Atlantic.Net Blog

BAA Red Flags: What Should Your HIPAA-Compliant Hosting Company Be Willing to Accommodate?

Richard Bailey
by Atlantic.Net (111 posts) under HIPAA Compliant Hosting

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a complex set of privacy and security regulations created to protect all types of electronic health information. HIPAA clarifies what information should be protected and who should be allowed to see that information.

The U.S. Department of Health and Human Services enforces the regulations. HIPAA binds all healthcare entities and their business associates in the United States, and all of them are subject to its enforceable privacy and security rules.

Protecting the privacy and security of patient data is a critical part of HIPAA compliance. But even organizations that take all the necessary precautions can sometimes run into trouble. Certain common red flags at a hosting provider can indicate a potential future HIPAA violation.

This article will help you identify specific areas of concern and explains what your HIPAA-compliant hosting company must do to remain compliant.

HIPAA Compliance: Does It Appear That Something Is Off with Your Hosting Provider?

It is now standard for any healthcare organization to use electronic files to store, transmit, and securely unify healthcare data. For example, prescription data, diagnostic tests, test results, and other clinical data are stored, processed, and incorporated into electronic files.

Failing to implement the required safeguards puts an organization at risk of violating HIPAA. For this reason, many healthcare providers outsource core IT services to HIPAA hosting companies, which take on much of the complexity of adhering to the physical, administrative, and technical safeguards that HIPAA requires.

Choosing the right HIPAA hosting company is essential to avoid breaching regulations and to reduce the risk of exposing protected health information. However, not all hosting providers are the same. Here are some common mistakes to watch for.

  • Lack of Employee Training: The hosting provider must have a team of highly trained experts who understand the rules and complexities of HIPAA compliance. Engineers must be security cleared and understand the rules of working in environments that process Protected Health Information. In addition, employees must understand the basic concepts of the Security and Privacy Rules and what constitutes a compliance breach.
  • Poor Security Measures: The hosting provider must follow security best practices and ensure HIPAA compliance. The provider's physical security must be robust and backed by administrative controls. Choosing a hosting provider with proven accreditations will guarantee PHI security. Look for a business partner that has been audited for HIPAA compliance and holds HITECH accreditation and SOC 2 and SOC 3 certification.
  • Failure to Sign a Business Associate Agreement: Failing to properly enter into a BAA with a hosting provider is a common HIPAA violation. The BAA is a joint responsibility of the Business Associate and the Covered Entity. A BAA is often tedious, dense, and technical, but it is essential from a legal and business perspective. It documents the requirements for upholding the integrity of PHI and includes details of the service agreement.
  • Improper Disposal of PHI: There are strict rules governing the destruction of PHI. There are times when PHI must be deleted, for example when a data retention period expires and the data must be removed. The business associate is responsible for the secure shredding of electronic equipment such as failed hard drives, broken servers, and other forms of digital media. In addition, HIPAA requires certified destruction of protected health information.
  • No Additional BAA with Subcontractors (BASA): Many suppliers are never directly given PHI to perform duties on behalf of the covered entity, yet ePHI still passes through their systems and databases. This is known as the chain of custody, and all business associates must sign a Business Associate Subcontractor Agreement wherever there are PHI touchpoints. This is a tricky process to get right because many subcontractors do not require a BAA, and a scattergun approach to BAAs is equally frowned upon.

What You Should Expect from Your Hosting Provider

Outsourcing healthcare IT systems to a HIPAA hosting provider solves many of the headaches in achieving HIPAA compliance. Atlantic.Net has over 28 years of experience providing first-class IT solutions. As a result, we excel in HIPAA compliance hosting, and many small, medium, and large healthcare organizations trust us daily to uphold the integrity of PHI and provide class-leading cloud services.

Here are some of the ways Atlantic.Net can help protect your Healthcare IT systems:

  • Data and Network Encryption: Encrypt all ePHI to NIST cryptographic standards, both at rest and whenever it is transmitted over an external network.
  • Web Application Firewall: Protect against 0-day exploits with a robust WAF.
  • Hardware Upgrades and Patching: As the hosting provider, Atlantic.Net manages all the underlying hardware, patching and upgrading it regularly.
  • Access Control: Each user is assigned a centrally controlled, unique username and password and must use multi-factor authentication to access the systems.
  • Risk Management: Undertake a risk assessment at regular intervals and implement measures to reduce the identified risks.
  • Backups: We provide a robust and tested backup system.
  • Disaster Recovery: We provide the technical solution to ensure that systems containing PHI are available 100% of the time.
  • Business Associate Agreement: Atlantic.Net can sign the BAA.

Want to Know More?

Do you need an infrastructure that can protect your organization's health data? At Atlantic.Net, whatever your technical requirements, we can offer a top-grade HIPAA-compliant hosting solution. Get a quote for a HIPAA-compliant server from one of our experts.

Get a free consultation today!
