I was curious as to whether or not Vultr has HIPAA compliant web servers available. The business I work for has several clients that need the security because they store sensitive info.


  • HIPAA compliance is the responsibility of the Health Care Provider/Organization in question. While we have no specific HIPAA compliance requirements as an Online Service Provider, our facilities/infrastructure can certainly provide services to any organization looking to achieve said compliance and/or certification (self-service model requires the organization to support itself/ensure everything is configured properly and secured).
  • How would we be able to make sure your system is HIPAA compliant with hosting? This is the guide my boss must follow to make sure his company is HIPAA compliant: https://www.atlantic.net/blog/hipaa-compliant-hosting-requirements-easy-solution-oriented-checklist/

    Also, how could we ensure that our system is HIPAA compliant; is there any guide for that?
  • From a quick glance at the link you provided, these are things you do on your own in order to make it HIPAA compliant. The server itself is pretty much irrelevant. You'll need to configure the firewall on the server, add two-factor authentication using some sort of third-party application such as Authy, create and configure an offsite backup, add SSL, etc. yourself, not the hosting provider or the server.

    So in other words, the server/VPS itself will be configured in the default configuration for the OS you chose. It is then up to you to make sure the VPS is in compliance with HIPAA.

  • I suppose the main thing to check is if virtual machines are allowed in the first place.
  • This is completely bringing a thread back from the dead but HIPAA will *NOT* certify anything on a shared environment in case anyone else was wondering. The client must physically own the machines and the datacenter must have HIPAA compliance (physical security, etc) as well. We just went through the process where I work.

    The private hosted environment was stated on the page linked by @austinkregel :

    "Private Hosted Environment — You cannot share resources with any other entities if you want to achieve HIPAA compliant server requirements. Working with a hosting provider with experience related to properly privatizing your infrastructure obviously helps."
  • What about using Dedicated Instances or the recently released Bare Metal server? Neither of these seems to share resources according to the product pages.
