Achieving HIPAA compliance is more than choosing a host. It means choosing a partner who can help you secure your environment, your application, and your business.

That distinction is where most HIPAA-hosting decisions go wrong. Organizations sign with a provider that markets itself as HIPAA-compliant, assume the rest is handled, and then run into the parts of compliance the host was never going to do. All of that is still yours:

  • application layer
  • access controls
  • workforce training
  • documented risk analysis
  • incident response policy

The mindset shift is the part most teams miss. HIPAA compliance is a way of organizing the entire business around protecting ePHI, not a procurement checkbox.

The Requirements

The Three Categories of HIPAA Safeguards

To handle PHI compliantly, your application and overall environment have to satisfy a long list of requirements.

Technical

  • Encryption of all data at rest and in transit, including messages
  • Audit logs that record who accessed patient data and when
  • Automatic log-off of external devices and idle sessions
  • Access controls and unique user identification

Physical

  • Access controls on facilities housing PHI
  • Workstation and mobile device policies
  • A current inventory of hardware and software handling ePHI
  • Physical security of the servers themselves

Administrative

  • Documented risk assessments and a risk management policy
  • Workforce training on data security
  • A tested contingency plan covering backup, disaster recovery, and emergency-mode operation
  • Documented incident response and reporting procedures
  • A signed Business Associate Agreement with every party that touches your ePHI

Shared Responsibility

Where the Provider Stops and You Begin

Hosting compliance is divided between provider and customer. Where exactly the line sits depends on the hosting model, and not understanding it is the most common reason organizations end up out of compliance after deployment.

The provider is responsible for the safeguards on the infrastructure they operate:

  • Physical security of the data center
  • Hypervisor and host patching
  • Network controls within their environment
  • The encryption capabilities of the storage and transit layers they provide
  • The audit log infrastructure that captures activity at their level

A signed Business Associate Agreement formalizes that accountability and is required of any host that handles PHI.

The customer is responsible for the safeguards on what they put on top:

  • Application-level access controls
  • User provisioning and deprovisioning
  • Workforce training
  • The risk analysis covering their workflows
  • BAAs with their own subcontractors
  • The incident response policy that covers their organization

Signing a BAA does not transfer your compliance obligations to the provider. It only documents theirs.

This is why two organizations using the same compliant host can have very different compliance postures. The host’s controls are identical. What’s different is everything above the host.

Shared Responsibility Diagram - AEC and Armor Agent

The diagram above shows the responsibility split for Armor Enterprise Cloud and Armor Agent. The shape of the split is similar across credible HIPAA hosting providers. What changes between providers is how much of the customer column they help with through managed services.

The Ceiling Problem

HIPAA Compliance Does Not Mean Complete Security

Compliance with HIPAA is not the same thing as security. The enforcement model is largely complaint-driven, which means an organization can be out of compliance for months or years and not know it until something goes wrong. There are also other regulations governing data security, such as PCI DSS for payment data, state privacy laws, and sector-specific requirements that HIPAA compliance alone does not satisfy.

HITRUST CSF is the next step beyond HIPAA.

HITRUST maps controls across HIPAA, NIST, ISO, PCI, and others into a single audited framework. Certification requires third-party validation against hundreds of specific controls and re-validation on a defined cadence. A HITRUST CSF-certified provider has been inspected in detail.

For organizations that need a higher and verifiable security bar, or that need to demonstrate that bar to customers, partners, or regulators, HITRUST is the next step beyond HIPAA. We’ve covered the specifics of HITRUST certification in a separate piece.

Armor is HITRUST CSF certified. We’ve also helped many of our customers achieve their own HITRUST certification.

Whether you stop at HIPAA or pursue HITRUST, the point is the same. Protecting PHI is what’s required of you, and the consequences of failing are real. Fines have grown more aggressive since the HITECH Act, and a breach affecting PHI is one of the most expensive incident categories in any industry, with healthcare leading for 14 consecutive years.

HIPAA is not a maximum security bar. It is a minimum one.

Provider Evaluation

What to Ask a HIPAA-Compliant Hosting Provider

Will they sign a BAA, and what’s in it?
Read it before you sign. Look at the liability cap, the breach notification timeline, the indemnification clauses, and what subcontractors are covered. A BAA with a 24-hour notification clause is materially different from one with 60 days.

What’s their HITRUST CSF or SOC 2 Type II status?
A current HITRUST CSF certification means a provider’s controls have been independently validated against a healthcare-specific framework. SOC 2 Type II means an auditor has confirmed the controls are operating effectively over time, not just designed correctly on paper. Ask for the report. Armor maintains both.

Do they offer active threat detection and response, or just monitoring?
Monitoring alone gives you visibility and notifications; detection, investigation, and remediation are still yours. Ask whether a human team actively responds and remediates, or whether you are only alerted.

What’s their incident response SLA?
When something goes wrong, you need to know how fast they’ll respond, who responds, and what they do. Vague answers are a red flag.

Can they provide audit-ready documentation on demand?
When your auditor asks for control mappings, evidence, or attestations, your hosting provider should produce them within days, not months.

Do they have healthcare references at your scale?
A provider that hosts a 200-bed hospital is solving different problems than one hosting a 50-person digital health startup. Ask for references with similar profiles.

Armor Enterprise Cloud (AEC)

A hardened private cloud built for regulated workloads by Armor, a HITRUST CSF certified company. AEC ships with 600+ built-in security controls plus workload protection, 24/7 SOC monitoring, cloud-native SIEM, compliance management, and cyber insurance, with automated mapping to top compliance standards.

Your Options

The Comparison Across Approaches

Public cloud has become the default starting point for new healthcare deployments. AWS, Azure, and GCP all operate HIPAA-eligible services and act as Business Associates for those services. AWS notably archived its single reference architecture for HIPAA workloads and now points customers to the HIPAA Eligible Services Reference, an acknowledgment that there isn’t one architecture, only a list of building blocks you assemble yourself.

The real question for most teams is not “which cloud”, but “how much management do we want layered on top of it.”

Self-Managed on Public Cloud

Build it yourself on AWS, Azure, or GCP. Configure encryption, IAM, network segmentation, audit logging, and monitoring against HIPAA requirements. Stand up your own threat detection and response. Hyperscaler support helps with the platform, not with your specific HIPAA configuration; that’s on you. This works for organizations with a mature security team and a clear reason to operate at the hyperscaler level. It is the most flexible option and the lowest infrastructure markup, with the highest operational burden on your team.

Managed HIPAA Hosting Providers

A category of specialist providers who wrap managed services and BAAs around the hyperscalers, or operate their own compliant private cloud. They handle the infrastructure configuration and a defined slice of compliance work for you. Armor Enterprise Cloud sits in this category. Armor is HITRUST CSF certified, and AEC bundles workload protection, 24/7 SOC monitoring, SIEM, compliance management, and cyber insurance into the service, not as separate add-ons.

Point Security or Compliance Tools Layered on Your Existing Cloud

Tools in this category, including cloud workload protection platforms, CSPM tools, and agent-based monitoring products, give you visibility and notifications on whatever cloud you already run. They do not give you a hardened environment, an active response team, or remediation. You assemble the rest yourself.

How Armor Compares

Capability | Self-Managed Public Cloud | Cloud Security or CSPM Tool | Managed HIPAA Hosting | Armor Enterprise Cloud
--- | --- | --- | --- | ---
HIPAA-eligible infrastructure | | | |
Signed BAA | | | |
HITRUST CSF certified provider | | | varies |
Built-in security controls mapped to compliance standards | | | varies | ✓ (600+)
Continuous compliance monitoring | | | varies |
24/7 SOC monitoring | | | varies |
Active incident remediation | | | varies |
Incident investigation and forensics | | | varies |
Cyber insurance coverage | | | | included
Hardened, ready-to-deploy environment | | | varies |

The capability most often missing from “managed HIPAA hosting” offerings is the one that matters when something goes wrong. Active remediation by a human team is what separates an environment that meets HIPAA on paper from an environment that survives an attempted breach.

Talk to a HIPAA Compliance Expert

The parts of HIPAA compliance most likely to fail an audit are the ones your hosting provider can’t do for you. If you’re evaluating HIPAA-compliant hosting, or auditing the environment you have today, Armor’s team can walk you through where your current posture sits across HIPAA, threat detection, and the rest of your security program and where the gaps are.

About Armor

Armor is a global leader in cloud-native managed detection and response. Trusted by over 1,700 organizations across 40 countries, Armor delivers cybersecurity, compliance consulting, and 24/7 managed defense built for transparency, speed, and results. By combining human expertise with AI-driven precision, Armor safeguards critical environments to outpace evolving threats and build lasting resilience. For more information visit our website, follow us on LinkedIn, or request a free Cyber Resilience assessment.