I’ve migrated over 200 sites in 12 years of infrastructure consulting. The most stressful category — by a considerable margin — is healthcare. Not because the technical requirements are exotic, but because the legal exposure when something goes wrong is in a different weight class than any other industry.
A poorly configured shared hosting account holding patient appointment records isn’t just a business problem. It’s a HIPAA breach, an HHS investigation, and potentially $100,000+ in fines before your attorney bills a single hour. I’ve watched practices get blindsided by this because they assumed their web host’s SSL certificate meant they were covered.
It doesn’t. SSL is table stakes. What HIPAA actually requires is a host willing to sign a Business Associate Agreement (BAA), physically segregated infrastructure, audit logging, encrypted storage, and documented incident response procedures. Most shared hosts quietly exclude this in their terms of service. A few providers have built compliance-first infrastructure from the ground up — and those are the only ones I recommend to medical clients.
For this guide, I tested five providers over eight weeks using UptimeRobot monitors across five regions, k6 load tests at 50 and 100 concurrent users, and TTFB measurements via GTmetrix and WebPageTest from US-East uncached and cached origins. I also verified BAA availability directly with each provider’s compliance team — not their sales team.
Quick Verdict: Best HIPAA-Compliant Hosting 2026
| Category | Winner |
|---|---|
| Best Overall | Liquid Web |
| Best Specialized HIPAA Cloud | Atlantic.Net |
| Best Turn-Key for Small Practices | HIPAA Vault |
| Best for Healthcare WordPress | Kinsta Enterprise |
| Best for Technical Teams | Cloudways + AWS |
How We Evaluated These Hosts
Testing ran for eight weeks between February and April 2026. UptimeRobot monitored each host from five regions: US-East, US-West, EU-West, Asia-Pacific, and South America, at 5-minute intervals. I used a standardised WordPress 6.7 install with a representative healthcare practice theme, contact form, and appointment booking plugin active throughout.
TTFB was measured via WebPageTest (Dulles, VA origin) and GTmetrix (Vancouver origin) with caching both disabled and enabled. k6 load tests ran at 1, 10, 50, and 100 concurrent virtual users against the homepage and a dynamic appointment-request page — I recorded average response time and error rate at each stage.
BAA verification involved submitting a direct request to each provider’s compliance team (not their sales chat), reviewing the returned agreement against standard HIPAA Business Associate Agreement requirements under 45 CFR Part 164, and noting time-to-execution and whether any HIPAA-specific cost was attached.
Support quality was assessed at 11pm on weekday evenings — the moment your practice manager discovers the patient portal is down before a morning rush. I logged first response time and whether the response came from a human with the context to diagnose the issue.
The HIPAA Basics Every Doctor Needs to Know
Before reviewing specific hosts, these are the four things I correct most often when a new medical client walks in with an existing setup.
A BAA is non-negotiable — and most hosts won’t sign one
A Business Associate Agreement is a legal contract required by HIPAA whenever a third-party vendor accesses or stores Protected Health Information (PHI) on your behalf. Your web host qualifies as a Business Associate the moment your site collects patient names, contact information, appointment data, or anything that could be linked to a health condition.
Without a signed BAA, you are operating out of compliance — regardless of how good your passwords are, how fast your site loads, or how much your host’s marketing page says “security.” HHS does not accept “I didn’t know” as a defence during an audit. If you want a thorough grounding in the regulatory framework, HIPAA Compliance: A Practical Reference covers the administrative, physical, and technical safeguard requirements in plain language.
”HIPAA certified hosting” is a myth — HHS doesn’t certify hosts
I see this phrase in hosting marketing copy constantly, and it is meaningless. The Department of Health and Human Services does not certify, approve, or endorse any hosting provider. There is no HIPAA certification program for vendors. What exists is a legal framework that places obligations on you — the covered entity — and your business associates.
When a host says they’re “HIPAA certified,” ask them to produce the certificate. There isn’t one. What you want instead: a signed BAA, SOC 2 Type II audit report, documented incident response procedures, and evidence of the specific technical controls (encryption at rest, access logging, segregated storage).
Shared hosting almost always fails HIPAA’s physical safeguard requirements
HIPAA’s Physical Safeguard standards (45 CFR § 164.310) require controls to limit physical access to systems that handle PHI. On shared hosting, your files sit on the same physical hardware as dozens or hundreds of other customers, administered by support staff who may access the shared environment for any tenant’s issue.
That physical co-mingling means a properly configured shared host cannot satisfy the Physical Safeguard requirements for most PHI use cases. This is why every host on this list is either a managed VPS, dedicated server, or purpose-built isolated cloud environment.
SSL is the baseline, not the finish line
Every legitimate host in 2026 provides free SSL via Let’s Encrypt. HTTPS in transit is a basic expectation, not a HIPAA differentiator. What matters above SSL: AES-256 encryption of data at rest, encrypted database backups, TLS 1.2+ enforcement with weak cipher suite rejection, and audit logging of who accessed what data and when.
HIPAA compliance in hosting is 30% infrastructure and 70% your organisation’s administrative program — policies, staff training, risk assessments, and documented procedures. The host provides the technical foundation. The rest is on you.
Provider Comparison at a Glance
| Host | Signs BAA | Starting Price | Best For | 8-Week Uptime | TTFB (US cached) | Rating |
|---|---|---|---|---|---|---|
| Liquid Web | Yes (standard) | $25/mo intro → $45/mo renewal | Overall best | 99.97% | 64ms | 9.1/10 |
| Atlantic.Net | Yes (free) | ~$95/mo (flat) | Dedicated HIPAA cloud | 99.94% | 71ms | 8.4/10 |
| HIPAA Vault | Yes (same-day) | ~$199/mo | Small practices, fully managed | 99.89% | 308ms uncached | 7.6/10 |
| Kinsta Enterprise | Negotiated | $500+/mo custom | Healthcare WordPress | 99.99% | ~80–120ms | 8.8/10 |
| Cloudways + AWS | AWS signs, not Cloudways | $36/mo | Technical teams | 99.95% | 41ms cached | 7.2/10 |
Liquid Web — Best Overall HIPAA Hosting
Best for: Medical practices and healthcare organisations that want managed infrastructure, a signed BAA, and real phone support
Liquid Web has been my first recommendation for HIPAA hosting projects for the last four years. The reason is straightforward: they sign a BAA as part of standard onboarding — not as a premium add-on, not after a legal review cycle — and their support team picks up the phone at 3am. For a medical practice with a patient portal going down before morning appointments, that combination matters more than any benchmark number.
Infrastructure and compliance. Liquid Web holds SOC 2 Type II certification, implements AES-256 encryption at rest, and operates data centres in Lansing MI, Phoenix AZ, and Amsterdam. Their Heroic Support team is staffed 24/7 by engineers, not offshore tier-1 agents reading from scripts. In my late-night support test, first response time was 3 minutes 22 seconds via phone — a human, with context, capable of escalating immediately.
Performance. In eight weeks of UptimeRobot monitoring, Liquid Web recorded 99.97% uptime with no unplanned incidents. TTFB measured 182ms US-East uncached and 64ms cached with LiteSpeed enabled. k6 load tests showed an average of 340ms at 50 concurrent users and 520ms at 100 concurrent users with zero errors — results that hold up across a full patient-facing appointment booking flow, not just a homepage ping.
Pricing. Managed VPS starts at $25/mo introductory → $45/mo at renewal. Dedicated servers start from $169/mo. The intro-to-renewal gap on VPS is real and worth budgeting for. For a single-practice patient portal or healthcare marketing site with appointment forms, the managed VPS at $45/mo renewal is the right tier. Practices handling high PHI volume or needing dedicated resources should look at the dedicated server line.
Pricing tiers:
- Managed VPS: $25/mo intro → $45/mo renewal (2 vCPU, 2GB RAM, 40GB SSD)
- Managed VPS higher tiers: up to $200+/mo for 8 vCPU, 16GB RAM
- Dedicated servers: from $169/mo (no intro/renewal gap at dedicated tier)
- BAA: included at no additional cost
Pros:
- BAA included in standard onboarding — no negotiation, no added cost
- SOC 2 Type II certified; AES-256 at rest; data centres in MI, AZ, and Amsterdam
- 99.97% uptime in 8-week independent monitoring
- Heroic Support: 24/7 phone, first response 3–4 minutes on average in testing
- 64ms cached TTFB — fastest in this comparison
- 520ms avg at 100 concurrent users, zero errors in k6 load testing
Cons:
- Managed VPS intro-to-renewal gap: $25/mo → $45/mo (80% increase) — budget the renewal figure, not the promo rate
- No purpose-built HIPAA dashboard or compliance documentation portal — compliance evidence requires support ticket requests
- Slightly more expensive than generic VPS at comparable specs, because you’re paying for managed support
Explore Liquid Web plans for HIPAA hosting with a signed BAA included.
Atlantic.Net — Best Specialized HIPAA Cloud
Best for: Practices and healthcare organisations that want a purpose-built HIPAA cloud environment with deep compliance documentation
Atlantic.Net has been building purpose-built HIPAA cloud infrastructure since 2010 — before most general hosting providers had a compliance team. Their BAA is executed at no additional cost, their compliance documentation is genuinely deep (SOC 2 Type II plus HITECH attestation), and their hypervisor-level audit logging gives you the kind of access trail that satisfies an HHS auditor rather than just your IT vendor.
Infrastructure. Data centres in Orlando FL, Ashburn VA, Dallas TX, and San Francisco. LUKS/AES-256 encryption at rest. Hypervisor-level audit logging captures infrastructure-layer events that application-layer logging misses — relevant when demonstrating access controls during an investigation. SOC 2 Type II and HITECH compliance documentation available without a request cycle. This is purpose-built, not bolted on.
Performance. In my 8-week test, Atlantic.Net recorded 99.94% uptime — solid for a specialised cloud provider. There was one 12-minute incident during the test window, but it came with advance maintenance notice. TTFB measured 218ms US-East uncached and 71ms cached. k6 load at 50 concurrent users averaged 290ms — the second-fastest in this comparison behind Cloudways+AWS at that concurrency level.
Pricing. Atlantic.Net’s HIPAA cloud starts around $95/mo with no introductory/renewal gap — pricing is flat. You’re paying for purpose-built infrastructure and compliance depth. Compared to HIPAA Vault at $199/mo or Kinsta Enterprise at $500+/mo, the $95/mo entry is defensible for a small practice’s needs, especially when you factor in the included BAA and compliance documentation.
Pricing tiers:
- HIPAA-Compliant Cloud: ~$95/mo (flat, no intro/renewal gap)
- Higher tiers available for dedicated resources, multi-region, and healthcare application hosting
- BAA: included at no cost
Pros:
- Purpose-built HIPAA cloud infrastructure since 2010 — not a general host with a compliance add-on
- SOC 2 Type II + HITECH attestation — the strongest compliance documentation stack in this comparison
- Hypervisor-level audit logging: captures access at the infrastructure layer, not just the application layer
- BAA executed same-day at no cost
- ~$95/mo flat pricing — no intro-to-renewal gap
Cons:
- 99.94% uptime — slightly below Liquid Web’s 99.97%; one 12-minute incident in testing
- 218ms uncached TTFB — slower than Liquid Web (182ms) and Cloudways (152ms) uncached
- Less name recognition means less community documentation and fewer pre-built integration guides
- Support response time averaged 6–8 minutes in late-night testing — adequate, not exceptional
HIPAA Vault — Best Turn-Key for Small Practices
Best for: Small practices without in-house IT who need a fully managed, all-in-one HIPAA hosting solution
HIPAA Vault positions itself as the option for practices that don’t have a sysadmin on retainer. They handle patch management, vulnerability scanning (on Professional+ tiers), BAA execution, and can add encrypted email for $29/mo — which is a meaningful differentiator if you’re replacing a legacy email system that’s been holding PHI in a non-compliant inbox.
BAA execution is same-day, which matters when you’re mid-implementation and have a compliance deadline. Their Professional+ tier includes quarterly vulnerability scans — a requirement many practices don’t realise falls on them, not their EHR vendor.
Performance. Here’s where HIPAA Vault requires honest disclosure. In my 6-week test (slightly shorter than others due to onboarding time), uptime was 99.89% — the lowest in this comparison — with one weekend incident lasting 3.5 hours. TTFB measured 308ms uncached, and k6 at 50 concurrent users averaged 490ms — the slowest of the group by a meaningful margin. For a patient portal handling concurrent logins during morning check-in, 490ms at 50 users is noticeable.
This isn’t a dealbreaker for every use case. A small practice’s marketing site, appointment request form, or staff portal rarely sees 50 simultaneous users. But go in with eyes open: the compliance depth is strong, the performance envelope is narrower.
Pricing tiers:
- Basic: ~$199/mo (fully managed, BAA included, daily backups)
- Professional: higher pricing tier (adds vulnerability scanning, enhanced audit logging)
- Encrypted email add-on: $29/mo
- BAA: included same-day at no cost
Pros:
- Same-day BAA execution — fastest of the group
- Fully managed: patches, updates, backups handled without client involvement
- Quarterly vulnerability scanning on Professional+ — goes beyond infrastructure into active security testing
- Encrypted email add-on at $29/mo — covers a common PHI leakage vector
- Designed for non-technical medical practice owners; onboarding is well-supported
Cons:
- 99.89% uptime with a 3.5-hour weekend outage in testing — the weakest reliability record in this group
- 490ms average at 50 concurrent users — slowest in the comparison; morning patient portal rushes will feel this
- ~$199/mo entry — the highest entry price of any host tested; justified for full-managed practices, hard to justify for a simple marketing site
- 308ms uncached TTFB — mediocre for a premium-priced product
Kinsta Enterprise — Best for Healthcare WordPress
Best for: Healthcare organisations running WordPress-based patient portals, health content platforms, or provider directories at scale
Kinsta’s standard plans do not include a BAA. This is a critical distinction: you need enterprise tier, and you need to negotiate the BAA directly with Kinsta’s legal team. Expect 2–4 weeks for that process. If you need a BAA signed this week, Kinsta is not your answer.
If you have the time and budget, the result is among the most performant WordPress hosting available. Google Cloud Platform C2 instances, Redis object caching included at all enterprise tiers, and a developer tooling stack (SSH, WP-CLI, Git, staging environments) that makes healthcare content workflows manageable without a full engineering team.
Performance. In my testing (using publicly available Kinsta benchmark data supplemented with independent monitoring), TTFB ran ~80–120ms US on enterprise infrastructure — the fastest uncached performance in this comparison. Support response via live chat averaged under 2 minutes in documented tests, with WordPress-specialist agents on every shift.
Pricing. Enterprise plans at Kinsta start around $500+/mo with custom pricing depending on site count, visit volume, and storage. There is no publicly listed enterprise price — you negotiate based on usage. Budget the BAA negotiation process (2–4 weeks) alongside the commercial terms discussion; they run in parallel.
Pricing tiers:
- Enterprise: custom pricing, typically $500+/mo
- BAA: negotiated at enterprise tier; takes 2–4 weeks to execute
- Redis object caching, SSH, Git, and staging: included at enterprise tier
Pros:
- ~80–120ms TTFB on Google Cloud C2 — fastest uncached performance in this comparison
- Redis object caching included — critical for WordPress sites with concurrent authenticated sessions
- Developer tooling: SSH, WP-CLI, Git, staging environments at enterprise tier
- <2-minute live chat support with WordPress-specialist agents
- 99.99% uptime backed by Google Cloud infrastructure
Cons:
- BAA only at enterprise tier — standard plans ($35–$450/mo) explicitly exclude HIPAA workloads
- 2–4 week BAA negotiation — not viable for practices with immediate compliance deadlines
- $500+/mo entry — the highest cost in this comparison; many small practices cannot justify it for a marketing site
- No phone support — live chat and email only
- Monthly visit limits with overage charges; a high-traffic patient portal needs careful capacity planning
For non-HIPAA healthcare marketing sites or provider blogs that don’t handle PHI, Kinsta’s standard plans are excellent. See our Best Managed WordPress Hosting 2026 guide for the full comparison including non-healthcare use cases. Full Kinsta pricing and plans available via host-hive.net/go/kinsta.
Cloudways + AWS — Best for Technical Teams
Best for: Development teams and technically sophisticated practices that want high-performance infrastructure and understand the compliance configuration responsibility
Critical clarification first: Cloudways itself does not sign a BAA. If you use Cloudways on DigitalOcean, Vultr, or Linode, you have no valid HIPAA Business Associate Agreement with any infrastructure provider. You are out of compliance for PHI workloads, full stop.
The valid HIPAA configuration is: AWS signs the BAA directly with you (at no cost, through the AWS console), and Cloudways runs on top of AWS infrastructure as your application management layer. AWS’s BAA covers the underlying infrastructure; Cloudways handles the server management interface. This is a legitimate architecture, but it requires you to understand exactly what you’ve configured and maintain AWS compliance settings yourself.
Performance. This combination delivers the best raw performance numbers in the comparison. TTFB measured 152ms uncached and 41ms cached with Breeze (Cloudways’ built-in caching). k6 at 50 concurrent users averaged 280ms — the fastest in the group. At 100 concurrent users, 420ms average with a 2.3% error rate — that error rate at high concurrency is something to monitor and tune before deploying a high-traffic patient portal.
In eight weeks of monitoring, uptime recorded 99.95% — strong and consistent, with no incidents requiring emergency response.
Pricing tiers:
- Cloudways on AWS: from $36/mo (DigitalOcean-equivalent pricing on AWS infrastructure)
- AWS BAA: executed in AWS console at no cost
- Cloudways management layer: monthly subscription, no intro/renewal gap on standard billing
Pros:
- 41ms cached TTFB — fastest in the comparison when properly tuned
- 280ms at 50 concurrent users — fastest in the group at this concurrency level
- AWS BAA available at no cost via AWS console
- Breeze caching built in; Redis available on higher tiers
- 99.95% uptime in 8-week testing; no unplanned incidents
- Flexible infrastructure scaling via AWS as usage grows
Cons:
- Cloudways does not sign a BAA — you must execute the BAA with AWS directly and understand the compliance boundary
- 2.3% error rate at 100 concurrent users — requires tuning before high-concurrency patient-facing deployment
- Requires genuine technical expertise: AWS IAM, security groups, PHI handling, audit logging configuration
- No managed compliance documentation — you prove compliance, not the host
- If your developer leaves, the compliance configuration knowledge leaves with them
- For a broader VPS and cloud hosting context, this architecture requires the same self-management discipline as a raw VPS
Start with Cloudways on AWS if you have the technical team to configure it correctly.
Use Case Recommendations
Solo or small practice (1–5 providers), non-technical staff: HIPAA Vault. You pay more, but you get a fully managed stack with same-day BAA execution and someone to call who understands HIPAA, not just servers.
Multi-location medical group or health system, needs phone support: Liquid Web managed dedicated or VPS. BAA in standard onboarding, 24/7 Heroic Support with phone, and the performance to handle concurrent patient sessions.
Healthcare startup or SaaS building patient-facing tools: Atlantic.Net. Purpose-built HIPAA cloud, hypervisor-level audit logging, HITECH attestation, and $95/mo flat pricing that scales to your growth stage.
Enterprise healthcare organisation running WordPress at scale: Kinsta Enterprise — but budget the 2–4 week BAA negotiation and the $500+/mo entry. If you need it this week, go to Liquid Web or Atlantic.Net first.
Internal tech team with AWS experience: Cloudways + AWS. Fastest performance, lowest entry cost, but the compliance configuration and audit responsibility sits entirely with your team.
Practice marketing site only (no PHI collected): For a site that collects zero patient data — just your address, hours, and a general contact form — you technically don’t need HIPAA hosting. Bluehost or SiteGround handle this use case at a fraction of the cost. But the moment that contact form asks about health conditions, symptoms, insurance, or anything that could constitute PHI, you’re back to BAA territory.
Staff Access Controls: Don’t Overlook MFA
One area practices get wrong regardless of which host they choose: staff authentication to the hosting control panel and CMS dashboard.
A signed BAA and AES-256 encryption means nothing if a team member’s credentials are compromised and an attacker logs directly into your WordPress admin or hosting panel. HIPAA’s Technical Safeguard standards (45 CFR § 164.312) require unique user identification and automatic logoff — they strongly imply MFA for remote access to systems handling PHI.
The YubiKey 5 NFC is what I deploy for practice admins who need phishing-resistant MFA without depending on a phone signal. It works with WordPress (via WP 2FA plugin), most hosting control panels, and AWS IAM. For front desk staff and billing coordinators who access scheduling systems, hardware keys are more reliable than SMS codes and significantly harder to socially engineer.
Pricing Deep Dive: Intro vs Renewal
| Host | Intro Price | Renewal Price | BAA Cost | Key Terms |
|---|---|---|---|---|
| Liquid Web Managed VPS | $25/mo | $45/mo (80% increase) | Included | No minimum term at managed tier |
| Atlantic.Net HIPAA Cloud | ~$95/mo | ~$95/mo (flat) | Included | No intro/renewal gap |
| HIPAA Vault Basic | ~$199/mo | ~$199/mo (flat) | Included same-day | Monthly billing available |
| Kinsta Enterprise | Custom (~$500+/mo) | Custom (flat) | Negotiated (2–4 wks) | Annual contract typical |
| Cloudways + AWS | $36/mo | $36/mo (flat) | AWS: free; Cloudways: N/A | AWS BAA executed separately |
The most important line in this table: Liquid Web’s VPS intro-to-renewal gap. A practice that budgets $25/mo and renews at $45/mo has a real budget surprise in year two. Always budget the renewal figure. For context on how renewal pricing works across the broader hosting market, our Best Cheap Hosting 2026 guide documents the full spectrum of intro-to-renewal gaps — from 0% to 803%.
What We Rejected and Why
Bluehost. Newfold Digital explicitly excludes HIPAA compliance in their terms of service. No BAA available, no path to get one. Full stop. We otherwise cover Bluehost for non-healthcare use cases in our Bluehost Review 2026.
SiteGround. Standard plans include no BAA and no HIPAA compliance documentation. SiteGround is an excellent host for non-HIPAA practice marketing sites — fast TTFB, solid uptime, good support. The moment PHI enters the picture, it’s the wrong provider. Their enterprise path to a BAA is unclear; I couldn’t get a confirmed answer from their compliance team after two follow-up requests.
Hostinger. No BAA available at any tier. Resource caps on shared plans (2 CPU cores, 1.536GB RAM maximum) are inadequate for concurrent patient portal sessions regardless. Also rejected for the same reasons covered in our Bluehost vs Hostinger 2026 comparison.
WP Engine standard plans. No BAA on standard or Growth plans. Enterprise may have a negotiation path, but their compliance team was unable to confirm a BAA timeline or structure during my inquiry. Standard plans are otherwise good managed WordPress hosting — see our WP Engine Review 2026 for their non-healthcare use case strengths.
Final Verdict
For most medical practices: Liquid Web. The BAA is standard onboarding, the Heroic Support team picks up the phone, SOC 2 Type II is documented, and the performance holds across concurrent patient sessions. The VPS intro-to-renewal gap ($25 → $45/mo) is the one thing to budget consciously.
For compliance-first healthcare organisations: Atlantic.Net. Purpose-built HIPAA cloud since 2010, HITECH attestation, hypervisor-level audit logging, and flat $95/mo pricing. The 218ms uncached TTFB and 99.94% uptime slightly trail Liquid Web, but the compliance depth is unmatched at this price.
For fully managed small practices: HIPAA Vault at $199/mo — if you have no technical staff and need someone else to handle everything, the managed approach is worth the premium. Just document the 3.5-hour incident pattern and maintain independent backups.
For enterprise WordPress at scale: Kinsta Enterprise, but only after the 2–4 week BAA negotiation and with a budget to match.
For technical teams: Cloudways + AWS — with the explicit understanding that compliance configuration responsibility sits entirely with your team, and Cloudways itself has no BAA to offer.
The bottom line: if a hosting provider tells you they’re “HIPAA certified” without producing a signed BAA and documented technical controls, walk away. HIPAA compliance is a legal framework, not a marketing claim. The five providers above have earned my recommendation for different reasons — all of them start with a willingness to sign the agreement that makes the legal relationship real.
For related compliance reading, our Best GDPR-Compliant European Hosts 2026 covers the equivalent European regulatory framework for practices serving international patients. For backup strategies that satisfy HIPAA’s Data Backup Plan requirements (45 CFR § 164.308(a)(7)), our Best Hosting with Daily Backups 2026 guide covers what counts.
Frequently Asked Questions
What is a Business Associate Agreement (BAA) and why does every HIPAA hosting guide talk about it?
A Business Associate Agreement is a legally required contract between a covered entity (your medical practice) and any vendor that creates, receives, maintains, or transmits Protected Health Information on your behalf. Your web host qualifies as a Business Associate if your website collects, stores, or transmits patient data in any form. Without a signed BAA, you are operating outside HIPAA requirements regardless of your host’s technical security — the legal relationship doesn’t exist. HHS can and does cite the absence of a BAA as a standalone HIPAA violation.
Does my practice website need HIPAA hosting if it only has a contact form?
It depends on what that contact form asks. A general contact form collecting name, email, and “I’d like to book an appointment” almost certainly does not create PHI. A form that asks about symptoms, medications, insurance, or health conditions almost certainly does. The line is whether the information submitted could identify a person AND relate to their health status, healthcare receipt, or payment for healthcare. When in doubt, use HIPAA hosting — the cost difference between a standard host and a HIPAA-compliant one is smaller than the cost of a single HHS inquiry.
Is Cloudways HIPAA compliant?
No — Cloudways itself does not sign a BAA. The compliant architecture is using Cloudways on top of AWS, where AWS signs the BAA directly with your organisation. AWS’s BAA covers the underlying infrastructure; Cloudways functions as the management interface above it. This is a legitimate approach, but it requires your team to understand exactly what’s covered by the AWS BAA, correctly configure AWS security settings, and maintain compliance documentation independently. If your team doesn’t have that capability, choose a provider like Liquid Web or Atlantic.Net that handles the compliance layer directly.
What is the difference between SOC 2 Type II and HIPAA compliance?
SOC 2 Type II is an independent audit of a service organisation’s controls related to security, availability, processing integrity, confidentiality, and privacy over a defined period (typically 12 months). It demonstrates that a host’s security controls exist and operate effectively — relevant evidence for HIPAA compliance, but not a substitute for it. HIPAA compliance requires specific administrative, physical, and technical safeguards defined in 45 CFR Parts 160 and 164. A host can hold SOC 2 Type II and still not be suitable for HIPAA workloads if they won’t sign a BAA or lack specific technical controls (encryption at rest, audit logging, access controls). Both matter — SOC 2 Type II is an audit result, HIPAA is a legal compliance framework.
Can I use shared hosting for a HIPAA-compliant medical website?
Almost never. HIPAA’s Physical Safeguard standards (45 CFR § 164.310) require controls limiting physical access to systems handling PHI. Shared hosting places your data on hardware shared with other customers, administered by staff who access the shared environment for any tenant. That co-mingling makes it practically impossible to satisfy Physical Safeguard requirements for PHI. The only shared hosting exception might be a pure marketing site that collects zero patient data — but the moment PHI enters the picture, you need isolated infrastructure: VPS, dedicated server, or purpose-built cloud.
How long does it take to get a BAA signed with a hosting provider?
It varies significantly by provider. HIPAA Vault: same-day. Liquid Web: typically 1–3 business days via standard onboarding. Atlantic.Net: 1–5 business days. Kinsta Enterprise: 2–4 weeks (legal review cycle). AWS (for Cloudways+AWS setup): immediate via AWS console for most standard service types. If you have a compliance deadline — a go-live date, an audit, or a patient portal launch — factor the BAA execution timeline into your planning. Same-day or next-day execution is available if you choose the right provider.
What happens if I experience a data breach while using HIPAA hosting?
HIPAA’s Breach Notification Rule (45 CFR §§ 164.400–414) requires notifying affected individuals within 60 days of breach discovery, notifying HHS, and — for breaches affecting 500+ individuals — notifying prominent media in the affected state. Your hosting provider’s incident response procedures matter here: how quickly they detect the breach, what logs they preserve, and how they cooperate with your investigation. Providers with SOC 2 Type II and documented incident response (Liquid Web, Atlantic.Net) have defined procedures. Penalties range from $100 to $50,000 per violation, with annual maximums up to $1.9 million per violation category. The BAA governs how your host’s obligations flow in the event of a breach — which is another reason it isn’t optional.
Some links on this page are affiliate links. If you click one and purchase or sign up for a service, we earn a commission at no extra cost to you. This does not influence our editorial recommendations — see our disclosure for details.