What Third Party Audits Tell You about a HIPAA Hosting Provider

Posted by Rebecca Santorios on January 7, 2016


ByteGrid was one of the first datacenters to recognize the need for dedicated compliant hosting services. We know that it takes more than encryption to build systems that truly serve these customers’ needs. We built our state-of-the-art datacenter for HIPAA compliance from the ground up.

Many datacenters claim to be HIPAA compliant, and will cite a ‘third party audit’ as proof. But what does this actually mean? What assurance does it really give you that the hosting provider meets regulatory requirements? In this blog, we’ll take a look at what third party audits can, and can’t tell you about a potential HIPAA hosting partner.

Who conducted the audit?

This is really the first place to start. If the audit wasn’t carried out by a recognized accrediting body, then the audit itself doesn’t carry much value. When you’re evaluating a potential IT partner, you should expect that they’ve been audited, many times, but you must find out who carried out the assessments.

EHNAC is a federally recognized standards organization that rigorously assesses datacenters that claim HIPAA compliance. EHNAC is run and staffed by veteran healthcare industry subject matter experts from the public and private sectors. Their stated mission is to “Promote accreditation in the healthcare industry to achieve quality and trust in healthcare information exchange through adoption and implementation of standards.” In short, EHNAC is a reliable auditor.

What did the audit cover?

You might see some advertisements for IT providers that claim their third-party audit proves that they’re “100% HIPAA compliant.” Try to unpack that, though, and you might find the claim isn’t all that you’d expect. After all, HIPAA compliance doesn’t start and end with your encryption mechanism. It requires companywide procedures and training, among many other requirements.

How can you know whether the audit had sufficient depth and scope to be meaningful? Perhaps it was so high level that virtually any company could pass. For example, the auditor may have asked whether the datacenter restricted access to electronic protected health information, but failed to dig into the details to make sure their controls were really adequate. A HIPAA compliant hosting provider should be able to provide detailed information about their audit’s scope and results.

Many companies will share their audit reports upon request, with appropriate confidentiality agreements in place, so that you can evaluate how well the audit covers your requirements. EHNAC makes this even easier: you can find the requirements for HIPAA compliant datacenters on their website. EHNAC’s comprehensive assessment of HIPAA hosting providers covers every aspect of an organization, top to bottom, physical and logical, from equipment to personnel. Take a look at their requirements and you’ll recognize that an EHNAC accreditation is a true measure of HIPAA compliance.

ByteGrid was the first datacenter to achieve EHNAC accreditation. We’ve painstakingly assessed our systems against regulatory requirements, and designed our processes to be fully compliant. This means we have irrefutable, documented evidence that we’re implementing robust safeguards for the data we house. We build

Partner with ByteGrid and experience the benefit of compliant cloud hosting for yourself.