Question regarding HIPAA compliance


#1

I am considering implementing a hosted medical application on DreamHost. I know what my responsibilities are regarding privacy and security. Part of my application’s compliance with the HIPAA Security Rule involves providing high availability and a level of physical security that satisfies the HIPAA Security Rule. I can’t find anything on the DreamHost site that addresses whether their datacenter is HIPAA compliant - including willingness to sign a Business Associate Agreement; developing, documenting and following administrative procedures for their staff; maintaining physical access logs; reviewing and updating security periodically; and performing and documenting Risk Analysis and Risk Management. Any feedback from other customers regarding your experience with DreamHost would be appreciated.


#2

Our hosting environment is not HIPAA compliant. Among other reasons, this is because HIPAA compliance is incompatible with shared and VPS hosting environments. It would also require that we take what amounts to a “hands off” approach to our customers’ servers and data. This would prevent us from providing many of the managed services that we offer today, including our “hands-on” support.

I would suggest that you look for a hosting company that specializes in HIPAA hosting — most “general-purpose” web hosts, including DreamHost, choose to focus on aspects of security other than HIPAA compliance.