All businesses should have a website, and this is especially true for healthcare organizations. In addition to serving as a go-to resource for general information, a good website can improve operations by offering a seamless way for patients to submit forms, access results, and communicate with providers.
However, maintaining a website is more complex than creating a visually appealing interface with easy-to-navigate features. Covered entities also need to ensure that their website is compliant with HIPAA. Since a website is typically the first point of contact for patients, it is crucial for these platforms to safeguard electronic protected health information (ePHI).
Read on to learn more about web hosting providers and HIPAA compliance, some important best practices to keep top-of-mind, and a breakdown of safe choices for healthcare providers to consider.
SEE ALSO: HIPAA compliant email
Web hosting providers and HIPAA compliance
Website hosting providers that create, receive, store, or transmit ePHI on a covered entity's behalf are business associates under HIPAA. Before a covered entity shares ePHI with a business associate, both parties must sign a business associate agreement (BAA). This is a written contract in which the business associate accepts its obligations under the HIPAA Privacy and Security Rules to safeguard PHI and to report breaches of it.
Here are some security measures you can take to steer clear of HIPAA violations when setting up your website:
- Understand what type of information qualifies as PHI
- Ensure that every connection is encrypted with HTTPS (HTTP over TLS), and that plain HTTP is redirected rather than served
- Offer a secure contact form for sending messages from your website, submitted over HTTPS rather than by email or in URL parameters
- Use a dedicated server under your control, so that no other tenant has access to it
- Avoid shared hosting or other multi-tenant configurations in which other customers can reach your website and data
- Sign a BAA with your web hosting provider
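The HTTPS and contact-form items above are the ones a covered entity configures itself rather than inherits from the host. The following nginx server configuration is an added example written for this article; it is not code from the page or from any of the hosting vendors discussed below. The hostname clinic.example, the certificate paths, and the backend address 127.0.0.1:8080 are placeholders. It redirects all plain HTTP to HTTPS, accepts only TLS 1.2 and 1.3 (the commented-out line shows the weak setting it replaces), sends HSTS so browsers refuse plain HTTP afterwards, logs requests without their query strings so form data sent via GET never lands in access logs, and accepts contact-form submissions only by POST.

```nginx
# Added example, not the page's or any vendor's own configuration.
# Placeholders: clinic.example, certificate paths, backend 127.0.0.1:8080.

# Log format that records method and path but not $args (the query string),
# so anything a browser puts in a URL is not retained in access logs.
log_format no_query '$remote_addr - [$time_local] "$request_method $uri" '
                    '$status $body_bytes_sent';

# Plain HTTP: redirect everything to HTTPS and never serve content here.
server {
    listen 80;
    listen [::]:80;
    server_name clinic.example www.clinic.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name clinic.example www.clinic.example;

    ssl_certificate     /etc/ssl/certs/clinic.example.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/clinic.example.key;

    # Weak setting (do not use): ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are built in.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;

    # Browsers that have seen this header refuse plain HTTP for two years.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # Do not leak the page URL (which may identify a patient) to third parties.
    add_header Referrer-Policy no-referrer always;
    add_header X-Content-Type-Options nosniff always;

    access_log /var/log/nginx/clinic.access.log no_query;

    # The contact form page itself is served normally at /contact;
    # submissions go to /contact/submit and are accepted only as POST.
    location = /contact/submit {
        limit_except POST { deny all; }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After `nginx -t` and a reload, two checks confirm the intent: `curl -I http://clinic.example/` should return a 301 to the https:// URL with no body content, and `openssl s_client -tls1_1 -connect clinic.example:443` should fail the handshake while `openssl s_client -tls1_2 -connect clinic.example:443` succeeds. A GET to /contact/submit should return 403.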
Let’s explore some web hosting companies that can be configured to meet HIPAA guidelines.
As a seasoned provider of cloud computing and hosting services, Atlantic.net has over 15,000 business clients in more than 100 countries and actively works with healthcare organizations. Credibility aside, covered entities must determine if Atlantic.net is HIPAA compliant.
Atlantic.net specializes in providing HIPAA compliant hosting solutions to “protect critical health data, ePHI, and records.” The company has SOC 2 Type II and SOC 3 attestation reports from independent audits of its security and compliance controls. Atlantic.net also provides a BAA, vowing to “adhere and uphold the requirements of HIPAA legislation.”
The company’s HIPAA web hosting solutions come with a range of compliance-oriented features including a firewall, encrypted VPN, offsite backups, multi-factor authentication, and an intrusion prevention service.
Atlantic.net can be HIPAA compliant.
Formstack is a workspace productivity platform that helps customers streamline and simplify digital processes without using code. Looking beyond its benefits, is Formstack HIPAA compliant?
The company offers HIPAA compliant forms, documents, and electronic signature solutions to reduce risks when collecting and managing patient information. All of these products have passed a security audit with a third-party compliance assessment service. Additionally, Formstack provides a standard BAA and is willing to evaluate custom requests.
Formstack’s HIPAA compliant tools are equipped with various security features including encryption of data at rest and in transit, audit-logging, and user-level permissions. The company also uses “the highest levels of form security” by implementing 256-bit SSL, password protection, and invisible reCAPTCHA.
With a signed BAA, Formstack can be HIPAA compliant.
HIPAA Vault offers a range of hosting and cloud solutions that are specifically designed for the healthcare industry. Given the company’s name, it’s clear that HIPAA Vault puts HIPAA compliance at the forefront of its operations.
HIPAA Vault signs a BAA for every client and its solutions have received the HIPAA Seal of Compliance. All hosting plans come with fully managed services, which involve advanced configurations and ongoing system monitoring to help organizations stay up-to-date with HIPAA compliance and security standards.
Complete with extensive access control measures, HIPAA Vault’s state-of-the-art data centers are a key element of its services. Additional security features include offsite backups, vulnerability scans, a web application firewall, and a host intrusion detection system.
HIPAA Vault can be HIPAA compliant.
With over 45,000 customers around the world, Liquid Web provides managed hosting solutions for mission-critical websites and applications. While the platform may be popular, covered entities still need to consider if Liquid Web is HIPAA compliant.
Liquid Web’s HIPAA compliant hosting solutions are designed to protect clients by “verifying that all data is secured to industry standards.” The company is willing to sign a BAA for these services and a third-party audit has confirmed that Liquid Web meets HIPAA and HITECH requirements.
Liquid Web secures healthcare data through multiple methods including offsite backups, advanced administrative controls, and extensive physical safeguards. Clients can also choose to purchase a hosting plan with data encryption at rest.
Liquid Web can be configured to achieve HIPAA compliance.
Serving over 2,500 healthcare organizations, Rackspace’s cloud, data, application, and security solutions are built to help improve business outcomes and boost efficiency. But is Rackspace HIPAA compliant?
In the company’s Healthcare Solutions for Providers whitepaper, Rackspace states that “the BAA is an essential element for healthcare organizations pursuing a HIPAA compliance audit” and confirms that a BAA is offered for all of its dedicated hosting services.
Rackspace’s hosting environment has obtained HITRUST CSF certification to “provide comprehensive protection for sensitive information and help customers exceed data privacy regulations.” Rackspace also offers TLS (commonly still called SSL) encryption for connections as an additional security measure.
Rackspace can be made HIPAA compliant with a signed BAA.
Are most website hosts HIPAA compliant?
While the web hosts in this guide are well-positioned to meet HIPAA requirements, that is not always the case. In fact, we reviewed some of the most popular web hosting companies and found that the majority are not HIPAA compliant. Therefore, it is crucial to vet all potential web hosts carefully. Failing to conduct your due diligence can result in costly fines and other corrective action. It’s also important to note that a signed BAA does not by itself guarantee that a web host is doing anything special to comply with HIPAA requirements.
Ultimately, the covered entity remains responsible for configuring the site so that ePHI is protected and is not collected or exposed unintentionally, for example through server access logs, third-party analytics scripts, or form data submitted in URL query strings.
Website and email hosting go hand in hand
Choosing a HIPAA compliant web host is one piece of the puzzle, but it’s also important for healthcare providers to make stronger email security a priority. Designed to integrate with your existing email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message.
This eliminates the time and stress of deciding which emails to encrypt and allows your patients to receive your messages right in their inbox without having to navigate any additional passwords or portals. Paubox Email Suite’s Plus and Premium plan levels also come with innovative inbound email security tools that deliver extra protection from potential threats.
Our patent-pending Zero Trust Email feature uses email AI to verify that an email is authentic, while patented ExecProtect quickly catches display name spoofing attempts.