Skip to content
Healthcare

HIPAA Hosting — 7-point Checklist

What an MSP must actually do to host PHI workloads, not just claim to. BAA template, audit-log retention math, breach notification timeline, encryption requirements per state.

12 pages· PDF· Practice Manager, Compliance Officer

What's inside

Every cloud vendor claims HIPAA-eligible. Far fewer can produce evidence on demand, defend a state-level breach notification window, or sign a BAA without a 90-day legal review. This checklist is the seven-point bar we hold our own private cloud to — and the questions a clinic or pharmacy buyer should ask any hosting partner before sending PHI across the wire.

Table of contents

  • Encryption at rest, in transit, and during processing — what counts
  • Audit log retention math: 6 years, 7 years, or when do you cite state law?
  • BAA template walkthrough — clauses that matter, clauses that don't
  • Breach notification timelines: federal vs state-by-state
  • Access control: RBAC vs ABAC for clinical workflows
  • Backup + restore drills: what auditors want to see
  • Vendor risk: questions to ask before signing the contract

Pairs well with