
HIPAA Compliant Server: Requirements and Options in 2026

By Joseph Abear

Last updated: July 3, 2026

A HIPAA compliant server is a physical or virtual machine that stores, processes, or transmits electronic protected health information (ePHI) under a signed Business Associate Agreement (BAA), with the HIPAA Security Rule safeguards configured on the machine itself. That means encryption at rest and in transit, named user accounts with least privilege, automatic logoff, audit logging, and tested encrypted backups, all required by 45 CFR § 164.312. No server is compliant out of the box. The hardware and the operating system are just materials. The BAA and the configuration are what make a HIPAA compliant server, whether it is a dedicated machine, a virtual private server (VPS), or a cloud instance. This guide covers the requirements, the server types, and the mistakes that fail audits.

TL;DR: Quick answer

  • A HIPAA compliant server needs two things: a signed BAA with whoever operates it, under 45 CFR § 164.308(b), and the technical safeguards at 45 CFR § 164.312 configured on the machine.

  • The core controls are AES-256 encryption at rest, TLS 1.2 or higher in transit, unique user IDs, automatic logoff, audit logging, and encrypted backups you have actually restored.

  • Dedicated servers, VPS instances, and cloud servers can all be made compliant. Dense shared hosting cannot, because it lacks isolation.

  • Cloud servers like Amazon EC2 are HIPAA eligible, not compliant by default. You or a managed host must do the configuration.

  • A compliant server does not make your organization compliant. Policies, training, and a risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) stay your job.

What makes a server HIPAA compliant?

HIPAA never names servers. It regulates ePHI, and the Security Rule applies to any system that touches it. So a HIPAA compliant server is defined by what is wrapped around the machine, not the machine itself. Two layers matter. The first is legal: whoever runs the server for you maintains ePHI on your behalf, which makes them a Business Associate under 45 CFR § 160.103, and § 164.308(b) requires a signed BAA before any patient data lands on the box. The second is technical: the safeguards at § 164.312, configured and documented. A hardened server with no BAA is a violation. A signed BAA over an unhardened server is too. Both layers have to be present, which is the same two-part rule that governs the whole stack in our complete guide to HIPAA-compliant hosting.

HIPAA compliant server requirements, mapped to the rule


Here is what the Security Rule requires on the machine, control by control.

| Requirement | Citation | On the server |
| --- | --- | --- |
| Encryption at rest | § 164.312(a)(2)(iv) | Disks, databases, and snapshots encrypted, commonly AES-256 |
| Encryption in transit | § 164.312(e)(1) | TLS 1.2 or higher on every connection; no plain HTTP or FTP |
| Unique user IDs | § 164.312(a)(2)(i) | Named accounts, least privilege, no shared root login |
| Automatic logoff | § 164.312(a)(2)(iii) | Idle SSH and admin sessions time out |
| Audit controls | § 164.312(b) | Logins, changes, and ePHI access logged and reviewed |
| Integrity | § 164.312(c)(1) | File integrity monitoring, checksummed backups |
| Backups and recovery | § 164.308(a)(7) | Encrypted automatic backups with a tested restore |

Two notes on the fine print. Encryption is an "addressable" specification under § 164.306(d), which means you implement it or document an equal alternative. For a server holding ePHI, no credible alternative exists, so treat it as required. And documentation, including logs and backup tests, must be kept for six years under § 164.316(b)(2)(i). The full control checklist for the whole environment is in our HIPAA hosting security measures guide.
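The rows for automatic logoff, unique user IDs, and encryption in transit can be checked mechanically from the files where they live. The script below is an added example, not code from the article or its hosting service: it audits an OpenSSH `sshd_config` and an nginx-style `ssl_protocols` line against those three rows. Both configurations are constructed samples, and the 15-minute idle ceiling is this script's assumption, not a figure HIPAA specifies.

```shell
#!/bin/sh
# Added example: audit sshd_config and a web-server TLS stanza against three
# rows of the requirements table. Configs below are constructed samples; the
# 900-second idle ceiling is an assumption of this script, not a HIPAA number.

# Effective value of an sshd_config directive: comments ignored, keyword matched
# case-insensitively the way sshd does, last occurrence wins.
sshd_value() {  # $1 = file, $2 = directive
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { val = $2 }
        END { print val }' "$1"
}

# Prints one FAIL line per missing control; returns 1 if any, 0 when the file passes.
audit_sshd() {  # $1 = sshd_config path
    cfg=$1; rc=0
    # Automatic logoff, § 164.312(a)(2)(iii): idle sessions must be dropped.
    interval=$(sshd_value "$cfg" ClientAliveInterval)
    count=$(sshd_value "$cfg" ClientAliveCountMax)
    : "${interval:=0}" "${count:=3}"        # OpenSSH defaults: 0 (never) and 3
    if [ "$interval" -eq 0 ] || [ "$count" -eq 0 ]; then
        echo "FAIL automatic logoff: ClientAliveInterval/ClientAliveCountMax disable idle disconnect"; rc=1
    elif [ $((interval * count)) -gt 900 ]; then
        echo "FAIL automatic logoff: idle sessions survive $((interval * count))s (assumed ceiling 900s)"; rc=1
    fi
    # Unique user IDs, § 164.312(a)(2)(i): no shared root login over SSH.
    if [ "$(sshd_value "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FAIL unique user IDs: PermitRootLogin must be 'no'"; rc=1
    fi
    return $rc
}

# Encryption in transit, § 164.312(e)(1): only TLS 1.2 and 1.3 may be offered.
# Reads an nginx-style ssl_protocols directive (last one wins, a simplification).
audit_tls() {  # $1 = nginx config path
    protos=$(awk '$0 !~ /^[ \t]*#/ && $1 == "ssl_protocols" { sub(/;.*/, ""); $1 = ""; line = $0 }
                  END { print line }' "$1")
    [ -n "$protos" ] || { echo "FAIL in transit: no ssl_protocols directive, server default applies"; return 1; }
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL in transit: $p offered; allow TLS 1.2 or higher only"; return 1 ;;
        esac
    done
    return 0
}

# Constructed samples: a stock-looking and a hardened version of each file.
WORK=$(mktemp -d)
cat > "$WORK/sshd_stock" <<'EOF'
# sshd_config as shipped: no idle timeout, root may log in
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$WORK/sshd_hardened" <<'EOF'
PermitRootLogin no
clientaliveinterval 300
ClientAliveCountMax 2
EOF
cat > "$WORK/nginx_stock" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # kept for legacy clients
EOF
cat > "$WORK/nginx_hardened" <<'EOF'
    ssl_protocols TLSv1.2 TLSv1.3;
EOF

for name in sshd_stock sshd_hardened; do
    echo "== $name"; audit_sshd "$WORK/$name" && echo "PASS"
done
for name in nginx_stock nginx_hardened; do
    echo "== $name"; audit_tls "$WORK/$name" && echo "PASS"
done
```

Run it as-is to see the stock samples fail and the hardened ones pass; on a real host point `audit_sshd` at `/etc/ssh/sshd_config` and `audit_tls` at the site configuration. Keep the output with the date: § 164.316(b)(2)(i) makes the record of the check part of the evidence.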

Which server types can be HIPAA compliant?

  • Dedicated server. A physical machine that is all yours. Isolation is built in, which simplifies the risk analysis. You still configure every safeguard, or pay a managed host to.

  • Virtual private server (VPS). A virtual slice of a machine with reserved resources. Compliant when the provider signs a BAA and the isolation between tenants is real. Ask how tenants are separated.

  • Cloud server. An instance like Amazon EC2. HIPAA eligible under the AWS BAA, but the shared responsibility model leaves OS hardening, access, and logging to you. The details are in our guide "Is AWS HIPAA compliant?", and the wider model in HIPAA compliant cloud hosting.

  • Database server. The machine where most ePHI comes to rest, and the highest-value target on the stack. It has its own hardening rules, covered in HIPAA compliant database hosting.

  • File transfer server. A HIPAA compliant SFTP server moves files over an encrypted channel with named logins and transfer logs. Plain FTP can never qualify, because it sends data and passwords unencrypted.

  • On-premises server. A machine in your office can be compliant, but you take on the physical safeguards at 45 CFR § 164.310 too: facility access, media disposal, and theft protection that data centers handle for you.

What cannot be compliant is dense shared hosting, where hundreds of unrelated sites share one machine with no meaningful isolation and no BAA. The price is attractive. The architecture is disqualifying.

The mistakes that fail a server audit

  • A public database port. The database listens only on a private network. Only the application reaches it.

  • Shared or default logins. Every admin has a named account, and the default root password is long gone.

  • TLS on the website but not inside. Encryption in transit covers server-to-database and server-to-backup connections too, not just the browser.

  • Logs nobody reads. § 164.312(b) expects review, not just collection.

  • An untested restore. A backup you have never restored is a hope, not a recovery plan.

  • Patching that waits. An unpatched OS or web server is the most common way a hardened machine quietly stops being hardened.
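Two of the mistakes above, the public database port and the untested restore, are the easiest to turn into a repeatable check. The script below is an added example, not the article's or any vendor's code: the first function flags database listeners that are bound to anything other than loopback or a private address, the second makes a checksummed backup and then proves it by restoring into a scratch directory and comparing every file. The socket listing and the sample data are constructed; the list of database ports is this script's assumption.

```shell
#!/bin/sh
# Added example: two checks for items in the audit-mistakes list. The ss output
# and the sample files are constructed; the database port list is an assumption.

# --- Check 1: is a database port reachable from outside the private network?
# Input: lines in `ss -tlnH` layout (State Recv-Q Send-Q Local:Port Peer:Port).
# Prints one FAIL per exposed database listener; returns 1 if any.
check_db_listeners() {  # $1 = file holding ss output
    rc=0
    while read -r state recvq sendq local peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}                 # text after the last colon
        addr=${local%:*}                  # everything before it
        case $port in
            5432|3306|1433|27017) ;;      # PostgreSQL, MySQL, SQL Server, MongoDB (assumed list)
            *) continue ;;
        esac
        case $addr in
            127.*|\[::1\]|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) echo "FAIL public database port: $local is not bound to loopback or a private address"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# --- Check 2: a backup is evidence only once it has been restored and compared.
# make_backup archives a directory and records a SHA-256 of the archive next to it.
# Encryption of the archive at rest is left to the volume or a KMS-backed tool.
make_backup() {  # $1 = source dir, $2 = archive path
    tar -C "$1" -czf "$2" . || return 1
    sha256sum "$2" > "$2.sha256"
}

# verify_restore refuses an archive whose checksum changed (integrity,
# § 164.312(c)(1)), restores it into a scratch directory, and diffs the result
# against the source (tested restore, § 164.308(a)(7)). Returns 0 only on a
# byte-for-byte match.
verify_restore() {  # $1 = source dir, $2 = archive path
    sha256sum -c "$2.sha256" >/dev/null 2>&1 || { echo "FAIL integrity: $2 does not match its recorded checksum"; return 1; }
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$2" || { rm -rf "$scratch"; return 1; }
    if diff -r "$1" "$scratch" >/dev/null; then rc=0; else echo "FAIL restore: restored tree differs from source"; rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Constructed inputs.
WORK=$(mktemp -d)
cat > "$WORK/ss_exposed" <<'EOF'
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 80 10.0.1.12:3306 0.0.0.0:*
LISTEN 0 128 *:27017 *:*
EOF
cat > "$WORK/ss_private" <<'EOF'
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 244 10.0.1.12:5432 0.0.0.0:*
LISTEN 0 244 [::1]:5432 [::]:*
EOF
SRC="$WORK/ephi"; mkdir -p "$SRC/records"
printf 'constructed sample record, not real ePHI\n' > "$SRC/records/patient-0001.txt"
ARCHIVE="$WORK/ephi-backup.tgz"

echo "== listeners (exposed sample)"; check_db_listeners "$WORK/ss_exposed" && echo "PASS"
echo "== listeners (private sample)"; check_db_listeners "$WORK/ss_private" && echo "PASS"
echo "== backup and restore"; make_backup "$SRC" "$ARCHIVE" && verify_restore "$SRC" "$ARCHIVE" && echo "PASS"
```

On a live host, feed `check_db_listeners` the output of `ss -tlnH` and run `verify_restore` against the backup that was actually taken overnight, not a fresh one made for the test; the point of the exercise is that the artifact you would reach for in an incident restores cleanly. The exposed sample produces two findings (the PostgreSQL and MongoDB wildcard binds); the loopback and 10.x binds are accepted.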

Build the server yourself or rent it managed?

You have the same two paths as everywhere in HIPAA hosting. Configure and operate the machine yourself, which gives full control and makes every safeguard on the table above your recurring job. Or use a managed host that delivers the server already hardened, with the BAA, monitoring, patching, and backups included. Teams with security engineers often prefer control. Practices and product teams without them usually get to a defensible setup faster on the managed path.

If you would rather rent the server already compliant

The gap between a stock server and a HIPAA compliant server is weeks of configuration and a permanent upkeep duty. Our managed HIPAA cloud hosting provisions single-tenant AWS servers that arrive with the BAA signed, encryption at rest and in transit, a web application firewall, six-year audit logging, and tested encrypted backups. That is a HIPAA compliant server as a monthly service from HIPAA compliant hosting built for healthcare. We sell this, so weigh that as a disclosure. If you want a straight read on whether your current machine passes the table above, tell us what you are running.

Frequently asked questions

What are the HIPAA compliant server requirements?

A signed BAA with the operator under 45 CFR § 164.308(b), plus the technical safeguards at § 164.312: encryption at rest and in transit, unique user accounts with least privilege, automatic logoff, audit logging, integrity controls, and encrypted backups with a tested restore.

Is a cloud server HIPAA compliant?

It can be. Instances like Amazon EC2 are HIPAA eligible under the provider's BAA, but not compliant by default. You or a managed host must harden the OS, configure encryption and access control, and turn on logging under the shared responsibility model.

Do I need a dedicated server for HIPAA?

No. HIPAA requires isolation and safeguards, not specific hardware. A dedicated server, a properly isolated VPS, and a single-tenant cloud server can all qualify. Dense shared hosting cannot, because tenants are not meaningfully separated.

Can a web server be HIPAA compliant?

Yes. A HIPAA compliant web server serves pages over TLS 1.2 or higher, runs under a BAA, keeps access logs, and never stores form submissions or uploads unencrypted. The same § 164.312 safeguards apply to it as to any machine touching ePHI.

Does a HIPAA compliant server make my organization compliant?

No. The server covers the infrastructure layer. Your risk analysis under 45 CFR § 164.308(a)(1)(ii)(A), workforce training, access decisions, and vendor BAAs remain your responsibility.

Recap: HIPAA compliant server

To recap, a HIPAA compliant server is a machine under a signed BAA with the § 164.312 safeguards configured: encryption at rest and in transit, named accounts, automatic logoff, audit logging, integrity controls, and tested backups. Dedicated, VPS, and cloud servers can all get there. Shared hosting cannot. The hardware is the easy part. The BAA, the configuration, and the upkeep are what you are really buying, whether you build it or rent it managed.

This article is general information, not legal advice. Confirm your obligations with qualified counsel and base your safeguards on a documented risk analysis. The December 2024 Security Rule NPRM is not final as of July 2026. Reviewed July 2026.
