate Agreement

Business Associate Agreement

Intrusion Detection System

Intrusion Prevention Service

Fully Managed Firewall

Fully Managed Firewall

Vulnerability Scans

Vulnerability Scans

File Integrity Monitoring

File Integrity Monitoring

Anti-Virus Protection

Anti-Malware Protection

Log Management System

Log Management System

Highly Available Bandwidth

Highly Available Bandwidth

Linux & Window Servers

Linux & Windows Servers

Encrypted Backup

Encrypted Backup

Encrypted VPN

Encrypted VPN

Encrypted Storage

Encrypted Storage

Our Data Center Certifications

Database Certifications

Dedicated to Your Success

"After months of research and years of experience with other hosting providers, we finally switched to Atlantic.Net and we couldn’t be happier. Their customer support is PHENOMENAL. They worked with us to create, customize and configure environments for each one of our clients. We look forward to working more with Atlantic.Net "

Ojash Shrestha

Ojash Shrestha

Founder & CEO of Novelty Technology

"As our reliable Healthcare IT compliance partner for the past ten years, Atlantic.Net continues to deliver advanced IT architectural design and security guidance and support to CHS. With their flexible, customized solutions and high touch approach, we look forward to continuing to grow and work with this distinguished team of professionals "

Joseph Nompleggi

Joseph Nompleggi

VP of Product Development of Complete Healthcare Solutions

Award-Winning Service

Award-Winning Service
Contact Us

Share your vision with us, and we will develop a hosting environment tailored to your needs!

Contact an advisor at 888-618-DATA (3282) or fill out the form below.

New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Dallas, TX

2323 Bryan Street,

Dallas, Texas 75201

United States

Ashburn, VA

1807 Michael Faraday Ct,

Reston, VA 20190

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4


London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom