The phrase "HIPAA-compliant hosting" gets thrown around by hosting providers as if it were a certification you can buy, like an SSL certificate. It isn't. HIPAA compliance is a shared responsibility between the covered entity (the clinic, hospital, or health-tech company) and its business associates (including the hosting provider), and it rests on administrative, physical, and technical safeguards working together \x2014 not on a single server SKU. That said, the choice of infrastructure absolutely matters: a shared hosting plan where you don't control the OS, patching schedule, or who else's data sits on the same disk makes real HIPAA safeguards nearly impossible to implement or prove. A dedicated server gives you the isolation and control that HIPAA's Security Rule actually expects.

What HIPAA Actually Requires From Your Infrastructure

HIPAA's Security Rule breaks safeguards into three categories, and a dedicated server directly supports the technical safeguards column:

  • Administrative safeguards \x2014 your organization's policies: risk assessments, workforce training, incident response plans. No server can do this for you.
  • Physical safeguards \x2014 controlled data center access, visitor logs, and hardware disposal procedures. This is where your hosting provider's data center matters: ask for SOC 2 Type II or ISO 27001 attestation covering physical access controls.
  • Technical safeguards \x2014 encryption at rest and in transit, unique user authentication, automatic logoff, audit logging, and access controls. This is where server configuration does the heavy lifting.

Critically, you need a signed Business Associate Agreement (BAA) with any vendor that could touch electronic protected health information (ePHI), including your hosting provider. If a provider won't sign a BAA, they cannot legally host ePHI for you, full stop \x2014 no amount of server configuration fixes that gap.

Why Dedicated (Not Shared or Multi-Tenant Cloud) for ePHI

Shared hosting and many budget cloud VPS products pool multiple customers on the same physical hardware with the provider managing the hypervisor, patching schedule, and often having broad administrative access to guest instances. That is workable for a marketing site; it is a much harder sell for ePHI because HIPAA auditors specifically look for evidence that you controlled who could access the systems storing patient data. A dedicated server gives you:

  • Exclusive physical hardware \x2014 no noisy-neighbor risk and a clean audit trail of exactly who has access.
  • Full root control over encryption, logging, and patching cadence, so you can prove your safeguards rather than trust a shared provider's.
  • The ability to physically or logically segment ePHI storage from non-regulated systems (e.g., your public marketing site) on separate hardware.

Running a Risk Assessment Against Your Own Infrastructure

HIPAA's Security Rule requires a documented risk assessment, and this is where many organizations either skip the exercise entirely or produce a generic template that doesn't actually reflect their real infrastructure. A useful risk assessment for a dedicated-server-hosted EHR or telehealth platform should walk through, concretely:

Identify Where ePHI Actually Lives

Map every location ePHI touches: the primary database, search indexes, application logs, cached query results in Redis, backup files, and any staging or development database that might contain copied production data. It's common to find ePHI has quietly leaked into a staging environment with weaker safeguards than production \x2014 a frequent finding in real audits.

Identify Who Can Access Each Location

For every location identified above, document exactly who (which named individuals or roles) has access, and confirm that access is the minimum necessary for their job function \x2014 the "minimum necessary" standard is a specific, named HIPAA requirement, not just good practice.

Identify and Rank Threats

Realistic threats for a dedicated server hosting ePHI include: compromised admin credentials (the most common real-world cause of healthcare breaches), an unpatched vulnerability in the application layer, a lost or stolen laptop with cached access, and insider misuse by an authorized user viewing records outside their job function. Rank these by likelihood and impact rather than treating every theoretical threat equally.

Document Mitigations and Residual Risk

For each identified threat, document the specific mitigation in place (MFA for admin access, automatic session timeout, audit logging with anomaly alerts) and honestly note any residual risk your organization has formally accepted. Auditors and cyber-insurance underwriters both respond far better to an honest, specific risk assessment than a boilerplate one that claims zero risk.

Incident Response Planning for a Healthcare Dedicated Server

HIPAA's Breach Notification Rule imposes specific timelines once a breach is discovered \x2014 generally requiring notification to affected individuals without unreasonable delay and no later than 60 days, with additional requirements for breaches affecting 500 or more individuals. A workable incident response plan for infrastructure you control needs to define, in advance:

  • Detection \x2014 what monitoring or alerting would actually catch unauthorized access to the server (failed login anomalies, unexpected data export volumes, unfamiliar admin IP addresses).
  • Containment \x2014 who has the authority to isolate or take the server offline immediately if a breach is suspected, and how quickly that can happen without waiting for a committee decision.
  • Investigation \x2014 what logs and forensic data need to be preserved, and whether your current audit logging retention would actually support a forensic investigation six months after the fact.
  • Notification \x2014 a pre-drafted communication plan and legal review process so the 60-day clock doesn't get eaten up by indecision about how to communicate the breach.

The organizations that handle a breach well are almost always the ones that had this plan written down and, ideally, tested with a tabletop exercise before they ever needed it for real.

Sizing and Pricing for Healthcare Workloads

Use CaseTypical LoadCPU / RAMStorageEst. Monthly Cost
Small clinic EHR / practice management5\x2d30 concurrent staff users4-core, 16 GB500 GB encrypted SSD, RAID 1$90\x2d$150 (before compliance add-ons)
Telehealth video platform (regional)50\x2d300 concurrent video sessions8\x2d16-core, 64 GB1 TB NVMe RAID 10$220\x2d$450
Multi-location health system / health-tech SaaS500+ concurrent, multiple facilitiesDual Xeon/EPYC, 128\x2d256 GB2\x2b TB NVMe RAID 10, offsite encrypted backup$500\x2d$1,200+ across a redundant pair

Budget separately for compliance-specific add-ons that a general-purpose dedicated server plan usually doesn't include by default: a signed BAA (often free from providers who support healthcare, but confirm), encrypted offsite backup with its own BAA coverage, and a managed security/monitoring add-on if you don't have in-house security staff to review logs. These can add 20\x2d40% to the base infrastructure cost, and that is a realistic, not padded, range.

Technical Safeguards Checklist for the Server Itself

Encryption at Rest

Full-disk encryption (LUKS on Linux, BitLocker on Windows Server) is the baseline. For database-level ePHI, add column-level or transparent data encryption (TDE) in MySQL/MariaDB or PostgreSQL's pgcrypto extension for the most sensitive fields (SSNs, diagnosis codes).

Encryption in Transit

TLS 1.2 minimum, TLS 1.3 preferred, for every connection touching ePHI \x2014 patient portal traffic, API calls between your EHR and lab integrations, and any admin access (SSH with key-based auth only, never password auth).

Access Controls and Audit Logging

Unique logins per staff member (no shared "nurse station" accounts), role-based access control limiting who can view which patient records, and audit logs that capture who accessed what and when \x2014 retained for at least six years per HIPAA's documentation retention requirement.

Automatic Session Timeout

Configure automatic logoff after a defined idle period on any application accessing ePHI, both at the application layer and, where practical, the OS session layer for admin access.

Backup and Disaster Recovery

Encrypted backups, stored offsite, with a documented and tested restore procedure. HIPAA's contingency plan requirement isn't satisfied by "we take nightly backups" \x2014 you need to demonstrate you can actually recover ePHI within a reasonable time frame.

Common Compliance Mistakes We See

  • Assuming a general "we're SOC 2 compliant" hosting provider automatically covers HIPAA \x2014 SOC 2 and HIPAA overlap but are not the same framework; confirm the provider explicitly supports BAAs.
  • Storing ePHI backups on a consumer cloud storage service without a BAA covering that specific service.
  • Using shared admin credentials across a small clinic's IT staff, which breaks the unique-user-identification requirement and makes audit logs meaningless.
  • Forgetting that ePHI in log files (error logs that accidentally capture patient names or diagnosis codes in a stack trace) is still ePHI and needs the same protections.

Sizing and Infrastructure by Care Setting

"Healthcare" covers wildly different infrastructure profiles depending on the type of practice, and lumping a solo dermatology clinic in with a multi-state telehealth platform leads to badly mis-sized quotes on both ends. A few common profiles we see in practice:

Solo and Small Group Practices

A single-location practice running a practice management system and an EHR for 3\x2d10 providers rarely needs more than a 4-core, 16 GB server, but the compliance overhead (BAA, encryption, audit logging setup) is nearly identical in complexity to a much larger deployment \x2014 there is no "lightweight HIPAA" tier. Many small practices underestimate this and are surprised that compliance setup takes real hours of configuration work regardless of how small the patient panel is.

Multi-Location Group Practices and Specialty Networks

Once a practice group spans multiple physical locations sharing a single EHR instance, network latency between locations and the central server becomes a real clinical workflow concern \x2014 a slow chart load during a patient visit is a workflow and, in some cases, a patient-safety issue, not just an inconvenience. These deployments typically need a server in a data center with strong regional connectivity to all practice locations, plus a tested failover plan, since an EHR outage across multiple active clinics is a much bigger operational event than a single-location outage.

Telehealth and Virtual-First Platforms

Video-based telehealth adds a bandwidth and real-time performance dimension that traditional EHR hosting doesn't have to consider as heavily. A regional telehealth platform running 200 concurrent video visits needs to budget not just for server capacity but for network quality metrics (jitter, packet loss) that directly affect clinical video quality \x2014 a pixelated or freezing video call during a psychiatric or dermatology consult is a real clinical care problem, not just a technical annoyance.

Health-Tech SaaS and Multi-Tenant Platforms

Software vendors serving many healthcare clients from shared infrastructure face the hardest version of this problem: proving tenant isolation to each individual client's compliance team, sometimes as part of that client's own HIPAA risk assessment of their vendors. Dedicated hardware with clearly documented, auditable tenant separation (separate databases per client at minimum, separate servers for the largest clients) becomes a sales requirement, not just a technical preference, once you're selling into enterprise health systems with their own security review processes.

Care SettingPrimary Infrastructure RiskKey Add-On to Budget
Solo / small group practiceUnder-resourced compliance setup relative to patient volumeBAA-covered encrypted backup, basic audit logging
Multi-location group practiceLatency and workflow disruption during chart accessRegionally central data center, tested failover
Telehealth platformVideo quality degradation under concurrent loadNetwork quality monitoring, sufficient uplink capacity
Health-tech SaaS / multi-tenantProving tenant isolation to enterprise clientsDocumented isolation model, dedicated hardware for top clients

Specialty Compliance Considerations Beyond HIPAA

42 CFR Part 2 for Substance Use Disorder Records

Behavioral health and substance use treatment providers in the US face an additional federal layer (42 CFR Part 2) with stricter consent and re-disclosure rules than standard HIPAA \x2014 infrastructure supporting these records often needs more granular access segmentation than a general medical practice, since Part 2 data frequently cannot be shared as freely even within the same health system.

State-Level Health Data Laws

Several US states have layered additional health data privacy requirements on top of HIPAA in recent years, some extending protections to health-adjacent data (fitness, reproductive health, mental health app data) that falls outside HIPAA's traditional covered-entity scope. If your platform handles consumer health data outside a formal clinical relationship, don't assume HIPAA is the only framework in play \x2014 check your state's specific health privacy statute.

International Patients and Cross-Border Data

Telehealth platforms serving patients outside the US layer on GDPR (EU/UK) or other regional health data frameworks, which can impose stricter consent and data localization requirements than HIPAA alone. Confirm your dedicated server's physical jurisdiction against every region you serve patients in, not just your own headquarters location.

Migrating an Existing EHR or Telehealth Platform Without an Outage

Moving a live clinical system to new dedicated hardware carries higher stakes than a typical website migration \x2014 an extended outage can mean clinicians can't access charts during active patient visits. A few practices that reduce risk meaningfully:

Run a Parallel Environment Before Cutover

Stand up the new dedicated server alongside the existing system and replicate data continuously rather than doing a single big-bang cutover. This lets you validate performance and compliance configuration under real (or realistic) load before a single patient record depends on the new hardware.

Schedule the Cutover for Genuine Low-Volume Hours

Even 24/7 platforms usually have a predictable overnight low-volume window; schedule the final database cutover there, with clinical staff informed in advance and a rollback plan ready if something doesn't validate correctly within the first hour.

Validate Compliance Configuration Before Go-Live, Not After

Confirm encryption at rest, audit logging, and access controls are fully configured and tested on the new server before any real ePHI touches it \x2014 retrofitting compliance configuration onto a server that's already live with patient data is both riskier and harder to document cleanly for audit purposes.

Keep the Old System Available Briefly as a Fallback

Don't decommission the previous server the moment cutover completes; keep it available (properly secured, not just abandoned) for at least a week or two in case an edge case in the migration surfaces only under real clinical use.

Monitoring and Ongoing Compliance Maintenance

HIPAA compliance is not a one-time configuration exercise \x2014 it's an ongoing operational discipline, and infrastructure that was properly secured at launch can quietly drift out of compliance over months as staff turn over, patches lag, and new integrations get bolted on without the same scrutiny as the original build.

Continuous Vulnerability Scanning

Schedule regular (at minimum monthly, ideally continuous) vulnerability scans against the server's exposed services, and treat newly disclosed CVEs affecting your specific software stack as a priority patch item rather than waiting for a routine maintenance window when a vulnerability is actively being exploited in the wild.

Quarterly Access Review

Review the list of who has access to ePHI-touching systems at least quarterly, removing access for departed staff and role changes promptly \x2014 stale access grants for former employees are a common finding in real HIPAA audits and an easy one to prevent with a simple recurring calendar reminder.

Annual Risk Assessment Refresh

Revisit your documented risk assessment at least annually or after any significant infrastructure change (new integration, migration, major software upgrade), rather than treating the original assessment as a permanent document that never needs updating.

Log Review, Not Just Log Collection

Collecting audit logs satisfies part of the technical safeguard requirement, but logs nobody ever reviews provide little real security value. Establish at least a periodic manual review process, or better, automated anomaly alerting (unusual access times, bulk record exports, access from unfamiliar locations) so log data actually gets acted on rather than accumulating unread.

Buyer's Checklist Before Signing With a Healthcare Hosting Provider

  • Will the provider sign a Business Associate Agreement, and does it explicitly cover the services you're buying (server, backup, support access)?
  • Does the data center carry SOC 2 Type II or ISO 27001 attestation you can review?
  • Can you get full-disk encryption and root access to configure your own audit logging?
  • Does the provider offer (or allow you to configure) encrypted, BAA-covered offsite backups?
  • What is the provider's incident notification timeline if they detect unauthorized access to your hardware? HIPAA's Breach Notification Rule has strict timelines you need your vendor to support.
  • Is 24/7 support available, given that healthcare systems often cannot tolerate business-hours-only response windows?

Frequently Asked Questions

Is a dedicated server automatically HIPAA compliant?

No. No server is "automatically" compliant \x2014 compliance comes from how the server is configured, secured, and operated, combined with your organization's administrative and physical safeguards. A dedicated server makes real technical safeguards achievable; it doesn't implement them for you.

Do we need a BAA even for a small telehealth startup with only a handful of patients?

Yes \x2014 HIPAA applies regardless of organization size once you're handling ePHI as a covered entity or business associate. Patient count doesn't create an exemption.

Can we host our patient portal and our public marketing website on the same dedicated server?

You can, but many compliance teams prefer logical or physical separation \x2014 keeping ePHI-handling systems isolated reduces your audit scope and limits the blast radius if the public-facing site (which typically has broader, less controlled access) is ever compromised.

How is this different from just using a HIPAA-eligible cloud service like AWS?

Major cloud providers offer HIPAA-eligible services under their own BAA, which is a valid path too \x2014 the tradeoff is usually cost predictability and raw performance per dollar. A dedicated server, similar to our comparison of dedicated vs cloud servers, often gives more consistent performance per dollar for steady-state healthcare workloads, while cloud shines for unpredictable elastic scaling.

What happens if our hosting provider suffers a breach affecting our patients' data?

Your organization remains responsible for Breach Notification Rule compliance even if the breach originated with your hosting provider (as your business associate) \x2014 this is exactly why the BAA needs to spell out notification timelines and responsibilities in writing before you sign, not after an incident.

Does 42 CFR Part 2 change our hosting requirements for a substance use treatment program?

It can \x2014 Part 2 imposes stricter re-disclosure consent rules than standard HIPAA, which sometimes translates into a need for more granular access segmentation between substance use records and general medical records, even on the same underlying server. Discuss this specifically with your compliance officer and hosting provider rather than assuming standard HIPAA safeguards automatically satisfy Part 2.

How should a multi-tenant health-tech SaaS platform prove tenant isolation to enterprise clients?

Document your isolation model explicitly \x2014 separate databases per client at minimum, dedicated hardware for your largest enterprise clients if required by their own security review, and be ready to provide this documentation as part of your prospective clients' own vendor risk assessments, since many health systems now formally review subcontractor infrastructure before signing.

Is video quality actually a compliance issue for telehealth, or just a UX concern?

Primarily a clinical care and UX concern rather than a HIPAA technical safeguard per se, but poor video quality during a mental health or specialist consult can have real clinical consequences, which is why serious telehealth platforms treat network quality metrics (jitter, packet loss, not just raw bandwidth) as seriously as encryption and access control.

Do international telehealth patients change our HIPAA obligations?

HIPAA itself doesn't change based on patient location, but you may face additional obligations under the patient's local data protection law (GDPR in the EU/UK, for example) layered on top of your existing HIPAA program \x2014 confirm your server's jurisdiction and any cross-border transfer requirements before expanding internationally.

WebsNP supports healthcare organizations and telehealth platforms with dedicated servers configured for encryption, access control, and audit logging, backed by a signed BAA. View dedicated server plans or contact our team to discuss your compliance requirements before you migrate ePHI.