What Are Compliant Hosting Services? A Plain-English Guide
Compliant hosting services are hosting environments that are configured, documented, and contractually backed to meet a specific regulatory framework or security standard, such as HIPAA, PCI DSS, SOC 2, or HITRUST. The word "compliant" never stands alone. It always points to a named standard, and each standard assigns different obligations to the hosting provider and to you. For healthcare organizations, that standard is HIPAA, and the contractual piece is a Business Associate Agreement (BAA) required under 45 CFR § 164.308(b) and § 164.504(e).
TL;DR: Quick answer
- "Compliant hosting" always refers to a named framework; HIPAA, PCI DSS, SOC 2, and HITRUST each set different requirements, and a host can meet one without meeting the others.
- For HIPAA, a host that touches electronic protected health information (ePHI) is a Business Associate under 45 CFR § 160.103 and must sign a BAA before any PHI is stored or transmitted.
- Compliance is shared: the host secures infrastructure, but the customer still owns risk analysis under 45 CFR § 164.308(a)(1)(ii)(A), user access decisions, and application-level safeguards.
- No official "HIPAA certification" exists; HHS does not certify hosts. SOC 2 Type II and HITRUST CSF are third-party attestations, not HIPAA certifications.
- HIPAA penalties are real money: as of January 28, 2026, civil penalties range from $145 to $73,011 per violation in Tier 1, with a top tier reaching $2,190,294.
What does "compliant hosting" actually mean?
Compliance is never generic. Each framework defines specific controls for how data must be protected, who is accountable, and what documentation must exist. A provider that calls itself "secure and compliant" without naming a standard has told you nothing you can act on. The right questions are: compliant with what, proven how, and covered by which contract.
For a medical or dental practice, a therapy group, or a healthcare SaaS company, the framework that matters is HIPAA. The HIPAA Security Rule sets administrative safeguards (45 CFR § 164.308), physical safeguards (§ 164.310), and technical safeguards (§ 164.312) for any system that stores, processes, or transmits ePHI. A hosting provider that handles ePHI on your behalf meets the definition of a Business Associate in 45 CFR § 160.103, which means the provider must sign a BAA and implement Security Rule safeguards itself.
Which compliance frameworks apply to hosting, and to whom?
| Framework | Who it applies to | What it covers in hosting |
|---|---|---|
| HIPAA | US Covered Entities (providers, health plans, clearinghouses) and their Business Associates | ePHI safeguards under 45 CFR §§ 164.308, 164.310, 164.312; a signed BAA; breach notification under §§ 164.400-414 |
| PCI DSS | Any organization that stores, processes, or transmits payment card data | Cardholder data environment segmentation, encryption, vulnerability management; enforced by card networks, not government |
| SOC 2 | Service organizations of any kind | An auditor's attestation that the provider's security controls operated effectively over a period (Type II); useful evidence, not a law |
| HITRUST CSF | Mostly healthcare vendors | A certifiable framework that maps to HIPAA and other standards; a strong signal, but not a government certification |
| GDPR | Organizations handling personal data of people in the EU | Data processing agreements, data residency, and processor obligations |
One important distinction: HIPAA has no official certification program. HHS does not certify hosting providers, software, or anyone else. A host claiming to be "HIPAA certified" is misstating how the law works. The accurate claims are "HIPAA-eligible infrastructure," "BAA-covered services," or "supports HIPAA compliance," ideally backed by independent attestations such as SOC 2 Type II or HITRUST CSF.
What does the host owe you, and what stays your responsibility?
Compliant hosting splits obligations between provider and customer. A genuine HIPAA hosting provider should deliver:
- A signed BAA before any ePHI touches its systems, as required by 45 CFR § 164.308(b).
- Encryption at rest, addressing 45 CFR § 164.312(a)(2)(iv), and encryption in transit under § 164.312(e)(1) and (e)(2)(ii). Both encryption specifications are "addressable," so the host's implementation does not relieve you of documenting, in your own risk analysis, how ePHI is protected on every path it travels.
- Audit controls that record activity in systems containing ePHI, per § 164.312(b).
- Access management supporting unique user identification (§ 164.312(a)(2)(i)) and automatic logoff (§ 164.312(a)(2)(iii)).
- Backups and contingency support aligned with the contingency plan standard in § 164.308(a)(7).
- Breach notification commitments so you can meet the 60-day individual notification deadline in § 164.404.
What the host cannot do for you: conduct your risk analysis under § 164.308(a)(1)(ii)(A), decide which staff get access to which records, train your workforce, write your policies, or retain your compliance documentation for the six years required by § 164.316(b)(2)(i). Every cloud and hosting arrangement works on a shared responsibility model. AWS describes this explicitly, and the same logic applies to managed hosts. Our guide to HIPAA hosting security measures breaks down each control in detail, and who needs HIPAA-compliant hosting covers whether the rules apply to your organization at all.
How do you verify a provider's compliance claims?
- Name the standard. Ask which framework the claim covers. "We are compliant" is not an answer; "we sign BAAs and hold a current SOC 2 Type II report" is.
- Get the BAA first. For healthcare workloads, confirm the provider signs a BAA before you share any PHI, and read what services the BAA actually covers. On AWS, for example, the BAA covers only the more than 150 services on the HIPAA Eligible Services Reference; PHI in a non-eligible service is outside the agreement.
- Request evidence. SOC 2 Type II reports, HITRUST certifications, and penetration test summaries are reasonable asks under NDA.
- Map responsibilities in writing. Ask for a responsibility matrix showing which Security Rule safeguards the host implements and which remain yours.
- Check breach terms. The BAA should obligate the host to report security incidents to you quickly enough that you can meet HIPAA's notification deadlines under §§ 164.404-408. Watch the default: § 164.410 gives a Business Associate up to 60 days after discovery to notify you, which would consume your entire 60-day window under § 164.404, so negotiate a contractual reporting deadline measured in days, not weeks.
The stakes justify the diligence. Under the penalty amounts effective January 28, 2026 (45 CFR § 102.3), HHS OCR can impose civil penalties from $145 per violation for unknowing violations up to $2,190,294 per violation for willful neglect that goes uncorrected, with a calendar-year cap of $2,190,294 for violations of the same provision. Our breakdown of HIPAA violation fines and penalties covers the full tier structure.
Frequently asked questions
What does compliant hosting mean?
Hosting that is configured, documented, and contractually backed to meet a specific named framework such as HIPAA, PCI DSS, SOC 2, or HITRUST. The framework defines the requirements; "compliant" by itself means nothing.
Is HIPAA hosting the same as PCI-compliant hosting?
No. HIPAA protects health information and requires a BAA under 45 CFR § 164.504(e); PCI DSS protects payment card data and is enforced contractually by card networks. A host can meet one, both, or neither. For the PCI side in depth, see PCI compliant hosting.
Can a hosting provider be HIPAA certified?
No. HHS offers no HIPAA certification for hosts or software. Providers can sign BAAs, implement Security Rule safeguards, and hold third-party attestations such as SOC 2 Type II or HITRUST CSF, but "HIPAA certified" is not an accurate claim.
Does using a compliant host make my organization compliant?
No. The host covers infrastructure safeguards under its BAA, but you remain responsible for risk analysis (45 CFR § 164.308(a)(1)(ii)(A)), workforce training, access decisions, and application configuration.
How much does compliant hosting cost?
HIPAA-grade hosting typically costs more than general hosting because of the BAA, isolation, logging, and managed security involved. See our 2026 HIPAA hosting cost guide for current figures.
Where to go from here
If your workload involves patient or client health data, start with our complete guide to HIPAA-compliant hosting. When you want a provider that signs the BAA and configures the Security Rule safeguards for you, hipaacomplianthosting.com offers managed HIPAA-compliant WordPress hosting; managed HIPAA hosting is our business, so weigh that disclosure as you compare options.
This article is general information, not legal advice. Consult qualified counsel and base your safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- 45 CFR Part 164, Subpart C (Security Rule): ecfr.gov
- HHS: The HIPAA Security Rule
- HHS: Covered Entities and Business Associates
- AWS: HIPAA Eligible Services Reference
- Federal Register: Annual civil monetary penalty inflation adjustment (Jan. 28, 2026)