Best HIPAA Compliant Hosting of 2019
We analyze the top 16 HIPAA/HITECH certified hosting solution providers to bring you our recommendations.
Do you need HIPAA compliant hosting? This article provides an overview of HIPAA compliance, outlines the requirements for a web host to obtain HIPAA certification status, and gives recommendations for key RFP items you should look for when selecting a provider. We also compare the top HIPAA/HITECH certified hosting solutions compliant with guidelines for 2019, providing our #1 recommended solution. It’s time to secure your healthcare data!
All businesses and organizations that process, store, or transmit electronic protected health information (ePHI or PHI) are required to comply with strict requirements for electronic healthcare transactions and access to data listed in the Health Insurance Portability and Accountability Act of 1996, or more commonly known as HIPAA (also sometimes incorrectly referred to as HIPPA).
Those who fail to comply can receive fines ranging from $100 to $50,000 per violation (or per record), and the maximum penalty for each violation is $1.5 million per year. The Department of Health and Human Services has received around 200,000 privacy rule complaints since Congress updated HIPAA’s Security Rule in 2003.
There would very likely be far fewer privacy rule complaints if more businesses and organizations that process, store, or transmit ePHI were aware of the availability of high-quality, affordable HIPAA compliant hosting. In this article, we introduce the top 16 best HIPAA compliant hosting service providers and describe what each of them has to offer so that you can avoid serious legal penalties and irreparable damage to your reputation.
The Health Insurance Portability and Accountability Act of 1996 modernized the data flow of healthcare information and specified how electronic health information should be protected from fraud and theft.
“The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information,” states the Department of Health and Human Services on its website.
HHS published the HIPAA Privacy Rule and the HIPAA Security Rule to fulfill the requirement, with the former establishing national standards for the protection of certain health information and the latter outlining national security standards to protect health data transmitted, maintained, received, or created electronically. This specifically extends to hosting, as most PHI is stored online or in a web-accessible database as ePHI.
For a web hosting company to be HIPAA compliant, it must limit facility access to only authorized personnel, have policies about access to workstations and electronic media, implement various technical safeguards to prevent access to electronic protected health data, keep records of activity on hardware and software, have a disaster recovery plan, and provide sufficient network infrastructure security, among other things.
While there are more in-depth requirements a hosting provider must meet to obtain HIPAA certification, the main mandates can be summarized by the following:
It goes without saying that complying with HIPAA is far from easy, so it’s no wonder that many web hosting companies don’t even bother trying. Such web hosting companies should be strictly avoided by everyone who processes, stores, or transmits electronic protected health information in favor of HIPAA compliant hosting services, such as those listed below in this article.
The mandate to research, audit, select, and migrate to a HIPAA compliant web host can be daunting, especially given the strict HHS enforcement and steep fines and penalties for violating privacy and security regulations for ePHI data. However, with the right understanding of the compliance regulations and your specific business needs, there are a number of first-class hosting solutions with pre-configured HIPAA plans, as well as the ability to build a custom solution to meet your organization’s specific requirements.
When selecting a HIPAA compliant hosting provider, the essential items of your RFP should contain the following:
1) Business Associate Agreement (BAA):
A BAA is essential HIPAA documentation. Your BAA is an agreement between your healthcare business and the Cloud Service Provider (Business Associate). The BAA will describe the role of the hosting provider and its responsibilities to ensure that HIPAA compliance specifics are met within its domain. This includes the security, safeguards, and access limitations of ePHI under the Business Associate. Additionally, HHS has specific guidelines for this BAA document, such as the requirement that the Business Associate provide its internal security practices, company records, and financial books if audited. This document is very helpful for overall management of your HIPAA compliance program and will streamline the work of third-party auditors when certifying HIPAA compliance. (For more on BAAs, see the Business Associate Contract — Sample Business Associate Agreement Provisions as published by HHS here.)
2) Service Level Agreement (SLA):
Review the operational SLA for specific elements such as disaster recovery, network uptime, and technical support response time. Once you agree to the design of a HIPAA hosting solution, you’ll want a deployment SLA in place to ensure timely provisioning. Just remember, a BAA covers the security aspects, and an SLA covers the network infrastructure segment. Both are essential to a successful HIPAA hosting strategy.
3) Security Practices & Risk Mitigation:
HIPAA compliant data protection encompasses everything from physical security to network infrastructure security. It is also essential to ensure proper backup management is in place so your ePHI is always available, no matter what technological, geological, or other force majeure may arise. When vetting HIPAA hosts, look for specifics on physical access restrictions and surveillance policies, firewalls, VPN, DES or AES data encryption, intrusion detection, network monitoring, hardened servers, brute force detection, and DDoS/DoS prevention.
4) Technical Support Offering:
When searching for a HIPAA compliant hosting solution, most healthcare businesses will have a plethora of questions regarding everything from front-end email communications to back-office applications. It is essential to select a hosting provider that has in-house HIPAA experts available 24/7/365.
5) Data Center Locations:
There is no specific guideline in the HHS HIPAA rules that regulates where ePHI data is stored and served from. However, the lack of geo-specific requirements does not mean you should pick any HIPAA compliant server regardless of location. In-geo data residency for ePHI may ease the burden of data security, business continuity, and disaster recovery. Additionally, data centers within the United States will often hold similar regulatory compliance to your healthcare business, beyond that of HIPAA rules. While not required, we would argue that data residency does matter, especially when dealing with ePHI.
Based on our audits, our recommended HIPAA certified hosting provider is LiquidWeb’s pre-configured HIPAA package for Linux or Windows (starting at $299.00/month).
LiquidWeb has single and multiple server plans, as well as custom HIPAA hosting solutions. Their HIPAA compliant hosting solution meets the RFP requirements by providing:
Learn more about LiquidWeb HIPAA hosting here, or read on for a full analysis of the top HIPAA/HITECH certified hosting solutions compliant with guidelines for 2019 as outlined below.
Liquid Web is by far our favorite HIPAA compliant web hosting provider, offering fully managed web hosting at affordable prices, with 100 percent uptime guarantees, and with customer support provided by trained professionals who understand everything there is to know about web hosting.
While many other web hosting providers merely claim to be HIPAA compliant without having anything to show for it, Liquid Web has completed a rigorous independent audit to prove that it really meets all HIPAA requirements.
“Our continued focus on exceeding compliance expectations means our clients can be assured that we have the physical and technical safeguards in place and our processes, policies, and network security are all focused on protecting our customer’s data with the highest standards,” says Carrie Wheeler, Chief Operating Officer of Liquid Web.
Liquid Web customers can choose between two pre-configured HIPAA hosting plans: Single Server HIPAA Hosting and Multiple Server HIPAA Hosting. Single Server HIPAA Hosting includes a single dedicated server for web and database use, and it starts at $299. Multiple Server HIPAA Hosting includes one or more web servers with a separate database server, and it starts at $788.
If neither of the two pre-configured HIPAA hosting plans meet your web hosting criteria, you can get in touch with Liquid Web and let it help you pick the perfect hosting plan for your needs, from dedicated servers to cloud VPS hosting to managed WordPress. Liquid Web can even migrate your site, store, or application to its servers, making HIPAA compliant hosting as accessible as it can be.
Liquid Web has been around for more than 20 years, serving customers in over 130 countries and employing around 500 hosting professionals. The company’s bread and butter is simple self-managed hosting for businesses and organizations with mission-critical sites, stores, and applications. You would be hard-pressed to find any other hosting company that offers a 59-second support guarantee, 24 hours a day and 365 days a year, so it’s no wonder that Liquid Web is an industry leader in customer service.
In summary, Liquid Web is the best HIPAA compliant web hosting provider, offering two pre-configured HIPAA hosting plans. The company is characterized by its high-performance services and exceptional customer support, and it’s the ideal partner for all businesses and organizations with mission-critical sites, stores, and applications that can’t afford to ignore HIPAA compliance and must adhere to the stringent security and privacy regulations for handling Protected Health Information (PHI).
If Liquid Web’s Single Server or Multi-Server hosting offerings do not check all the boxes on your RFP for a HIPAA compliant web hosting solution, then consider vetting the following 15 service providers below. They have been analyzed individually, each meeting the strict criteria for inclusion on this HIPAA compliant vendor list. They provide enterprise-level compliant hosting with the robust feature sets necessary to meet most RFPs for protecting and securing your ePHI data. This list is ranked in order of our recommendation, based on the selection criteria, requirements, and data disclosed by each service provider.
Amazon Web Services (AWS) is an on-demand cloud computing platform that offers compute power, database storage, content delivery, and other functionality you would expect from a web hosting service. AWS is used by some of the largest companies in the world, including Netflix, Quora, NDTV, GoIbibo, Dropbox, and many others, so there’s no reason to doubt its reliability.
There’s also no reason to doubt its security because AWS aligns its HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. AWS signs a HIPAA business associate addendum (BAA) with its customers to ensure that AWS appropriately safeguards protected health information.
What we really like about AWS is its pay-as-you-go pricing approach. Instead of paying a fixed monthly fee regardless of how much resources you really use, AWS lets you pay only for the services you actually use and only for the amount of time you use them. Should you ever decide to completely stop using AWS, you won’t have to deal with any additional costs or termination fees, which is great if flexibility matters to you.
Rackspace is a trusted web hosting company that has been around since 1998, offering a comprehensive selection of digital services and solutions designed to meet the needs of all industries, including healthcare.
The company offers multiple cloud platforms to choose from, including a multi-tenant public cloud with pay-as-you-grow scalability, a single-tenant private cloud for maximum security, a hybrid cloud that makes it possible to connect public clouds, private clouds, and traditional dedicated servers for individual applications, and multi-cloud that relies on cloud providers such as Amazon or Microsoft.
However, it doesn’t really matter which cloud platform you choose because Rackspace is all about flexibility and scalability. You can easily migrate to the cloud of your choice and rest assured knowing that the company’s signature Fanatical Support will guide you along the way.
Rackspace offers HIPAA-ready hosting solutions in its private cloud environment, which is HITRUST CSF-certified to guarantee that it complies with HIPAA. In addition to providing security and privacy standards for handling PHI, Rackspace specialists are ready to help businesses and organizations design a hosting approach that addresses their needs in the most cost-effective way.
Azure is Microsoft’s cloud computing platform that provides software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). It was first released in 2010, and it has since then become a major AWS competitor, offering over 600 services encompassing everything from web hosting to storage to data management to messaging to machine learning and much more.
Just like AWS, Azure for Health Cloud lets you pay only for the resources you really use and cancel at any time without any additional costs or termination fees. If you’re migrating from a competing cloud computing platform, you will be pleased to know that Azure offers price matching on comparable services, allowing you to combine discounts and pricing offers to reduce your cloud costs. What’s more, you can try it for free for the first 30 days to see what it’s all about.
Azure has been audited by accredited independent auditors for the Microsoft ISO/IEC 27001 certification, which formally specifies the management system for information security, and the platform is also covered by FedRAMP assessments.
Last year, Microsoft released automation for HIPAA/HITRUST compliance to help companies and organizations build and launch compliant cloud-powered applications and services. Called the Azure Security and Compliance Blueprint, this unique turn-key solution provides excellent deployment efficiency, helping health organizations all over the world leverage the cloud to improve their outcomes.
There are many compelling cloud solutions today, but most of them leave at least one or two things to be desired. Hostway|HOSTING layers its managed services atop AWS and Azure cloud infrastructures to provide unparalleled support and visibility while achieving full PCI/DSS, HIPAA/HITECH, and SOC 2/3 compliance across every type of platform.
The Hostway|HOSTING Healthcare Cloud has been designed specifically to meet the needs of healthcare providers that want to streamline their decision-making, improve workflows, and promote data sharing across and beyond the healthcare industry.
Hostway|HOSTING employs a team of dedicated information security and cloud compliance experts who are certified to manage and monitor customers’ cloud hosting environments. Thanks to them, Hostway|HOSTING can offer 100 percent audit assurance, having successfully completed more than 400 customer security assessments.
Hostway|HOSTING has a very concise Business Associate Agreement (BAA) that clearly describes the company’s responsibilities when it comes to safeguarding protected health information. Prices start at $250 a month for the Explorer level of Hostway|HOSTING managed services, which includes 24 x 7 x 365 monitoring and support, pre-built monitoring dashboards, fully managed infrastructure, co-administration of OS, file system backup monitoring and management, firewall management, malware protection, and guaranteed availability, just to name a few features.
Founded in 1994, Atlantic.Net is a leading web hosting company with data centers in San Francisco, Orlando, Dallas, Ashburn, Toronto, New York, and London. The company has built a reputation for excellence, and its continuous desire to improve the quality of its services has allowed it to become SOC 2 Type II and SOC 3 Type II certified, as well as HIPAA and HITECH audited.
To deliver a HIPAA compliant hosting solution, Atlantic.Net provides a firewall, encrypted VPN, offsite backups, multifactor authentication, private hosted environment, SSL certificates, SSAE 18 certificates, and business associate agreement (BAA). Prices start at $385 a month for a HIPAA compliant dedicated server, but you can also sign up for Atlantic.Net’s cloud hosting, which starts at just $8 a month.
OVH is a great example of a family-founded company that has become incredibly successful by sticking to its core values and offering a customer-centric approach that so many other web hosting companies lack. At the time of writing this article, OVH has 27 data centers in 19 countries, and it uses them to host well over 300,000 servers.
The large portfolio of web hosting services by OVH includes bare metal servers, hosted private cloud, public cloud services, VPS servers, and even shared messaging and mailboxes. If you’re looking for HIPAA compliant hosting, OVH can deliver it via its vCloud Air hosted private cloud software-defined data center built on the latest generation of Intel hardware and the VMware technology stack. An independent third party examined vCloud Air against applicable controls of HIPAA, and it passed with flying colors.
It’s very difficult to meet all HIPAA requirements and provide secure HIPAA compliant server hosting, which is why many web hosting companies don’t even attempt it—but not Colocation America. This reliable colocation hosting provider with data centers in Los Angeles was established in 2000 with a vision to deliver a trusted colocation hosting service at a competitive price.
To comply with HIPAA, Colocation America provides the following HIPAA data security measures: SSL certificates and HTTPS, AES encryption, virtual or dedicated private firewall services, remote VPN access, disaster recovery, and dedicated IP addresses. It also maintains redundant, isolated, and secure database and web servers with high connection speeds, 100 percent uptime guarantee, and unparalleled 24/7 customer support.
Armor is a cloud security company that also provides secure hosting services that make it easy to meet HIPAA/HITRUST, PCI DSS, and GDPR cloud compliance requirements. The company was founded in 2009 as Firehost, starting as the first Totally Secure cloud company. In 2015, Firehost became Armor, and the same year also saw the release of Armor’s managed security solution for all hosting environments, called Armor Anywhere.
To simplify HIPAA compliance, Armor offers a broad range of Health Information Trust Alliance Common Security Framework (HITRUST CSF) certified solutions and provides 24/7/365 hands-on support. You can get in touch with Armor via phone numbers or online chat and ticketing service, and the company also maintains an active social media presence, posting service updates and announcing new features.
Think of Truevault as an online safe for personally identifiable information. This HIPAA, GDPR, and CCPA-compliant cloud hosting solution provides a secure application programming interface (API) that gives healthcare providers, and everyone else who needs to meet the HIPAA Physical and Technical Safeguards and GDPR data requirements, a secure way to store personally identifiable information.
The best way to get started with Truevault is to request a demo or talk to the company’s technical sales team. Truevault offers three plans that cover startups, medium and large businesses, as well as global enterprises. To help you implement its solution, Truevault organizes implementation workshops, which are basically 1-on-1 video calls with platform architects.
HIPAA Vault (formerly VMRacks) offers managed HIPAA compliant cloud solutions to simplify HIPAA compliance. The company launched in 1997 with the mission of providing world-class customer-service, impeccable technical support, and affordable data security. Today, HIPAA Vault proudly serves large enterprise-level clients such as Deloitte, but its services are ideal even for startups.
The cheapest HIPAA hosting plan from HIPAA Vault costs $349 a month, and it includes 50 GB of disk space, 11 GB of RAM, 3 TB of bandwidth, and 3 CPU cores. A tier above it is the company’s $499 a month plan, which includes 500 GB of disk space, 15 GB of RAM, 3 TB of bandwidth, and 4 cores. HIPAA Vault also offers HIPAA compliant managed WordPress hosting, FTP hosting, email, and file vault.
For customers in the healthcare industry or anyone who must comply with the HIPAA or HITECH Act security standards, Connectria offers HIPAA compliant hosting solutions that include both its own compliant clouds as well as leading public clouds such as AWS and Azure. Connectria has been independently audited, and the company gladly enters into a Business Associate Agreement (BAA) with all of its customers.
The story of Connectria started over 20 years ago, and the company has since then managed to empower customers around the world with its industry-leading hosting solutions, exceptional 24×7 support, and 100 percent satisfaction guarantee. If you would like to learn more about its services, we recommend you contact Connectria directly using the contact form on its website.
With its recent acquisition of OnRamp, LightEdge has become the leader in compliant cloud solutions. The company provides the flexibility, security, and control needed to meet HIPAA’s stringent compliance requirements by offering a full stack of best-in-class IT services built on top of its purpose-built data centers and industry-leading infrastructure.
LightEdge’s compliance and security process includes risk assessment, security controls, security policies, managed security solutions, and security audit support. Prices are available upon request, and you can get in touch with the company by filling out its contact form or giving it a call at (515) 471-1000.
Previously known as Catalyze, Datica brings healthcare to the cloud by offering a whole family of powerful solutions that include Cloud Compliance Management System, Compliant Managed Integration, Compliant Kubernetes Service, and Compliant Platform as a Service.
Together, the different parts of the Datica family of services help companies and organizations build and deploy digital health applications on a compliant hosted platform that removes the stress and frustration of complex healthcare data integration problems. You can ask Datica representatives to reach out to you to answer your questions and give you pricing, which is also a great way to experience the dedication and expertise of the company’s customer support staff.
Aptible describes itself as a secure, private cloud deployment platform that’s built from the ground up to automate HIPAA compliance. Essentially, Aptible helps companies and organizations pass information security audits by offering a framework-agnostic container hosting platform that can be easily used to launch a new app or migrate an existing project.
Unlike many other compliance tools, Aptible’s Enclave platform doesn’t limit developer access to critical resources and security, allowing companies and organizations to maintain the agility they need to remain competitive. No fixed pricing plans are available because Aptible offers fully customized plans to all of its customers to meet their requirements without any compromises.
On Feb. 28, 2018, Internap Corporation (INAP) acquired SingleHop LLC for $132 million in cash.
The integration of SingleHop into INAP has taken some time, but in early 2019 the transition was completed, as the SingleHop website, login portals, and admin are now assimilated into INAP.
INAP was founded in 1996 in Seattle, Washington. The company went public in 1999 with their IPO (NASDAQ: INAP). They are now headquartered in Reston, Virginia.
Since going public, INAP has been expanding through an acquisition strategy. Listed in chronological order are INAP’s acquisitions:
Today, INAP provides performance-driven data center and cloud solutions for its clients, who range from Fortune 500 companies to tech startups.
SingleHop was headquartered in Chicago, with data centers in the United States and Europe. It provided managed hosting to more than 4,000 clients in 114 countries and also offered dedicated and cloud hosting. The company was founded in 2006 by Zak Boca and Dan Ushman. SingleHop was a leading provider of HIPAA compliant web hosting, offering comprehensive managed hosting solutions via its powerful automation platform backed by certified technicians and a comprehensive Business Associate Agreement (BAA).
SingleHop was a longstanding company on our top HIPAA compliant web host list, making it onto this recommended list for several years running. SingleHop had an excellent BAA for all HIPAA-compliant environments, which covered the entire infrastructure and evenly distributed the liability. Part of the BAA included audit trails and comprehensive reporting on any security incidents.
Another reason we liked SingleHop was its partnership with AlertLogic™, a compliance leader. AlertLogic’s security compliance services integrated into your platform, auditing for compliance with PCI DSS, GDPR, HIPAA, SOC 2, and SOX requirements. The marriage was made perfect by integrating hosting and managed services to cover both the operational side of the network infrastructure and the regulatory expertise.
Perhaps our favorite feature of SingleHop was that all new clients could schedule a free, 30-minute HIPAA compliance review to find out how much they would have to pay if they decided to go with SingleHop’s HIPAA compliant hosting. The call was not purely sales but was led by SingleHop technicians who had a deep understanding of what goes into creating HIPAA compliant environments and how to follow all the requirements and best practices that go into preventing unauthorized access to electronic protected health data. We hope INAP restores this feature if and when it re-launches a dedicated HIPAA compliant hosting offering.
Unfortunately, however, INAP doesn’t place the priority on HIPAA compliance and HITECH certification that SingleHop did, at least currently. We will closely monitor the INAP offering and audit its HIPAA compliant hosting package if and when it re-releases the original SingleHop platform. But for now, post-acquisition and platform absorption, we have moved INAP (SingleHop) to the last spot on our top recommended HIPAA compliant web hosts, pending future updates.
GoDaddy is not only one of the largest domain registrars and web hosting companies in the world but it’s also a provider of HIPAA compliant email. GoDaddy’s HIPAA compliant email offering is made possible by Microsoft Office 365, which is also why you need at least one Business Premium Office 365 account and agree to the Office 365 Business Associate Agreement to use it.
Liquid Web might be best known for its cloud-powered dedicated servers, but the company’s application hosting solutions deserve your attention as well because they make it extremely easy to launch and manage HIPAA compliant applications. Liquid Web’s application hosting features proactive monitoring, 100 percent network and power uptime guarantees, and it’s backed by Linux and Windows certified customer support technicians.
What’s so great about Liquid Web is that its pre-configured HIPAA compliant plans allow customers to run separate database servers for mission-critical databases. With a dedicated database server, a business can prevent costly downtime by ensuring that its databases remain available all the time. A separate database server also makes it easier to manage large-scale upgrades and implement security patches, among other things.
Liquid Web makes it very easy to upload site files to cloud sites via FTP in a HIPAA compliant manner. All you have to do is log into your Cloud Sites account, click on the website where you’ll be uploading your content, and create an FTP user. For more information on uploading files to cloud sites using FTP, visit this section of Liquid Web’s knowledge base.
At this point, it shouldn’t surprise you anymore to see Liquid Web selected as our favorite HIPAA compliant web hosting provider. Liquid Web’s managed WordPress hosting platform makes hosting simple by offering a bullet-proof infrastructure with no traffic limits, real-time uptime monitoring, automatic daily backups, full server access, and around the clock customer support.
After reviewing countless HIPAA compliant web hosting services, the verdict is clear: Liquid Web is by far the best HIPAA compliant web hosting service, offering excellent customer support provided by trained professionals, a 100 percent uptime guarantee, and high performance—all at prices that even startups and budget-conscious businesses and organizations can afford.
As if HIPAA compliant hosting wasn’t difficult enough, there are a plethora of security and compliance standards to adhere to beyond that. We explore SAS 70, SSAE 16, SSAE 18, SOC 1, SOC 2, SOC 3 in an article explaining the difference between these various compliance standards. Read more: https://webhostingprof.com/hipaa-compliant-hosting/sas70-ssae16-ssae18-soc1-soc2-soc3-difference/
In compliance with the FTC’s Endorsement Guides, we must disclose that WebHostingProf.com has a relationship with Liquid Web, LLC, and receives a small commission when clients are referred to the Liquid Web® HIPAA compliant hosting platform. In full disclosure, we have also been approached by representatives from Atlantic.Net, and are currently evaluating their platform before further endorsement is made. The owners of WebHostingProf.com have been clients of Liquid Web for many years prior to this website being established, or this HIPAA hosting review written and published. We have personally referred dozens of clients to the Liquid Web® hosting platform prior to an affiliate relationship being formed. We stand by our endorsements and can say with certainty that LiquidWeb has remained in our top 3 most recommended managed hosting providers for our consulting business clients for over a decade, regardless of any affiliate relationship or commission structure.
If you have any questions regarding this article, these endorsements, or our content, please contact us.