Choosing HIPAA-Compliant Web Hosting
Your hosting provider is a critical link in your HIPAA compliance chain. Not all hosts understand healthcare requirements — here is what to look for and ask.
The Business Associate Agreement Requirement
Any web hosting provider that stores or processes ePHI on your behalf is a Business Associate under HIPAA and must sign a BAA before you deploy healthcare applications on their platform. Operating without a BAA where ePHI is involved is a direct HIPAA violation, regardless of how secure the host's infrastructure actually is.
When evaluating a hosting provider, your first question should be: Will you sign a HIPAA Business Associate Agreement? Many providers — especially budget shared hosting providers — will not, or will offer a BAA only on higher-tier enterprise plans. If a provider will not sign a BAA, you cannot legally use them for HIPAA-covered applications.
Major Providers That Offer HIPAA BAAs
Several major cloud and managed hosting providers offer HIPAA BAAs and documented compliance programs:
- Amazon Web Services (AWS) — BAA available for covered services; HIPAA Eligible Services list published by AWS
- Microsoft Azure — BAA available; Azure Health Data Services specifically designed for healthcare
- Google Cloud Platform — BAA available for covered products; not all GCP services are covered
- Liquid Web — managed WordPress hosting with HIPAA BAA available
- Nexcess — HIPAA-compliant managed hosting plans
- WP Engine — HIPAA plan with BAA for WordPress sites
Note that even with these providers, not every service they offer is covered under their BAA. Always verify that the specific services you use (databases, object storage, CDN, etc.) are covered in the BAA.
Infrastructure Security Requirements
Beyond the BAA, HIPAA-compliant hosting must provide infrastructure security controls that support your compliance program:
- Physical security: Data centers with card-controlled or biometric access, 24/7 security, CCTV, and environmental controls (fire suppression, climate control, redundant power)
- Network security: DDoS protection, network segmentation, intrusion detection and prevention systems
- Access controls: Role-based access to servers and management interfaces, MFA for administrative access, audit logs of all administrative actions
- Encryption: Encryption of data at rest on storage volumes; TLS in transit; key management controls
- Availability: Redundant storage with automated failover; backup systems tested regularly; documented SLAs
Configuration Is Your Responsibility
A critical and often misunderstood point: a HIPAA-compliant hosting provider does not make your application HIPAA compliant. The hosting provider is responsible for the security of the underlying infrastructure. You are responsible for everything built on top of it — your application code, database configuration, access controls, encryption implementation, and user management.
AWS famously calls this the Shared Responsibility Model: AWS secures the cloud infrastructure; you secure what you build in the cloud. A misconfigured S3 bucket containing patient data is your violation, not AWS's, even if AWS has a BAA and all the right certifications.
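The S3 case above is the customer's side of the Shared Responsibility Model, and it can be checked before any data lands in the bucket. The following is an added example, not code from the original article or from AWS: a small audit that reads bucket configuration snapshots in the JSON shapes returned by `aws s3api get-public-access-block`, `get-bucket-encryption` and `get-bucket-policy` and reports the misconfigurations that would expose ePHI (public access block switched off, no default encryption, a bucket policy that grants access to everyone). The bucket name, KMS key ARN and both snapshots are constructed for illustration.

```python
import json

# Constructed snapshots in the shape returned by `aws s3api get-public-access-block`,
# `get-bucket-encryption` and `get-bucket-policy`; bucket name and key ARN are made up.
MISCONFIGURED = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "ServerSideEncryptionConfiguration": None,  # no default encryption set on the bucket
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-patient-records/*"}]}),
}
HARDENED = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",  # refuse plaintext HTTP access
         "Resource": "arn:aws:s3:::example-patient-records/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}
PUBLIC_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def is_public_principal(principal):
    """True when a statement applies to everyone: "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def audit_bucket(snapshot):
    """Return customer-side findings for one bucket snapshot; an empty list means no finding."""
    findings = []
    pab = snapshot.get("PublicAccessBlockConfiguration") or {}
    for flag in PUBLIC_BLOCK_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} is off")
    sse = snapshot.get("ServerSideEncryptionConfiguration") or {}
    if not sse.get("Rules"):
        findings.append("no default server-side encryption configured")
    policy = json.loads(snapshot.get("Policy") or '{"Statement": []}')
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
            findings.append("bucket policy grants access to a public principal")
    return findings
```

Running `audit_bucket(MISCONFIGURED)` yields four findings and `audit_bucket(HARDENED)` none; the same function can be fed live snapshots pulled with the three CLI calls named above.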