HIPAA and Free Hosting: A Practical Checklist for Small Healthcare Sites

Jordan Ellis
2026-04-08
8 min read

A hands-on HIPAA hosting checklist to audit free or low-cost hosts: realistic controls, logging tests, and contract language for small healthcare sites.

Small healthcare websites, clinics, and solo practitioners often look for free or low-cost hosting to keep costs down. But HIPAA doesn’t get cheaper just because hosting does. This guide turns dense compliance guidance into a hands-on HIPAA hosting checklist you can use to audit free or low-cost providers — focusing on realistic technical controls, logging, and contract language you can negotiate or at least document.

Who this checklist is for

This checklist is aimed at marketing teams, site owners, and SEO managers who run or publish healthcare-related content and who must protect patient data (including EHR access portals, appointment forms, and contact requests). It assumes you are not a full-time security pro but need practical steps you can implement and document.

Quick reality check: free hosting and BAAs

Most truly free hosting providers will not sign a Business Associate Agreement (BAA) — a core HIPAA requirement when a vendor stores or processes protected health information (PHI). If your site collects PHI or connects to EHR systems, using a host that refuses to sign a BAA is a red flag. For less-sensitive public health content, free hosting can be fine with reasonable controls.

Before you start: classify data and scope

Start by mapping what the site does and what it touches. Keep this short and defensible.

  1. Does the site collect PHI? (Names + health details, appointment info tied to a person, patient IDs, or PDFs of records)
  2. Does the site display or transmit EHR data or link to patient portals?
  3. Who can access the hosting account, FTP, or admin console?

If the answer is yes to collecting PHI or connecting to EHR, prioritize a HIPAA-ready host that will sign a BAA. If no, proceed with tightened controls and documentation.

Practical HIPAA hosting checklist (use this to audit providers)

Use this list as an interview and test plan when evaluating a free or low-cost host.

  • BAA availability
    • Ask directly: "Will you sign a BAA for services that process or store PHI?" Document the response in writing.
    • If they say no, do not host PHI on their platform. Instead, separate PHI-handling features to a compliant vendor.
  • Data encryption
    • In transit: HTTPS/TLS must be enforced sitewide. Ask what TLS versions are supported and if HSTS is available.
    • At rest: Does the host encrypt stored backups and object storage? If they say "managed by cloud provider" ask which provider and region.
  • Access control and identity
    • Are administrative logins protected with MFA? If not, require it for all admin or FTP accounts.
    • Can you restrict access by IP or role? The ability to rotate credentials is required.
  • Logging and retention
    • Does the host provide access logs (web, admin, FTP/SFTP) and at what granularity?
    • Retention: Ask how long logs are kept and whether logs are tamper-resistant. For HIPAA, retain relevant audit logs per your policy (commonly 6 years is used for HIPAA documentation).
    • Practical test: request a recent log extract for a test activity (e.g., a login) to confirm timestamps, IPs, and resource IDs are recorded.
  • Backups and disaster recovery
    • Ask how often backups run, where they are stored, whether backups are encrypted, and how to request a data export.
    • Confirm procedures for secure deletion when terminating service.
  • Network and isolation
    • For shared/free hosting, find out what tenant isolation is in place. Shared environments often increase risk; prefer isolated containers or managed app instances.
  • Compliance certifications and audits
    • Does the provider or their parent cloud vendor maintain SOC 2 or HITRUST reports? These help but do not replace a BAA.
  • Breach notification and support SLA
    • Ask the host how they notify customers of security incidents and expected timelines. Get this in writing if possible.
Actionable technical controls you can implement today

Even if a host is not HIPAA-ready, you can reduce risk with these practical steps.

  • Do not collect PHI in public forms. Use forms that route sensitive input to an email or service that can sign a BAA, or implement client-side encryption that sends ciphertext to the server only.
  • Force HTTPS and HSTS. Redirect all HTTP to HTTPS, enable HSTS, and use TLS 1.2+.
  • Enable MFA for all accounts. Admin panels, FTP/SFTP, and any dashboard should use strong second-factor authentication.
  • Limit admin logins by IP and role. Restrict control panel access to staff IPs where practical.
  • Keep software updated. Keep the CMS, plugins, and server software current, and keep the attack surface minimal by disabling unused modules.
  • Configure secure backups. Ensure backups are encrypted, regularly tested, and can be purged securely on termination.
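As an added illustration of the HTTPS, HSTS and TLS controls above (example code written for this checklist, not from the original article or any host): a Python audit function that takes a host's plain-HTTP response, its HTTPS response headers and the negotiated TLS protocol and returns findings. It assumes a one-year HSTS max-age as the minimum; the responses are passed in as values so it runs offline, and in practice you would capture them with a client library.

```python
from urllib.parse import urlparse

# Assumed audit policy for this example: HSTS max-age of at least one year
# (the value the browser preload list requires) and TLS 1.2 as the floor.
MIN_HSTS_MAX_AGE = 31536000
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")

def header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def audit_https(http_status, http_headers, https_headers, tls_version):
    """Return audit findings for one host; an empty list means it passes.
    http_status/http_headers: response to a plain-HTTP request.
    https_headers: response headers over HTTPS. tls_version: negotiated protocol."""
    findings = []
    # 1. Plain HTTP must redirect permanently to the HTTPS origin, not serve the page.
    location = header(http_headers, "Location") or ""
    if http_status not in (301, 308) or urlparse(location).scheme != "https":
        findings.append("HTTP does not redirect permanently to HTTPS")
    # 2. HSTS must be sent over HTTPS with a long max-age covering subdomains.
    hsts = header(https_headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    # 3. Anything older than TLS 1.2 is a finding.
    if tls_version not in ACCEPTED_TLS:
        findings.append(f"negotiated {tls_version}; TLS 1.2+ required")
    return findings

# Constructed sample: a host that serves content over plain HTTP and sends a
# five-minute HSTS policy over an outdated protocol.
WEAK_HOST = dict(http_status=200, http_headers={},
                 https_headers={"Strict-Transport-Security": "max-age=300"},
                 tls_version="TLSv1.1")
```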

Logging: what to collect and how to verify it

Logs are the lifeblood of incident response and HIPAA audits. Ask for these and test them.

  • Web server access logs with timestamp, request method, URL, source IP, user-agent, and response code.
  • Authentication logs for admin logins and failed attempts.
  • File access and upload logs for any directories holding user-submitted content.
  • Backup and configuration change logs (who changed what and when).

Verify logs by performing a known action (e.g., upload a test file, log in) and requesting the related entries. If the host cannot provide logs or only provides aggregated analytics, treat this as a compliance gap.
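The log verification step above, as an added Python example that is not part of the original article: it parses a combined-format access-log extract (a constructed sample, not real host output), looks for the known test action by source IP, method, URL and time window, and flags entries missing the fields listed above as well as lines that are only aggregated analytics.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Fields an audit needs on every entry (the list given in the article).
REQUIRED = ("ip", "time", "method", "url", "status", "agent")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it is not one."""
    m = COMBINED.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    return fields

def verify_test_action(log_text, ip, method, url, when, window_minutes=5):
    """Look for a known test action in a log extract and check its fields.
    Returns (found, findings); an empty findings list means the extract passes."""
    findings, matches = [], []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            # Aggregated analytics or a redacted format cannot support an audit.
            findings.append(f"unparseable or aggregated line: {line[:40]}")
            continue
        if (f["ip"] == ip and f["method"] == method and f["url"] == url
                and abs(f["ts"] - when) <= timedelta(minutes=window_minutes)):
            matches.append(f)
    if not matches:
        findings.append("test action not found in extract")
        return False, findings
    for f in matches:
        missing = [k for k in REQUIRED if f.get(k) in (None, "", "-")]
        if missing:
            findings.append("entry lacks fields: " + ", ".join(missing))
    return True, findings

# Constructed sample: the time of the test login and the extract the host returned,
# which contains one aggregated summary line instead of a raw entry.
TEST_TIME = datetime(2026, 4, 8, 14, 0, tzinfo=timezone.utc)
SAMPLE = """\
203.0.113.7 - - [08/Apr/2026:14:02:11 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 audit-test"
total_requests=1432 unique_visitors=211
"""

if __name__ == "__main__":
    print(verify_test_action(SAMPLE, "203.0.113.7", "POST", "/admin/login", TEST_TIME))
```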

Contract language you can request or record

If the provider will not sign a traditional BAA, ask them for written assurances you can use in your records. Below are practical clauses or requests to include in negotiation or documentation.

Sample BAA-style assurance (short)

"Provider agrees to implement reasonable and industry-standard administrative, physical, and technical safeguards to protect customer data and will notify Customer within 72 hours of discovering a security incident affecting Customer data. Provider will provide reasonable cooperation to Customer in responding to and documenting security incidents."

Minimal SLA & notification clause

"Provider will retain and, upon Customer request, provide raw access and authentication logs for a minimum of 12 months. Provider will deliver log extracts in machine-readable format within 5 business days of request."

Note: these clauses do not replace a BAA. If you handle PHI, consult legal counsel and prefer a host that signs a full BAA.

If the host won’t sign a BAA: reasonable mitigations

When replacing hosting is not immediately possible, implement compensating controls:

  • Move PHI capture and storage to a service that will sign a BAA (secure form processors, HIPAA-compliant email gateways, or EHR vendor APIs).
  • Use client-side encryption where the host only stores ciphertext and keys stay with you or a compliant KMS.
  • Disable file uploads and avoid embedding EHR links that pass tokens through the hosting provider.
  • Document the provider's limitations and your compensating controls in your HIPAA risk assessment.

Practical audit checklist you can bring to a host call

  1. Do you sign a BAA? (Get a yes/no in writing.)
  2. What encryption is used in transit and at rest? (Ask for TLS versions and encryption-at-rest details.)
  3. Can I get raw server and auth logs on demand, and how long are logs retained?
  4. Do you support MFA and role-based access controls? Can admin accounts be IP-restricted?
  5. Where are servers located? Which cloud provider/region hosts my data?
  6. Do you have SOC 2/HITRUST reports or other third-party audits? Can I review a summary?
  7. What is your incident response and breach notification timeline?
  8. How do you handle backups and secure deletion on contract termination?

Resources and next steps

When you need to move from free hosting to more secure options, check our practical hosting guides and tips for small sites:

Final note

HIPAA compliance is more than a checklist — it’s an ongoing program of assessments, controls, and documentation. Use this checklist to triage risk, negotiate basic contractual assurances, and document compensating controls. When PHI is involved, prioritize a host that will sign a BAA or move PHI handling to a compliant service. If in doubt, consult legal counsel or a security professional before launching or migrating patient-facing functionality.
