Healthcare
HIPAA Hosting — 7-point Checklist
What an MSP must actually do to host PHI workloads, not just claim to. BAA template, audit-log retention math, breach notification timeline, encryption requirements per state.
12 pages· PDF· Practice Manager, Compliance Officer
What's inside
Every cloud vendor claims HIPAA-eligible. Far fewer can produce evidence on demand, defend a state-level breach notification window, or sign a BAA without a 90-day legal review. This checklist is the seven-point bar we hold our own private cloud to — and the questions a clinic or pharmacy buyer should ask any hosting partner before sending PHI across the wire.
Table of contents
- Encryption at rest, in transit, and during processing — what counts
- Audit log retention math: 6 years, 7 years, or when do you cite state law?
- BAA template walkthrough — clauses that matter, clauses that don't
- Breach notification timelines: federal vs state-by-state
- Access control: RBAC vs ABAC for clinical workflows
- Backup + restore drills: what auditors want to see
- Vendor risk: questions to ask before signing the contract
Pairs well with
Finance
PCI-Aware Hosting Worksheet
Tax-firm-specific PCI scoping. Cardholder-data-environment segmentation. SAQ-D readiness checklist. Tax-season elastic capacity sizing.
Compliance
SOC 2 Pre-Audit Readiness
Pre-flight checklist for SOC 2 Type II auditors. Maps Ultiblob platform controls to Trust Services Criteria, then to your application-layer controls. Saves 8-12 hours of audit prep.
