Who is required to follow HIPAA?

Not every business in the healthcare industry is required to comply with HIPAA: only covered entities and business associates are.

HIPAA-covered entities include health plans, clearinghouses, and certain health care providers.

Health plans include:

  • Health insurance companies
  • HMOs, or health maintenance organizations
  • Employer-sponsored health plans
  • Government programs that pay for health care, like Medicare, Medicaid, and military and veterans’ health programs

Clearinghouses

Clearinghouses include organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other healthcare organizations.

Healthcare Providers

Providers who submit HIPAA transactions, like claims, electronically are covered. These providers include, but are not limited to:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

The Centers for Medicare and Medicaid Services provide a helpful tool that can be used to determine whether you are a covered entity.

If a covered entity engages business associates, business associate agreements must be in place. A business associate agreement identifies exactly what the business associate is doing for the covered entity and binds the business associate to HIPAA compliance for that work.

If you fall under one of these categories, the onus is on you to ensure that you and your business become HIPAA compliant. Rest assured, a big part of managing that compliance is taken care of with HIPAA-compliant managed services, which you can expect as part of your HIPAA compliant hosting solutions package.

What is a HIPAA compliant server?

HIPAA compliant hosting is on a dedicated server that adheres to the strict technical requirements outlined in the legislation to store electronic medical records safely. HIPAA compliant server requirements include complete encryption of patient data, user authentication, and other aspects which we will describe in detail below.

HIPAA compliant hosting must be in a private hosted environment. Creating HIPAA-compliant environments means that a public cloud or hybrid server environment may not be used. A dedicated server or a private cloud are the best options when choosing a hosting provider.

What is Protected Health Information (PHI)?

Protected Health Information (PHI), called Electronic Protected Health Information (ePHI) when it is held or transmitted electronically, is the health (or patient) data to which HIPAA attaches an array of patient rights.

To achieve HIPAA-compliant hosting, it is important to understand which data must be maintained to these high standards. Electronic patient health information can be defined as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.

This includes:

  • diagnoses
  • treatment information
  • medical test results, and
  • prescription information

When this information can be tied to an individual, it is protected under HIPAA.

How is HIPAA compliance achieved?

HIPAA contains a series of both privacy and security rules. When the legislation was developed, and subsequently amended, lawmakers ensured that the HIPAA security rules outlined exactly how compliance may be achieved. A covered entity must either follow each standard or document why the standard was not followed.

A covered entity should review the security specifications completely and follow the 5 main components of the process required to become HIPAA compliant.

The 5 main components of HIPAA Planning

A HIPAA-compliant hosting provider will work with you to ensure that your records are HIPAA-compliant, using these five components:

  • Assess current security, risks, and gaps
  • Develop an implementation plan
  • Implement solutions
  • Document decisions
  • Reassess periodically

What are 3 key elements of HIPAA?

The three key elements of HIPAA-compliant hosting security include administrative safeguards, physical safeguards, and technical safeguards. Each of these processes begins with a risk analysis.

HIPAA Risk Analysis

When reviewing all of the HIPAA-compliant security requirements and recommendations with your HIPAA-compliant hosting providers, it is critical to perform a risk analysis. This process allows your organization to determine what risks exist and how best to address them. It can be described as:

  • The process of identifying potential security risks, and
  • Determining the probability of occurrence and magnitude of risks.

Sanction Policy

Another requirement of the security policies to become HIPAA compliant is a sanction policy within the organization. An organization must “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.” This would apply to business associates as well.

1) Administrative Safeguards

The first element of compliance with the HIPAA Security Rule is administrative safeguards. The Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Reviewing Activity Logs

An organization must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Designate A Security Official

A security official in the organization must be designated who is responsible for the development and implementation of the policies and procedures required for the entity. This is similar to the requirements to designate a privacy officer, and this could be the same person in small organizations.

Workforce Security

The organization must identify which members require access to protected health information (PHI) and restrict access to only the information required. Members of the organization who do not need access to this data must be prevented from accessing it, and once an employee is terminated there must be procedures to revoke access promptly.

As well, there must be authorization and supervision of workforce members who access health data. For example, it should be logged when a workforce member attempts to access health data outside of their permitted scope.

Security Awareness and Training

Security awareness and training programs must be designed and implemented with all organization staff, including management. This requirement also outlines that an organization must conduct:

  • Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring
  • Password Management

Other Administrative Safeguards

Other administrative safeguards required to maintain a HIPAA compliant server hosting include:

  • Security Incident Procedures
  • Contingency Planning
  • Backup Planning
  • Disaster Recovery Planning
  • Emergency Mode Operation Planning
  • Testing and Revision Procedures
  • Applications and Data Criticality Analysis
  • Evaluation

2) Physical Safeguards

Facility Access Controls

These standards require policies and procedures that limit physical access to an organization's electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. This involves:

  • Contingency Operations
  • Facility Security Plan
  • Access Control and Validation Procedures
  • Maintenance Records

Workstation Use and Security

This standard refers to how workstations or servers are physically protected from access and intrusion. An organization should review the risks and assess whether any physical locking or other security is required to protect workstations.

As well, policies must be developed and enforced which outline proper workstation use and what activities are appropriate on a business workstation.

Device and Media Controls

Policies must be developed surrounding:

  • Media use and re-use
  • Data backup and storage
  • Records of responsibility and accountability
  • Media disposal

3) Technical Safeguards

The third element of HIPAA compliance on the security side is technical safeguards. The HIPAA legislation was designed to be technology agnostic in that no specific technical solutions are recommended. As technology evolves, the legislation acknowledges that there may be multiple solutions to any of these recommendations.

Access Control

  • Unique User Identification
  • Emergency Access Procedure
  • Automatic Logoff
  • Encryption and Decryption

Audit Controls

Audit controls involve using hardware, software, and/or procedural mechanisms that record and examine activity in information systems. As a HIPAA compliant solutions provider, we must offer HIPAA compliance monitoring.

These systems should be monitored and reviewed based on the risks particular to the organization. In particular, it should be established in advance which audit records would be available if a security violation occurred. Does the organization have the appropriate audit record in place to track down the source?
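The audit review described here, and the requirement under Workforce Security that access attempts outside a member's permitted scope be logged and noticed, can be exercised with a small review script. The following is an added example, not code from the page or from ServerMania; the log format, the role model, the workforce directory and the sample log lines are all constructed for illustration, and a real system's audit records will look different. It walks a log of PHI access events and flags three things a reviewer needs to follow up on: an active account reading a category its role does not permit, a terminated account that was still granted access (the revocation procedure failed), and an account that is not in the workforce directory at all.

```python
import re
from dataclasses import dataclass

# Constructed role model: which PHI categories each workforce role may access.
ROLE_SCOPE = {
    "physician": {"diagnosis", "treatment", "lab_result", "prescription"},
    "billing": {"billing"},
    "pharmacist": {"prescription"},
}

# Constructed workforce directory: user -> (role, still employed?).
# "rchen" was terminated, so any access granted to that account means
# the access-revocation procedure failed.
WORKFORCE = {
    "dr.lee": ("physician", True),
    "mjones": ("billing", True),
    "rchen": ("pharmacist", False),
}

# Constructed audit-log line format (hypothetical; real systems differ).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"category=(?P<category>\S+) patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: five access events from one morning.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=dr.lee action=read category=lab_result patient=P-1001 result=allowed
2024-03-01T08:05:40Z user=mjones action=read category=billing patient=P-1001 result=allowed
2024-03-01T08:07:03Z user=mjones action=read category=diagnosis patient=P-1001 result=denied
2024-03-01T08:09:55Z user=rchen action=read category=prescription patient=P-2002 result=allowed
2024-03-01T08:12:30Z user=ghost action=read category=treatment patient=P-3003 result=denied
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    category: str
    patient: str
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def review_log(text, workforce=WORKFORCE, role_scope=ROLE_SCOPE):
    """Walk the audit log and return one Finding per event that needs follow-up."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            # A malformed line is itself a finding: gaps in the audit trail hide problems.
            findings.append(Finding("?", "?", "?", "?", f"line {lineno}: unparseable audit record"))
            continue
        entry = workforce.get(ev["user"])
        if entry is None:
            reason = "account not in workforce directory"
        else:
            role, active = entry
            if not active and ev["result"] == "allowed":
                reason = "terminated account still granted access (revocation failed)"
            elif not active:
                reason = "terminated account attempted access"
            elif ev["category"] not in role_scope.get(role, set()):
                reason = f"role '{role}' is not permitted to access '{ev['category']}'"
            else:
                continue  # active account, in scope: nothing to flag
        findings.append(Finding(ev["ts"], ev["user"], ev["category"], ev["patient"], reason))
    return findings


def findings_by_user(findings):
    """Group findings per account so a reviewer sees repeat problems at a glance."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user, []).append(f.reason)
    return summary


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.ts} {f.user:8} {f.category:13} {f.patient}: {f.reason}")
```

Note that the denied read by the billing user is still reported: the access control did its job, but the attempt itself is what the Workforce Security standard wants logged and reviewed. The terminated account's allowed read, by contrast, points at a failure in the termination procedure rather than at the user alone.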

Integrity

Data integrity procedures include steps taken to protect electronic medical records from improper alteration or destruction. This could be something similar to checksum calculations or digital signatures on files. A HIPAA disaster recovery plan is a critical element of contingency planning and outlines the responsibilities and steps taken when a failure event occurs.
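One concrete form of the checksum approach mentioned above, as an added example that is not part of the page or of any hosting provider's tooling: a keyed integrity manifest over a set of record files. A plain unkeyed checksum can be recomputed by whoever altered the file, so this example uses HMAC-SHA256 from the Python standard library; a digital signature (a private key producing the tag, a public key checking it) would fill the same role. The key, file names and record contents are constructed for illustration, and in a deployment the key would be held in a secrets manager or HSM, separate from the records and the manifest it protects.

```python
import hashlib
import hmac

# Constructed demo key: never store a real key beside the records it protects.
MANIFEST_KEY = b"demo-key-not-for-production"

# Constructed sample records: file name -> file contents.
SAMPLE_RECORDS = {
    "P-1001/diagnosis.json": b'{"patient":"P-1001","dx":"J45.20"}',
    "P-1001/rx.json": b'{"patient":"P-1001","drug":"albuterol"}',
    "P-2002/labs.json": b'{"patient":"P-2002","hba1c":5.4}',
}


def record_tag(name, data, key):
    """HMAC-SHA256 over the record name and its contents.

    Including the name means two valid records cannot have their contents
    swapped without the check noticing.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(name.encode("utf-8"))
    h.update(b"\0")  # separator so name/content boundaries are unambiguous
    h.update(data)
    return h.hexdigest()


def build_manifest(records, key):
    """Return a manifest mapping each record name to its keyed tag."""
    return {name: record_tag(name, data, key) for name, data in sorted(records.items())}


def verify_records(records, manifest, key):
    """Compare the live records against the manifest.

    Returns a sorted list of (name, problem) pairs where problem is
    "modified", "missing" or "unexpected"; an empty list means everything is intact.
    """
    problems = []
    for name, expected in manifest.items():
        if name not in records:
            problems.append((name, "missing"))
        elif not hmac.compare_digest(expected, record_tag(name, records[name], key)):
            problems.append((name, "modified"))
    for name in records:
        if name not in manifest:
            problems.append((name, "unexpected"))
    return sorted(problems)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, MANIFEST_KEY)
    print("clean run:", verify_records(SAMPLE_RECORDS, manifest, MANIFEST_KEY))

    # Simulate improper alteration and destruction of records.
    tampered = dict(SAMPLE_RECORDS)
    tampered["P-1001/rx.json"] = b'{"patient":"P-1001","drug":"other"}'
    del tampered["P-2002/labs.json"]
    print("after tampering:", verify_records(tampered, manifest, MANIFEST_KEY))
```

The check is only as good as the manifest's own protection: it should be written from a system the record-storage hosts cannot modify, and the verification result should land in the audit logs reviewed under the Audit Controls standard.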

Person or Entity Authentication

HIPAA compliant hosting providers must have mechanisms in place to verify that a person or entity seeking access to electronic protected health information is the one claimed. This could be a password, PIN, or two-step verification.

Transmission Security

Finally, your HIPAA-compliant hosting partner must ensure that health data being transmitted is sent in a secure fashion. This involves a variety of mechanisms where HIPAA-compliant data centers must conduct data integrity checks, and determine what other mechanisms may protect data in transit.

Example Safeguards

As previously mentioned, HIPAA-compliant hosting is unique to the size of your organization and your particular risks. There is no out-of-the-box hosting solution that can achieve full compliance for you without significant investment on your part to maintain compliance. Some examples of hosting safeguards include:

  • SSL certificates on all domains and subdomains
  • An encrypted VPN inside your office and between all servers
  • A robust firewall on all servers
  • Offsite backups which are also HIPAA compliant
  • A private cloud environment
  • Data center SOC 2 TYPE II and SOC 3 TYPE II Certifications

Useful HIPAA Resources

The HHS.gov website is the site for the U.S. Department of Health & Human Services and contains extensive documentation on understanding the standards required for HIPAA-compliant servers. More information on the topic may be found here.

Deploy A HIPAA Server

As you can see, deploying HIPAA compliant server hosting involves a significant amount of time and expense for covered entities and business associates. ServerMania offers a large variety of managed services from HIPAA compliant cloud solutions to dedicated servers in their New York data center and Montreal data center.

Book your free consultation with one of ServerMania’s expert Server Deployment reps who will help you navigate your way around the HIPAA regulations.