Top 5 HIPAA-Compliant Application Hosting and Service Providers

by David Emerson

If your application stores personal health information (PHI) and is subject to HIPAA regulations, hosting it on a HIPAA-compliant platform is not enough: You also need to comply with a large number of technical and procedural requirements, like handling authentication securely, enforcing secure access, and keeping proper audit logs. These web hosts provide tools and services – on top of their hosting – to make it easier for you to achieve and maintain HIPAA compliance.

Datica (www.datica.com)

Datica provides a complete hosting and compliance solution in the cloud. Their platform runs on AWS, Microsoft Azure or IBM SoftLayer, and they unify disparate cloud services into a single “platform-as-a-service” that is easy for developers to use. Developers can write their applications with the tools of their choice and then deploy and manage them using Datica’s web dashboard and command line interface. Datica also includes tools and resources to make it easier to integrate with EMRs and other health platforms. On the operational side, Datica provides a unified business associate agreement and absorbs the cost of independent HIPAA audits, so that you don’t have to.

MedStack (www.medstack.co)

MedStack delivers all aspects of HIPAA-compliant hosting “out of the box”, in a ready-made bundle of tools and services that take all of the hard work (and risk) out of compliance. They provide built-in privacy and security protocols, an optional data repository with an HL7 FHIR data model and API, a developer-friendly cloud hosting environment, and pre-written privacy policy and procedure documents to make compliance easier. MedStack hosts on AWS, Azure and IBM Cloud, and they reduce time-to-market by enabling developers to use whatever languages, databases, or deployment tools that they desire. (Disclosure: We use MedStack for our clients here at SiteRocket Labs, and have chosen them because they provide exceptional functionality at a very competitive price point. They’re also a pleasure to work with.)

TrueVault (www.truevault.com)

TrueVault provides an innovative set of tools that enables it to “host” just the parts of your data that require HIPAA compliance. In other words, let’s say you have a health application that stores personal health information, along with other sensitive data such as user logins and permissions. With TrueVault, you can host your application at any (non-HIPAA-compliant) host of your choice, and use TrueVault to store its sensitive data and handle user access and authentication. Unlike with other providers such as MedStack, your developers would need to build functionality within your application to send sensitive data to, and retrieve it from, TrueVault’s APIs. TrueVault also provides audit logging and other technical safeguards.

ClearDATA (www.cleardata.com)

ClearDATA provides a comprehensive set of services to ensure that apps containing personal health information are hosted securely and that they comply with HIPAA safeguards. Like several of the other service providers in this article, ClearDATA uses Amazon Web Services (AWS) as its hosting platform. ClearDATA’s platform can automate the services needed to control an AWS environment; automatically detect and respond to changes made within an AWS account; actively monitor infrastructure security; and provide unified reports that detail compliance with HIPAA guidelines.

Datapipe (www.datapipe.com)

Datapipe, a Rackspace company, is a global provider of managed hosting, network management, and consulting services. Datapipe hosts applications on existing cloud hosting platforms such as Amazon Web Services and Microsoft Azure, and they manage (maintain and administer) the servers in order to ensure optimal security and performance. They can also work closely with your organization to manage the entire compliance process. Datapipe is more of a technology consulting company than a hosting business, and they offer a range of infrastructure services in addition to their HIPAA practice. This means that Datapipe can deploy, support and manage all of your organization’s cloud applications, rather than just the ones that fall under HIPAA.

Rough Pricing Comparison

Please take this pricing as a general rule-of-thumb only. The services described in this article are very different from one another, which makes them hard to compare. In addition, the prices listed here are subject to change depending on your needs.

Typical Monthly Costs (USD)

Vendor      Entry level   Mid-range   Typical Enterprise
Datica      $1,000        $3,300      Custom
MedStack    $350          $750        Custom (see their handy pricing calculator)
TrueVault   $299          $999        $1,299
ClearDATA   Custom pricing only; as a general rule, ClearDATA often adds an additional $1.75 for every $1 spent at AWS
Datapipe    Custom pricing only


Which Service is Right for You?

The vendors listed here have very different approaches from one another, and no service is appropriate for everyone. We would be happy to hear about your needs and provide a recommendation for you, so feel free to get in touch!