Guide, HIPAA hosting explained

HIPAA Compliance Guide for hosting PHI

What HIPAA actually requires from your hosting, in plain terms. The administrative, physical, and technical safeguards, the truth about "HIPAA certified", how a Business Associate Agreement works, and a checklist to evaluate any provider before you host protected health information.

See HIPAA compliant hosting Start free trial

Certifications and controls

SOC 2 certified ISO 27001 certified HIPAA-eligible infrastructure GDPR compliant
Trustpilot 4.6/5 G2 G2 4.8/5 Trusted by Bosch and Atos

What HIPAA asks of your hosting

HIPAA is a US federal law enforced by the Department of Health and Human Services. Its Security Rule sets the safeguards that must protect electronic protected health information (ePHI). Hosting is only one layer of the picture: the infrastructure has to support those safeguards, while your application, policies, and staff cover the rest. That split is the single most important thing to understand before you host PHI.

In one line: a provider can give you HIPAA-eligible infrastructure and a Business Associate Agreement, but no provider makes your application "HIPAA compliant" by itself. Compliance is always shared. Looking for the offering instead of the theory? See our HIPAA compliant hosting page.

The three categories of safeguards

HIPAA groups its requirements into three families. Knowing who owns each one keeps audits calm.

Administrative safeguards

Risk analysis, workforce training, access management policies, and an incident response plan. These are mostly owned by you, the covered entity or business associate, not the host.

Physical safeguards

Facility access controls, device and media handling, and data-center security. Elestio covers this through SOC 2 and ISO 27001 certified data centers with strict physical access control.

Technical safeguards

Access control, encryption, audit controls, integrity, and transmission security. This layer is shared: the infrastructure provides the controls, your application configures and uses them.

What a Business Associate Agreement is

When a hosting provider handles ePHI on your behalf, HIPAA treats it as a business associate. A Business Associate Agreement (BAA) is the contract that documents each party's obligations: how PHI is safeguarded, breach notification duties, and permitted uses. It does not, on its own, make anything compliant. It defines the boundary of responsibility so both sides know exactly what they own.

A HIPAA hosting checklist

Five questions to ask any provider before hosting protected health information.

Is PHI encrypted end to end?

Encryption in transit (TLS 1.3) and at rest on dedicated volumes should be the default, not an add-on you configure yourself.

Is the infrastructure isolated?

Single-tenant, dedicated VMs avoid the shared-hardware risk. Ask whether workloads are truly isolated or co-located.

Are there audit logs and monitoring?

You need to demonstrate who accessed what. Access and service logging plus 24/7 monitoring are table stakes for an audit.

Are backups encrypted and recoverable?

Automated encrypted backups with point-in-time recovery cover the availability and contingency requirements of the rule.

Is a BAA available, with clear scope?

A provider that offers a BAA for eligible deployments and states the shared-responsibility split is being honest with you.

Can you control data residency?

Pinning PHI to a chosen region, including EU-only providers, lets you combine HIPAA-eligible controls with GDPR needs.

From guide to deployment

When you are ready, run PHI workloads on HIPAA-eligible, fully managed infrastructure. Free trial, no credit card.

HIPAA compliant hosting GDPR compliant hosting

Reviews

Trusted by 10,000+ Developers Worldwide

Real reviews from real users on Trustpilot.

Frequently Asked Questions

  • Is there such a thing as HIPAA certification?

    No. There is no official HIPAA certification issued by any government body or accredited authority. A provider can offer HIPAA-eligible infrastructure, third-party certifications such as SOC 2 and ISO 27001, and a Business Associate Agreement, but "HIPAA certified" is not a real status. HIPAA compliance is a shared responsibility between the provider and the covered entity or business associate.

  • What are the HIPAA Security Rule safeguards?

    The Security Rule groups requirements into administrative safeguards (risk analysis, training, policies), physical safeguards (facility and device security), and technical safeguards (access control, encryption, audit controls, integrity, transmission security). Hosting mainly supports the physical and technical layers, while the administrative layer stays with your organisation.

  • Do I need a Business Associate Agreement (BAA)?

    If a vendor handles protected health information on your behalf, HIPAA generally requires a BAA with that vendor. Elestio can discuss a BAA for eligible healthcare deployments. The BAA documents each side's obligations; it does not by itself make an application compliant.

  • Does HIPAA require encryption?

    Encryption is an addressable specification under the Security Rule, meaning it must be implemented where reasonable and appropriate, or a documented equivalent used. In practice, encrypting ePHI in transit and at rest is the expected standard, and Elestio applies it by default on dedicated volumes.

  • Is cloud hosting allowed for PHI under HIPAA?

    Yes. Cloud and managed hosting are permitted for PHI as long as the required safeguards are in place and a BAA is signed with the provider acting as a business associate. The key is HIPAA-eligible infrastructure plus a clear shared-responsibility model.

  • How is HIPAA different from GDPR?

    HIPAA is a US law focused on protected health information, while GDPR is an EU regulation covering all personal data of EU residents. They can overlap for healthcare data serving EU patients. You can pin deployments to EU-owned providers to address GDPR while using HIPAA-eligible controls. See our GDPR compliant hosting page.

Put the guide into practice

HIPAA-eligible managed hosting from $11/mo. Free trial, no credit card required.

See HIPAA compliant hosting