
Why HIPAA Hosting Alone Is Not HIPAA Compliance

Posted: April 25, 2026, in Compliance.

If you signed a contract this year with a vendor that markets "HIPAA compliant hosting," you may already feel the box is checked. The Business Associate Agreement is signed. The data is encrypted at rest. The logs are retained. So your covered entity is HIPAA compliant, right? Not quite. Hosting compliance covers the infrastructure layer of your environment. HIPAA compliance is an organizational posture that lives across people, policies, training, vendors, and incident response. The two are related, but they are not the same, and the Office for Civil Rights treats them very differently when an audit notice arrives.

This article walks through where the line falls between the host's job and the covered entity's job, why the difference matters in dollars, and how to evaluate a vendor that promises both.

The HIPAA Security Rule splits the work between you and your host

The HIPAA Security Rule at 45 CFR 164.308 through 164.316 lays out the administrative, physical, and technical safeguards a covered entity must put in place. A managed hosting provider can implement many of the technical safeguards on the infrastructure they control. The administrative safeguards, almost without exception, stay with you.

The table below maps the most common Security Rule controls to who actually performs the work. It is not exhaustive, but it is enough to expose the gap.

Control area | CFR citation | Host's job | Covered entity's job
--- | --- | --- | ---
Encryption at rest and in transit | 164.312(a)(2)(iv), 164.312(e)(2)(ii) | Yes (AES-256, TLS) | Verify, document in policy
Audit logging and 6-year retention | 164.312(b), 164.316(b)(2) | Yes (system logs) | User access logs, review cadence
Multi-tenant isolation | 164.312(a)(1) | Yes | Verify in BAA
Backup and contingency plan | 164.308(a)(7) | Backup execution | Plan authorship, annual testing, board review
Security Risk Assessment (SRA) | 164.308(a)(1)(ii)(A) | No | Yes, documented and refreshed annually
Sanction policy | 164.308(a)(1)(ii)(C) | No | Yes, written and applied
Workforce training and attestation | 164.308(a)(5) | No | Yes, delivered and tracked
BAA management with subcontractors | 164.308(b)(1), 164.314(a) | Their own BAA only | Inventory of every downstream BAA
Incident response procedures | 164.308(a)(6) | Hosting-side detection | Plan, drills, forensics retainer, breach notification workflow
Penetration testing | 164.308(a)(8) | Sometimes (often outsourced) | Scope, scheduling, remediation tracking

Add up the right-hand column. That is the program layer your hosting bill does not pay for.

The "partnering agency" gap most buyers do not ask about

Penetration testing is one of the most quietly outsourced services in the HIPAA hosting market. A common pattern: the host advertises pen testing as part of the package, and only when you read the fine print do you learn it is delivered through a third party. To pick a current public example, HIPAA Vault states on its own pen testing page:

"At HIPAA Vault we provide comprehensive penetration testing services through a partnering agency for healthcare organizations."

Source: hipaavault.com/hipaa-pen-testing/ (verified 2026-04-25). Their disclosure is honest, and a partnering agency model can produce solid technical work. But notice what just happened to the buyer. You now have two vendor relationships supporting one regulatory requirement: the host who scopes the test, and the agency who runs it. Two BAAs to manage. Two SLAs to enforce. Two reports to reconcile. If the test surfaces a finding tied to a hosting control, the remediation conversation goes through three parties: you, the host, and the agency.

That is a real coordination cost most buyers do not price into the deal until they hit it. It is also why we keep penetration testing in-house at Petronella Technology Group, where the test, the report, and the remediation guidance all sit inside the same retainer.

What an OCR audit actually asks for

The Office for Civil Rights publishes its HIPAA Audit Protocol covering 180 audit-procedure entries across the Privacy, Security, and Breach Notification rules. Roughly a quarter of those entries map to controls a host can produce evidence for. The rest sit squarely with the covered entity.

When an OCR investigator opens a complaint or a breach review, the document request typically includes:

  • Your most recent Security Risk Assessment, with the methodology, scope, and remediation tracker
  • Your written policies and procedures, signed and dated, covering each Security Rule standard
  • Workforce training records: who trained, when, on what content, with attestation signatures
  • Your sanction policy and any sanctions actually applied to workforce members in the period under review
  • Your BAA inventory, including every downstream business associate you share PHI with
  • Your contingency plan and the most recent annual test of it
  • Your incident response logs, including any incidents that did not rise to the level of a reportable breach
  • Your access management records: provisioning, modification, and termination of user access to PHI

Your hosting provider can answer a small slice of this list. They can produce their SOC report, their encryption attestations, their facility access logs, and their portion of the audit log retention. They cannot produce your SRA, your training attendance, your sanction file, your downstream BAA inventory, or your incident response drills, because those documents do not exist on their side of the line.

If those records do not exist on your side either, the audit goes badly regardless of how clean the hosting layer is.

Breach math: who pays

The HIPAA Breach Notification Rule at 45 CFR 164.400 through 164.414 puts the obligation on the covered entity, not the host. If a host suffers a security incident that exposes your PHI, the covered entity is the one who must notify affected individuals, the Department of Health and Human Services, and (for breaches affecting 500 or more residents of a state or jurisdiction) the media, all within 60 days.

The covered entity also pays the civil penalty. HHS publishes the HIPAA penalty tiers, which Congress requires to be adjusted for inflation. As of the most recent inflation adjustment, the four tiers run from a minimum of approximately $137 per violation up to an annual cap of approximately $2,134,831 for the "willful neglect, not corrected" tier. The HHS Office for Civil Rights enforcement page maintains the current numbers; they move every year. The point is that the dollar exposure sits with you, even when the technical failure happened on a host.

Your host's indemnification clause is rarely sized for that exposure. Read your BAA closely. Most reputable hosting BAAs cap liability at a multiple of the previous twelve months of fees paid. If you are paying $499 a month, twelve months is roughly $6,000, and a 2x cap is roughly $12,000. The OCR penalty for a single category of violations can be three orders of magnitude larger.

None of this means a host has done anything wrong. It means the regulatory and financial consequences land on the covered entity, which is exactly why the program layer matters.

What a "full HIPAA program" actually includes

Treat the list below as the floor, not the ceiling. If your environment does not have these documents, processes, and evidence trails in a state where you could hand them to an auditor on 30 days' notice, your program has gaps regardless of how good the hosting is.

  1. Documented Security Risk Assessment, refreshed at least annually, covering every system that creates, receives, maintains, or transmits PHI. See our HIPAA compliance hub for the methodology we use.
  2. Written policies and procedures, each one signed by the privacy or security officer, mapped to a specific Security Rule citation, and reviewed annually.
  3. Workforce training delivered to every member who handles PHI, with attestation captured and stored, and retraining on any material change to the policy set.
  4. BAA catalogue listing every downstream business associate, each BAA's effective and renewal dates, and an annual review of whether the relationship is still active and whether the contract terms still match the regulation.
  5. Incident response plan with clear thresholds for what counts as a security incident, what counts as a breach, who decides, and who notifies.
  6. Annual contingency plan test that exercises backup, failover, and recovery, with the test results written up and reviewed by leadership.
  7. In-house penetration testing on a defined cadence, with findings tracked through to remediation and re-test.
  8. Board or executive reporting cadence that puts the compliance posture on a calendar, not in a folder no one reads.

Five questions to ask any vendor that says "HIPAA compliant"

  1. Is your penetration testing in-house, or is it through a partnering agency? If it is outsourced, ask who manages the BAA with the test agency and whose name is on the report.
  2. Do you author the policies for our organization, or do you just provide hosting? A hosting BAA is not a policy library. The policies have to be written for your workforce, your data flows, and your sanctions framework.
  3. Do you deliver workforce training, or do you simply remind us it is required? Training delivery and attestation tracking are concrete deliverables. A reminder email is not.
  4. What is your incident response time, and will you sign an IR retainer? An hourly engagement during an active incident is the wrong moment to negotiate. Pre-signed retainers compress the response.
  5. Will you produce the documents an OCR investigator asks for, or only your own hosting evidence? If the answer is "only our hosting evidence," ask who fills the rest of the binder.

What we do at Petronella

Petronella Technology Group runs a small HIPAA practice for healthcare organizations that want one accountable vendor for hosting and the program layer. Our team is CMMC RPO #1449 (verifiable on the Cyber AB registry), our staff is CMMC-RP certified, our penetration testing is delivered in-house, and Craig Petronella holds the Digital Forensics Examiner credential (DFE #604180), which is directly relevant when an incident response engagement turns into a forensic one. Petronella is BBB A+ accredited and has operated continuously since 2003 from 5540 Centerview Dr., Suite 200, Raleigh, NC 27606.

If the gap between your hosting bill and your full HIPAA program is wider than you would like, the path forward is documented on our pillar page, HIPAA hosting with the compliance program built in. If you are coming from a hosting-only provider and want a side-by-side, see our HipaaVault alternative analysis for 2026 and the migration audit at switch from HipaaVault.

For the broader buyer view, our healthcare cybersecurity practice page covers how we work with healthcare clients across the regulatory and operational stack.

The takeaway

Hosting compliance is real, it is necessary, and it is not the same thing as HIPAA compliance. A "HIPAA compliant" hosting bill tells you your infrastructure layer meets the technical safeguards a host can implement on their side of the line. It says nothing about your Security Risk Assessment, your written policies and procedures, your workforce training records, your downstream BAA inventory, your incident response plan, or your sanction policy. Those documents are the core of an OCR audit response, and every one of them sits on your side of the line, not your host's side. That is the part of the picture the marketing language usually leaves out, and it is the part the regulator cares about most.

The right vendor either delivers the program layer alongside the hosting, or tells you plainly which pieces are out of scope so you can source them somewhere else, and from whom. The wrong vendor lets you assume their infrastructure compliance covers your organizational compliance, and you only learn the difference when the breach notification letter or the audit document request lands on your desk.

If you would like a 30-minute gap audit against the eight-item program checklist above, with no slide deck and no obligation, contact Petronella Technology Group. We will tell you which pieces are in good shape, which pieces need work, and the priority order in which to close the gap, against real CFR citations and a real OCR audit document list rather than a marketing checklist.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
