Skip to content

How can I check if a hosting provider is 100% HIPAA compliant?

HIPAA compliance is a shared responsibility between a customer and a hosting ( cloud service provider ) company. Right now there is NO certification program approved by the US Department of Health and Human Services (HHS) through which a hosting company or a cloud service provider acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act.

However, hosting companies map their security frameworks and standards with the guidelines of HIPAA and HITECH Act to demonstrate if they are compliant and also to support customers who are subject to HIPAA compliance, a hosting provider will enter into BAAs ( business associate agreements ) with its covered entity and business associate customers to ensure physical, technical, and offers a HIPAA BAA as part of their offerings.

In terms of certificates, The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 specifically addresses IT-related requirements for HIPAA compliance, expands HIPAA’s scope, and establishes penalties for violations. So a HITECH certification is the gold standard for ensuring your hosting fully complies with the letter of the law. HITRUST, another certification sometimes highlighted by providers, is not a law but rather a business organization that aims to help companies with broader compliance goals. HITRUST covers HIPAA/HITECH’s security rule but is not a guarantee of full HIPAA compliance

For example : Google cloud platform states the following on their HIPAA compliance information page

It is important to note that there is no certification recognized by the US HHS for HIPAA compliance and that complying with HIPAA is a shared responsibility between the customer and Google. Specifically, HIPAA demands compliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. Google Cloud Platform supports HIPAA compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance.

Here is a list of some of the top HIPAA compliant web hosting providers for your review

Leave a Reply

Your email address will not be published.