When looking for a HIPAA Compliant Host, it is important that you find one that will integrate well with (and essentially be an extension of) your team. The hosting provider will know your objectives clearly and will strive to meet them.
In contrast, a non-HIPAA compliant host generally only cares that the network is up and running; the rest is up to you. They won’t be motivated to help secure your site outside the sale of an SSL certificate or to sell you a dedicated server.
The non-HIPAA host simply will treat you like any other client with non-sensitive data; having protected health information (PHI) changes everything.
So what should a HIPAA host that acts as an extension of your team do for you?
1. Look for a web host that will sign a Business Associate Agreement (BAA).
The BAA ensures the web host understands the liability they are taking on when they host your sensitive data. They can’t shrug it off and treat your website like the others they host without PHI.
2. Find a HIPAA Compliant Web Host that has a Compliance Officer or a CISSP on staff.
The CISSP is the industry-recognized certification for a security expert. The Certified Information Systems Security Professional (CISSP) works daily to ensure the environment that your website is hosted in meets the security guidelines of HIPAA and is personally vested in making sure that your data is protected.
3. Look for a web host that has more than one data center.
One data center hosts your main site and the second one is used to house your offsite backups. If your project has the funding, the host should be able to create copies of your main servers and host them in a disaster recovery/business continuity scenario, standing by and to be used in case the primary data center is unreachable.
4. Check to see if your potential web host will monitor more than just pinging your website and uptime.
They should be interested in monitoring whatever are the critical applications for your web presence. Are they monitoring the database application, the server load, swap space, disk utilization, web addresses, etc?
These four items aren’t the only things to look for in a HIPAA Compliant Web Host, but it is certainly a solid starting point.
Talk to the staff that will be supporting your web presence. Don’t just talk to the client’s relationship manager or the sales manager; ask to talk to the person at the helpdesk or a network engineer.
Your sensitive data is important and should be kept safe from authorized access; the decision you make in selecting a web hosting company that will take your data seriously is paramount to ensuring your website has the best chances of escaping a compromise.