What is HIPAA Hosting?

HIPAA hosting refers to website, application or data storage and hosting services that comply with the physical safeguard requirements of the HIPAA Security Rule. HIPAA hosting is an important part of the requirements needed for application developers to ensure HIPAA compliance of their solutions.


Does Using HIPAA Hosting Make My Application HIPAA Compliant?

The short answer is no. HIPAA hosting alone does not make you HIPAA compliant.

HIPAA compliance is determined by adherence to the privacy and security rules outlined by HIPAA. HIPAA hosting only addresses one aspect of those requirements. Hosting your application in a HIPAA compliant hosting environment such as Amazon AWS or Firehost does not make your application HIPAA compliant, because these providers address only the physical safeguard requirements of the HIPAA Security Rule.

You are still required to meet the Technical and Administrative specifications of the HIPAA Security Rule in order to be compliant. TrueVault manages both the Technical and Physical safeguard requirements for your app, saving you the additional development time and resources of building them yourself for HIPAA compliant web hosting.

What Data Should Be Stored in HIPAA Compliant Hosting Environments?

Not all of your mHealth, eHealth or wearable application data needs to exist in a HIPAA hosting environment. But any protected health information (PHI) requires HIPAA file storage. Protected health information is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service.


PHI includes:

  • Medical records
  • Billing information
  • Health insurance information
  • Any individually identifiable health information

PHI includes images such as x-rays, MRIs, test results, doctor's notes, patient communication and more. If your healthcare application is managing any of these data types, you want to ensure that it is kept within a HIPAA compliant web hosting environment.

Digital copies of protected health information are sometimes called ePHI, which refers to all individually identifiable health information that is created, maintained, or transmitted electronically.

What Makes a Hosting Environment HIPAA Compliant?

HIPAA compliant hosting providers typically provide two main aspects of HIPAA compliance:

  1. They sign a Business Associate Agreement with you, which is required of service providers managing and handling HIPAA protected information.
  2. They address many of the Physical Safeguard requirements of the HIPAA Security Rule including the following.

(See below for the distinction between required and addressable HIPAA hosting requirements.)

  • Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  • Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  • Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  • Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
  • Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
  • Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
  • PHI Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
  • Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
  • Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  • Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

Required vs. Addressable HIPAA Implementation Specifications

Many of the implementation specifications above are listed as addressable. Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so, and the choice must be documented. It is important to remember that an addressable implementation specification is not optional.

Most HIPAA hosting companies should implement the addressable specifications, as they are best-practice data security features anyway.

Make your application HIPAA compliant today. You can be up and running with TrueVault's healthcare API in minutes, with no credit card needed.

Skip the red tape and head straight to developing amazing new solutions for the healthcare industry with TrueVault.