Top HIPAA-Compliant Hosting Services Reviewed
Disclosure: When you purchase a product or service through our links, we may earn a commission. Learn More…
If you’re researching HIPAA-compliant hosting services, chances are you’re either in the healthcare field or serving clients who are. If you are already in the healthcare space, you don’t need any introduction to HIPAA, so feel free to skip the next section. For those of you who are not fully sure of what types of special requirements the Health Insurance Portablility and Accountability Act (HIPAA) adds to digital services like web hosting, read on.
What Is HIPAA and HITECH?
HIPAA is a federal law passed in 1996 aimed at making healthcare “portable,” so workers can keep their insurance coverage if they change or lose their jobs. Most pertinent for this article, the law has a Privacy Rule section, which regulates the intentional use and disclosure of protected health information (PHI) by “covered entities” – healthcare providers and organizations – and a Security Rule section, which applies to the unintentional use and disclosure of PHI. These regulations include how the data is stored, processed, and transmitted. In addition to applying to covered entities, HIPAA also applies to their business associates. So if you have clients in healthcare organizations and you are assisting them with the handling of PHI, you are a business associate and must be HIPAA compliant.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA in 2013. It further defined the privacy and security required for ePHI, and toughened the penalties for business associates who fail at HIPAA compliance. Because these penalties can include a fine of $1.5 million per violation category per year, it is crucial to be sure you are using HIPAA-compliant services when necessary. Since web hosting involves the storing and transmitting of data, your web hosting service must be HIPAA compliant if handling PHI.
HIPAA-Compliant Hosting: What Are You Paying For?
We’ll talk about specific web hosting providers in a minute, but first let’s outline what makes a hosting service be able to claim HIPAA compliance. When you see what goes on behind the scenes to be verified as HIPAA compliant, you’ll begin to understand why this level of hosting costs so much more than standard hosting.
- Physical Access: Access to the hosting provider’s facility must have appropriate security with such items as restricted parking, guards, id checks, logs, closed circuit TV, and more. Access to the data center portion of the facility must have even more restrictive access, only allowing those with the appropriate credentials. The servers, cables, and related equipment must also be secured. And power redundancies are built in to prevent interruptions.
- Logical Access: The data itself must be protected in multiple ways. Firewalls, separation between customer environments, access logging, virus protection, and high levels of encryptions are all involved in protecting ePHI data.
- Network Access: Intrusion prevention, firewall redundancy, VPN tunnels and dual factor authentication are included in securing the network.
- Managed Hosting: Continuous backups, monitoring, recovery plans, cyber insurance coverage and tech support are typically included. And notably, those hosting service providers that are HIPAA compliant will sign a Business Associate Agreement that clearly spells out their responsibilities in handling ePHI.
The top HIPAA-compliant hosting service providers also go through rigorous third-party audits to ensure they remain HIPAA/HITECH compliant.
Best HIPAA-Compliant Hosting Services
We looked at numerous HIPAA-compliant hosting services, examined their offerings, and are presenting the best here so you can move forward with confidence. If you don’t already have a domain for your project, read our recommendations for where to purchase your domain.
1. Liquid Web
When it comes to HIPAA-compliant hosting, Liquid Web easily comes out on top. They offer fully managed hosting with some of the best customer support that’s available, 24 hours a day, 7 days a week. In fact, their prompt and professional tech support is easily the most-appreciated attribute named by Liquid Web customers. With over 20 years of service and over 32,000 customers in more than 150 countries, Liquid Web has a proven track record of meeting the needs of its business customers.
Liquid Web service reps will help you determine what products and services you need for your applications. Regarding HIPAA-compliant hosting, they offer single-server HIPAA hosting for both web and database use, or multiple-server HIPAA hosting for those that require a separate database server from the web server. Uptime for Liquid Web servers is an incredible 99.999%, so you won’t need to worry about not having data and systems available at critical times for your business. And while these two HIPAA-compliant hosting options are pre-configured options, Liquid Web service reps are also available to work with you to customize a solution that works for your specific situation.
How do you know that Liquid Web hosting is truly HIPAA-compliant? They’ve been audited by an independent third party who validated their solutions as complying with HIPAA/HITECH security and privacy guidelines, including administrative, physical and technical safeguard measures. Liquid Web will of course provide you with a Business Associate Agreement, partnering with you for the safety and security of ePHI.
Databank is another provider of HIPAA-compliant hosting. Like Liquid Web, Databank has excellent physical security, tight data protection and network access control. They also have 24/7 tech support, as well as providing a customer portal with access to all the help, analytics, and audit-ready documentation you’ll need.
Where Databank stands out is the level of compliance control management they are prepared to take on. While some other service providers will only take on up to 20% of HIPAA-compliance control management, Databank is able to take on up to 80%. So if you are looking for a partner that will install, calibrate, configure, monitor, and operate your solution, Databank is for you. As with all of our selections, Databank will sign a Business Associate Agreement. And they are of course HIPAA/HITECH compliant, and their top-tier data centers are audited annually to ensure compliance.
Amazon Web Services (AWS) is a huge name in cloud services. They are a subsidiary of powerhouse Amazon, but have been themselves in business nearly fifteen years at this point. They’re committed to using and developing emerging technologies, so you won’t need to worry about using a service that becomes outdated after a relatively short time. In addition, there’s the AWS Marketplace that has healthcare-related software available for instant use.
One of the major benefits of using AWS is the security they provide. Besides serving many of the largest healthcare organizations, AWS also serves the military and global banks, so you can be confident that they are up to the task of providing HIPAA compliance when it comes to data security. In addition HIPAA compliance, AWS supports hundreds of other certifications, laws, and frameworks.
Given that sizable organizations are using AWS as their HIPAA-compliant hosting service, is AWS also worthwhile for smaller businesses? The answer to that question is maybe. While it’s true that AWS does a stellar job with data security and functionality, the system can be hard to learn, and their customer service leaves something to be desired. Fortunately they have a partner network (APN) that includes technology and consulting partners that can manage the tough stuff for you. Once such partner that we recommend is Cloudways.
Cloudways is a managed hosting provider that, like Liquid Web, has an outstanding reputation for customer service. They have extensive experience working with AWS, and simplify your life by managing the technical details and providing you with one invoice that includes both the cost of AWS and Cloudways management. This reduces your need to have a technical expert on staff. And they use a pay-as-you-go model, so you only pay for what you actually use.
If you are considering using AWS directly, you may want to watch this presentation by Pat Combes, AWS Healthcare Technical Lead, and hear the latest on AWS HIPAA-Eligible Services.
Another HIPAA-compliant hosting service that’s been around for a long time is Atlantic.Net. For over 25 years they’ve been providing IT solutions for business. Their HIPAA-compliant hosting is SOC 2 TYPE II and SOC 3 TYPE II certified, and HIPAA/HITECH audited. Atlantic.Net offers SSL certificates, firewalls, encrypted VPN, offsite backups, multifactor authentication, and private hosted environment.
Atlantic.Net boasts 24/7 support and has a 100% uptime guarantee. They also will sign a Business Associate Agreement which delineates their role, including ways they can be held liable for any breaches of security. They work to distance themselves from other HIPAA-compliant hosting services by offering ultra-fast data processing speeds resulting in fast websites, while still maintaining top security safeguards and guaranteed reliability.
One other bonus with Atlantic.Net is their offer of a free trial. You get to try out their fully audited HIPAA platform free of charge to see if what they provide will work for your particular situation. Not bad, considering the normal cost of HIPAA-compliant hosting.
LightEdge was founded in 1996, so it’s another long-time player in the high-tech communications space. In 2018, LightEdge acquired OnRamp, another internet services business that began in the mid-nineties. Now operating together as LightEdge, this company has decades of experience providing network services and managed hosting for thousands of businesses.
Why choose LightEdge? As are the other business we highlight, LightEdge is annually audited by independent third-party firms and has been certified as being HIPAA and HITECH compliant. They provide the same 24/7 tech support as the other options listed here. LightEdge offers Secure Private Clouds, which incorporate industry-best practices to protect sensitive data deployed and managed on dedicated hardware with virtualization software. They will work with you to customize the level of products and support your organization needs. They also provide support for any HIPAA-related third-party audits you may have, helping you to gather necessary evidence and documentation. LightEdge develops a customized Business Associate Agreement with each customer to detail each party’s responsibility to protect ePHI, and how they will work cooperatively with you to maintain HIPAA compliance.
LightEdge is a solid choice for a HIPAA-compliant hosting service. As their marketing material says, “LightEdge has one of the strongest compliance and security solutions portfolios on the market. [We] operate seven enterprise-class data centers to deploy cloud computing, colocation, disaster recovery, and managed services all wrapped in 24/7/365 expert support.”
Since you can only select one of the options we’ve presented, we suggest you start with Liquid Web. With the highest reported customer satisfaction rating, Liquid Web provides the confidence of having a HIPAA-compliant hosting partner that will walk with you every step of the way. Their 59-second response time promise (by phone or chat) ensures you won’t be stuck on hold or playing phone tag with someone to resolve your issue. And there’s no required contract or hidden fees to worry about. They’ve got some of the best guarantees in the industry, so you can have peace of mind working with Liquid Web as your HIPAA-compliant hosting provider.