Who Needs HIPAA Compliant Hosting? A Decision Framework by Role
You need HIPAA-compliant hosting if your website or application stores, processes, or transmits electronic protected health information (ePHI) and you are a covered entity or business associate as defined in 45 CFR § 160.103. That covers healthcare providers who bill electronically, health plans, clearinghouses, and the vendors who handle patient data for them: healthtech SaaS companies, billing services, telehealth platforms, and agencies. The hosting itself must sit under a signed Business Associate Agreement (BAA) per 45 CFR § 164.504(e), because a host that maintains ePHI is a business associate. Choosing HIPAA compliant hosting that includes that BAA is the baseline. The hard part is not the rule; it is recognizing when your specific site is in scope.
TL;DR: Quick answer
- HIPAA reaches covered entities (providers that transmit standard transactions such as claims electronically, health plans, clearinghouses) and business associates under 45 CFR § 160.103; both need BAA-covered hosting for any system holding ePHI.
- A hosting provider that maintains ePHI is itself a business associate, so hosting PHI without a host BAA is a violation under §§ 164.308(b) and 164.504(e).
- Marketing sites become in-scope the moment an appointment or intake form collects health details; the page does not need to be a patient portal to carry ePHI.
- OCR's risk analysis enforcement initiative produced settlements into 2026, including six-figure amounts from small entities, for failing the risk analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A).
- If no PHI ever touches the site or its notifications, standard hosting is generally fine; map data flows before buying either way.
Covered entities: providers, plans, and clearinghouses
A healthcare provider becomes a covered entity by transmitting health information electronically in connection with a standard transaction, usually insurance billing. That includes hospitals and group practices, and also solo clinicians: a therapist whose website intake form feeds an insurance-billing practice, a naturopathic doctor whose biller files electronic claims, a dental office, a home health agency. Health plans and clearinghouses are covered by definition. For any of these, a website that collects, displays, or stores patient information is an ePHI system that belongs in the risk analysis required by 45 CFR § 164.308(a)(1)(ii)(A) and on infrastructure with technical safeguards under § 164.312: encryption in transit and at rest, access controls, audit logging. For a practice-specific view of what to look for, see our guide to medical website hosting.
Business associates: SaaS, billing, telehealth, and agencies
A business associate creates, receives, maintains, or transmits PHI on behalf of a covered entity. Since the 2013 Omnibus Rule, business associates carry direct liability for Security Rule failures, and HHS OCR settles enforcement actions with them regularly; its risk analysis initiative reached software vendors and even an accounting firm through 2026. In hosting terms:
- Healthtech SaaS. Scheduling tools, EHR add-ons, remote monitoring dashboards, AI scribes. If provider customers put patient data in your product, you need HIPAA-eligible infrastructure under a BAA with your cloud provider, plus BAAs with your customers.
- Billing and revenue cycle companies. Claims data is PHI end to end.
- Telehealth platforms. Session metadata, intake, and recordings are all ePHI. See HIPAA compliant telehealth.
- Marketing and web agencies. An agency that builds or administers sites storing patient submissions, or that receives form data for a provider client, is a business associate. Most agencies discover this after the fact; our guide to HIPAA compliance for marketing agencies covers the scenarios.
Subcontractors inherit the obligation: a business associate's hosting vendor needs its own BAA, all the way down the chain.
Edge cases that surprise people
- The "brochure site" with an appointment form. A five-page marketing site for a clinic is out of scope until the contact form invites "tell us about your symptoms." Then submissions are ePHI, and the form pipeline, database, and notification emails all need safeguards.
- Telehealth landing pages. A campaign page that collects condition-specific signups ("get treatment for anxiety today" plus name and phone) is collecting health information in a treatment-seeking context.
- Tracking pixels. AHA v. HHS (N.D. Tex., June 2024) vacated OCR's position that an IP address combined with a visit to an unauthenticated page about a health condition is automatically individually identifiable health information, so that combination alone is not treated as PHI; analytics or ad pixels that capture form contents or authenticated portal activity still create exposure.
- International companies serving US patients. HIPAA follows the data, not the server's flag. A Canadian or European company acting as a business associate for a US covered entity has HIPAA obligations regardless of where it hosts; see HIPAA for non-US sites serving US patients.
- Wellness businesses outside HIPAA. Most coaches and cash-only practitioners are not covered entities, but they can be business associates by contract, and state laws like Washington's My Health My Data Act regulate consumer health data anyway.
A four-question decision test
- Does identifying information plus health information ever enter your site or app? Include free-text form fields, chat widgets, uploads, and quiz funnels, not just portals.
- Are you a covered entity, or are you handling that data for one? If neither, HIPAA hosting is not required; check state law instead.
- Does the data rest on or pass through your hosting stack? Form entries in the site database, email notifications through the server, and backups all count.
- Can your current host sign a BAA and document the § 164.312 safeguards? Most consumer shared hosting cannot. If the answer to the first three is yes and this one is no, you are already hosting ePHI without a BAA, which is itself a violation waiting to be found.
Answering yes to questions 1 through 3 means you need BAA-covered hosting. What that involves and costs is covered in our HIPAA-compliant hosting guide and the 2026 cost breakdown. Note that no host can make you "HIPAA certified"; no such certification exists. A host provides BAA-covered, compliance-ready infrastructure, and your policies, training, and risk analysis complete the picture.
Who does not need HIPAA hosting?
A site that never touches PHI: a purely informational practice site whose only contact path is a phone number, a medical device company site with no patient data, a health blog. Over-buying compliance infrastructure for a site with no ePHI wastes money; under-buying for a site with one leaky intake form creates liability that 2026 penalty tiers price at $145 to $73,011 per violation even at the lowest culpability level, the "did not know" tier (45 CFR § 102.3). The honest data-flow map, written down, is the deliverable either way; it doubles as the start of the risk analysis OCR asks for first.
Frequently asked questions
Does a small clinic website need HIPAA hosting?
Yes, if any form, chat, or upload on it collects patient information and the clinic is a covered entity. A phone-number-only brochure site generally does not.
Is regular shared hosting ever acceptable for a healthcare site?
Only when the site holds no ePHI at all. Once PHI lands in the database or mail queue, the host must sign a BAA and provide the § 164.312 safeguards, which mainstream consumer shared hosting rarely will; for one common example, see our breakdown of whether GoDaddy is HIPAA compliant.
My SaaS only stores data for one doctor's office. Do I still need this?
Yes. Business associate status does not have a size threshold, and OCR has settled with small vendors. You need a BAA with the practice and HIPAA-eligible hosting under a BAA of your own.
Does AWS count as HIPAA-compliant hosting?
AWS offers a BAA and HIPAA-eligible services, but configuration, hardening, and the application layer remain your responsibility. See our breakdown of whether AWS is HIPAA compliant.
What happens if I host PHI without a BAA?
The missing BAA is itself a violation under 45 CFR §§ 164.308(b) and 164.504(e), separate from any breach, and it is one of the first documents OCR requests in an investigation.
Where to go from here
If the decision test put you in scope, map your data flows, then evaluate hosts against the BAA and safeguard criteria in the pillar guide, and compare your options against our roundup of the best HIPAA compliant hosting providers. We are a HIPAA-compliant hosting provider offering managed HIPAA cloud hosting on AWS with the BAA included; that is our own service, so hold it to the same checklist you would apply to anyone else, or ask us whether your setup actually needs it. Sometimes the honest answer is no.
This article is general information, not legal advice. Whether HIPAA applies to you is fact-specific; confirm your status with qualified counsel and base safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- 45 CFR § 160.103, covered entity and business associate definitions: ecfr.gov
- 45 CFR § 164.504(e), business associate contracts: ecfr.gov
- 45 CFR § 164.312, technical safeguards: ecfr.gov
- HHS OCR, covered entities and business associates: hhs.gov
- HHS OCR, guidance on HIPAA and cloud computing: hhs.gov
- AWS, HIPAA compliance program: aws.amazon.com