Choosing a HIPAA Hosting Provider: Five Questions You Should Be Asking

Posted by George Sturgis on January 7, 2016

Managed hosting makes good business sense. But if you're subject to HIPAA regulations, it's only cost-effective if you find the right HIPAA hosting provider. A strong partner will save you money with an efficient, robust solution - but choosing the wrong provider can lead to hefty fines and irreparable damage to your reputation.

Make sure your HIPAA hosting partner can give the right answers to these five questions.

1. How much HIPAA hosting experience do you have?

It takes years of experience to learn how to identify and implement the right security controls, and even more to fully understand the nuances of regulatory compliance. Regulated companies are recognizing the benefits of third-party hosting, and there are plenty of businesses that wish to capture that market. Yet very few of them have the expertise to actually achieve compliance.

Find out about the company's history with HIPAA hosting solutions. Your HIPAA hosting provider should have a strong track record of service to the regulated marketplace.

2. When was your last HIPAA audit, and what were the results?

A solid HIPAA hosting provider will, at a minimum, have been audited within the last year. If it hasn't been audited recently (or never has been), you have no way of knowing how well it can really meet your needs. For healthcare-related data hosting, ask your provider whether it has been accredited by the Electronic Healthcare Network Accreditation Commission (EHNAC). EHNAC is an independent, federally recognized standards development organization whose programs are designed to improve transactional quality, operational efficiency and data security in healthcare. EHNAC accreditation is strong evidence that a provider's controls have been independently assessed against HIPAA and HITECH requirements; it does not, however, transfer your own obligations as a covered entity to the provider.

A successful audit gives a strong indication that the company has the required controls to protect your ePHI. Look for a partner with a history of clean third-party audits.

3. How will you ensure the confidentiality, integrity and availability of my ePHI?

Pay close attention to the answer you get here. A compliant HIPAA hosting provider will be able to readily explain what administrative, physical and technical safeguards it can provide to protect your data - but it should also ask you questions in return.

The HIPAA Security Rule clearly states that your solution should be based on your specific business - in full consideration of its size, capabilities and technical infrastructure, the complexity and operational impact of specific security measures, and the probability and criticality of the risks to your ePHI. An experienced provider will know this - and won't try to give a blanket answer to this question.

They'll also know that your solution must be based on your risk assessment. Note that the risk analysis itself is an obligation of the covered entity under the Security Rule, so a provider can help you prepare and maintain one but cannot take that responsibility off your hands. Ask whether your partner has an experienced compliance team to help prepare it.

4. What procedures do you have in place and how are they documented?

HIPAA regulations require written policies and procedures that satisfy specific requirements of the Privacy and Security Rules. Your HIPAA hosting provider should already have these in place, as well as training records for its personnel.

Good documentation does more than support you in an audit - it also makes good business sense. This is your way of making sure that your partner understands your needs, and can give you a detailed accounting of how they are protecting your data.

5. Will you sign a Business Associate Agreement (BAA)?

The only acceptable answer to this question is "Yes", but there are more things to look for than an affirmative response. Make sure that your HIPAA hosting provider understands the regulatory requirements for a BAA, including the requirements introduced with the 2013 Omnibus Rule, which made business associates directly liable for compliance with the Security Rule and applicable parts of the Privacy Rule.

Your partner should work with you to make sure your agreement satisfies these rules. This document protects you, too - it defines how your data will be secured, how your partner will ensure that any of its subcontractors comply with HIPAA requirements, and how it will notify you of and respond to a breach - as required by the Omnibus Rule.

Protect your business by partnering with a proven provider. ByteGrid specializes in compliant HIPAA hosting. Let our team of experts make sure you get the right solution for your business.