Jun 10, 2014

Colocation and HIPAA Compliance: What You Need to Know

One of the cornerstones of the Health Insurance Portability and Accountability Act (HIPAA) is the protection of personal health information. Any organization that deals with protected health information (PHI) bears a major responsibility to ensure that the information doesn’t fall into the wrong hands. The consequences of a PHI data breach are significant, and usually include fines and other punitive actions; securing data that’s stored electronically is of paramount concern.


Because meeting HIPAA guidelines for safeguarding PHI is so important, many organizations hesitate to move their networks to a data center or use cloud services. However, given the benefits of outsourcing data management, especially in terms of cost reductions and efficiencies, it only makes sense for organizations within the health care industry to move to offsite data centers.

However, before making the shift, it’s important to understand all of the issues surrounding colocation and HIPAA compliance.

Compliance Standards

The federal government’s Office of Human Rights determines how HIPAA compliance is measured, and has set forth a comprehensive list of 165 regulatory points that must be adhered to in order to ensure that PHI is adequately secured. Of those 165 points, 88 relate to data breach privacy notifications, and 77 have to do with data protection.

The 77 data protection standards fall across a number of broad categories, including information access management, assigned security responsibility, workforce security, contingency plans, security awareness and training, and business associate agreements. It’s this last point that is of the greatest interest to data centers and to those organizations working with, or considering working with, them.

As of September 2013, the law states that third-party contractors, such as colocation providers, can be held responsible in the event of a data breach. In addition, the law requires that any organization dealing with PHI develop a Business Associate Agreement with the provider, stating that the provider will take every necessary precaution to ensure that PHI is secure during storage, transmission or creation. In other words, colocation providers must not only understand and adhere to HIPAA guidelines, but must also invest in safeguards to ensure ongoing compliance.

The safeguards that health care organizations should look for include ongoing employee training and security awareness, facility infrastructure that’s focused on security, and ongoing HIPAA compliance audits. For some organizations, data centers are actually an ideal solution, as they are able to manage the security aspects of HIPAA far more effectively than could be done in-house, and at a far lower cost. Smaller companies, for example, may not be able to effectively implement security measures that are HIPAA compliant, making colocation the only feasible option.

Questions to Ask Colocation Providers

When organizations dealing with PHI opt to move to a colocation center, they must ask important questions to determine whether the center will adequately meet their needs and adhere to HIPAA guidelines. Some of the basic questions to ask include:

    • Where are the servers physically located? PHI must be stored within U.S. borders, as international privacy laws differ and could put your organization out of compliance.
    • What physical security measures are in place? A colocation provider should offer 24-hour surveillance with stored video, as well as locked cages and restricted access privileges.
    • What type of SSL and HTTPS protocols are in place to encrypt data during transmission?
    • What type of disaster recovery protocol is in place?
    • Has the data center undergone an independent HIPAA compliance audit, and are the results available for review? A nondisclosure agreement may be necessary to review the compliance report, but knowing that the center has been evaluated for compliance provides extra peace of mind.
    • What are the processes for security vulnerability and risk assessments?
    • What are the plans for backups and handling outages?

These are just a few of the important questions to ask when considering a data center for managing PHI. When choosing a colocation provider, it’s important to look beyond the most technologically advanced or most affordable options, and determine which providers will best protect the data and keep you in compliance with the HIPAA standards.

Given the risks associated with managing PHI in-house, and the complexity and costs associated with meeting HIPAA compliance standards, colocation is becoming a far more attractive option to many organizations that previously resisted such an arrangement. By conducting adequate research, and asking the right questions, it’s possible to find a colocation provider that will make your data even more secure than you thought possible.
