Why standard web hosting is not suitable for protected health information

Web and mobile applications are a key differentiator between healthcare providers in a highly competitive industry — customers want to be able to access their healthcare records, prescriptions, and associated data in the way that is most convenient to them. Healthcare providers who aren’t online are falling behind.

In the rush to build online services, it may be tempting to take shortcuts where protected health information (PHI) hosting is concerned. After all, a standard web hosting provider is perfectly capable of storing and serving healthcare data.

But most web hosting and server hosting providers aren’t capable of offering services that comply with the Health Insurance Portability and Accountability Act (HIPAA) — in fact, they aren’t even capable of providing a platform on which a skilled developer could build HIPAA-compliant applications and services.

The risk of being non-compliant with HIPAA should not be taken lightly. Non-compliance fines are large enough to damage the viability of healthcare businesses, and for the worst breaches healthcare professionals and administrators might be jailed.

There are seven fundamental requirements for HIPAA compliance:

  • Transport encryption,
  • Storage encryption
  • Backups,
  • Authorization,
  • Data integrity,
  • Data disposal,
  • A HIPAA Business Association agreement with third-party vendors.

A HIPAA-compliant hosting provider doesn’t automatically make an application or website compliant, but it does provide a solid foundation on which to build HIPAA-compliant services.

The authorization requirement of HIPAA stipulates that only authorized individuals are able to access PHI and that access is via audited access controls. That means no one should be able to access the data without permission, either over the network or from inside the data center. Most hosting providers do not have sufficient network or physical security to be compliant, and, without the necessary security, there is no way for an application that stores or processes PHI to be compliant.

Healthcare data must be stored in such a way that guarantees it hasn’t been tampered with or altered. The best way to protect data from tampering is to encrypt it, and encryption at rest isn’t a service the majority of web hosts are able to provide. Encryption can be managed at the application layer, but whole disk encryption is safer, reduces complexity, and should be a standard part of any HIPAA-compliant hosting plan.

When a company stores or processes Protected Health Information, it has two options: to build and manage a HIPAA-compliant hosting platform, or to use HIPAA-compliant hosting provided by a third party vendor like Liquid Web. The first option is expensive, complex, and not a core competence of most healthcare businesses.

The more economical, efficient, and secure option is to use a third-party host with HIPAA expertise. Only an expert and experienced HIPAA-compliant hosting provider is able to provide a trustworthy HIPAA Business Associate Agreement — and without such an agreement, a healthcare provider’s websites and applications can’t be HIPAA-compliant.

HIPAA-compliant hosting may look superficially similar to standard web hosting, but under-the-hood a huge amount of work goes into building a secure, reliable platform that empowers healthcare professionals to build the HIPAA-compliant services their customers expect.