HIPAA Compliant Hosting Security Checklist

Posted by Rebecca Santorios on January 7, 2016

Choosing a datacenter designed specifically for HIPAA compliant hosting is the fast track to compliance for your IT system. But how can you know you're choosing a compliant provider? Poring over hundreds of pages of HIPAA regulations and figuring out how they relate to your specific situation can be daunting. Add the technical guidelines and you can quickly become overwhelmed, especially if you don't have a well-staffed IT and compliance team in-house. You need a way to manage this complexity.

A true HIPAA compliant hosting provider will have a full-time technical staff and a full-time compliance staff to implement and maintain critical health IT systems. It's impossible to distill all of their tasks into just a page of requirements, but there are some critical items that you should look for.


Let's walk through the HIPAA security standard and identify some of the must-have services to look for from a HIPAA compliant hosting provider.

Administrative safeguards

Required by § 164.308 of the HIPAA regulations. Your provider should be able to offer you all of the following:

  • Documented risk assessment
  • Access reports
  • Training records to ensure all members of its workforce have been trained to maintain HIPAA compliance
  • Security incident procedures
  • Periodic review of plans and procedures

Physical safeguards

A visit to your provider's data center is the best way to make sure they have all of the controls required by § 164.310. Look for:

  • Three-tiered facility access controls
  • Access card control for doors
  • Video surveillance
  • Escorted client access
  • Maintenance records

Technical safeguards

A HIPAA compliant hosting provider will be able to tell you at length how they satisfy § 164.312 of the security rule. Some fundamentals:

  • Access control
  • Data encryption
  • Fully managed intrusion detection system with 24/7 monitoring
  • Dedicated firewalls
  • Virus protection

Organizational requirements

The focus of § 164.314 is squarely on Business Associate Agreements. A HIPAA compliant hosting provider will be willing to sign a BAA and will understand what it must contain.

Policies and procedures and documentation requirements

One of the quickest ways to weed out non-compliant providers: check to see how well they meet the requirements of § 164.316.

  • Documented policies and procedures detailing how the security rules are met
  • Procedures must be readily available for inspection
  • Procedures must be subject to periodic review

Contingency/disaster recovery plans

These are emphasized throughout the regulations. Make sure your provider puts specific plans in place for your system.

Data backup

Another security basic. Find out what the backup and restore plans will be for your system, and how data will be protected to avoid a breach.

It takes years of experience to know how to fully implement all of the necessary controls for HIPAA compliant hosting. There are very few datacenters that can really do it all.

ByteGrid was built for HIPAA compliant hosting from the ground up. You get all of these services, and more, out of the box.

Contact us today to partner with the leader in HIPAA compliant hosting.