Buyers Guide / 2026 Edition

The HIPAA Hosting Buyers Guide: 12 Questions to Ask Before You Sign a BAA

HIPAA-compliant hosting vendors all market themselves identically. This guide is twelve questions, drawn from real audits and real breach response engagements, that reveal who delivers a HIPAA program versus who delivers infrastructure compliance only. Use it on every vendor call.

By Petronella Technology Group. Founded 2003. CMMC RPO #1449. Raleigh, NC.
Call (919) 348-4912 or visit petronellatech.com/offers/switch-from-hipaavault/ to book the free 30-minute audit.

What is in this guide

  1. Introduction: why this guide exists
  2. Q1: Is your penetration testing in-house or outsourced?
  3. Q2: Do you author my organization's HIPAA policies, or just give me templates?
  4. Q3: Do you deliver HIPAA workforce training, or just remind me it is required?
  5. Q4: Do you conduct a formal Security Risk Assessment per 45 CFR 164.308(a)(1)(ii)(A)?
  6. Q5: Will your BAA cover incident response and breach notification, or just hosting uptime?
  7. Q6: What is your incident response time, and do you offer an IR retainer?
  8. Q7: What evidence packet do you produce in an OCR audit?
  9. Q8: Are you SOC 2 Type II audited? If not, how do you demonstrate equivalent control posture?
  10. Q9: What is your BAA chain when subcontractors are involved?
  11. Q10: What does my exit look like? Data portability, time, cost?
  12. Q11: What do you NOT do?
  13. Q12: What is your tenant cap?
  14. Closing checklist: the vendor scorecard
  15. About Petronella Technology Group

Introduction

HIPAA-compliant hosting vendors all market themselves identically. Open ten of their homepages side by side and you will see the same phrasing: signed Business Associate Agreement, AES-256 encryption at rest, RSA-2048 in transit, 24/7 monitoring, six-year log retention, multi-tenant isolation, hardened images, managed firewall rules. Some add a Compliancy Group seal. Some add a SOC 2 Type II attestation. Most claim "true HIPAA compliance" or "fully HIPAA compliant cloud."

The problem is not that any of those claims are false. The problem is that they are all describing the same scope: the host's own infrastructure. Buyers cannot tell, from this kind of marketing, who actually delivers HIPAA program support to the covered entity versus who delivers only infrastructure compliance.

The cost of getting this wrong shows up at OCR audit time, or after a breach, when the covered entity learns that the host's BAA covers only the host's stack and not the covered entity's organization. The Security Risk Assessment under 45 CFR 164.308(a)(1)(ii)(A) is a covered-entity obligation. The workforce training program is a covered-entity obligation. The breach notification workflow under 45 CFR 164.400 to 164.414 is a covered-entity obligation.

This guide is twelve questions that reveal the difference, plus a one-page checklist you can run on any vendor before you sign. The questions are designed to be asked verbatim on a sales call. The answers, properly scored, will tell you whether you are buying a host, a partner, or something in between.

We at Petronella Technology Group built this guide because we lost a client who learned the difference the hard way. They left a bundled hosting plus compliance program retainer to save on the hosting line. Twelve months later, an upstream contract required them to produce a current Security Risk Assessment, a workforce training attestation log, and an incident response plan that fired during a tabletop exercise. None of those artifacts were in the new vendor's scope. We do not name them. We just want you to recognize the pattern before you walk into it.

The 12 Questions

Question 01

Is your penetration testing in-house or outsourced?

Why it matters

A penetration test is not a vulnerability scan. A scan runs automated tooling against your stack and produces a list of CVEs. A pen test is a human exercise in which a credentialed tester attempts to actually compromise your environment using the same techniques an adversary would. HHS does not mandate annual pen testing in the rule itself, but pen testing is named in NIST 800-66 (the HIPAA Security Rule implementation guide) as part of evaluation under 45 CFR 164.308(a)(8), and most HIPAA program audits expect to see one annually.

What to listen for

A simple yes or no, and then who. If the answer is "yes, in-house, by our team," ask for the lead tester's credentials. The Digital Forensics Examiner credential, the OSCP, the GPEN, or equivalent should be on staff. If the answer is "yes, through a partnering agency," you are now shopping two vendor relationships: the host and the testing agency.

HipaaVault publishes verbatim on their own page that they "provide comprehensive penetration testing services through a partnering agency for healthcare organizations." This is honest disclosure. The customer-side implication is that the pen testing relationship is layered, not bundled.

Source: https://www.hipaavault.com/hipaa-pen-testing/

Score this answer

In-house, named tester, credential on file equals full credit. Outsourced through a single named partner with a separate BAA equals partial credit. "We use various partners" or "depends on the engagement" equals treat as no.

Question 02

Do you author my organization's HIPAA policies, or just give me templates?

Why it matters

HIPAA policies and procedures are a 45 CFR 164.316 obligation. The rule requires written policies and procedures that are "reasonably designed" to comply with the Security Rule, that account for the size and complexity of the covered entity, and that are kept current. Templates fail this test on their face because they are not designed for your size, your complexity, or your workflow. An auditor opens a template policy, sees a sentence like "the Security Officer shall determine appropriate access controls," asks who your Security Officer is, and the conversation goes downhill from there.

What to listen for

Authored policies are scoped to your organization: your roles, your vendors, your data flows, your sanction policy specific to your employee handbook, your contingency plan specific to your facility and your downtime tolerance. The vendor should ask you questions before delivering a draft. They should iterate. They should produce policies you can sign, name a Security Officer in, train your workforce on, and produce on demand at audit time.

Score this answer

Authored, scoped to your org, with iterative review equals full credit. Templates with a fill-in-the-blank cover sheet equals partial credit, but understand that the work to make those defensible at audit is still on you. "We point you to the HHS sample policies" equals no credit; you do not have a HIPAA policy program.

Question 03

Do you deliver HIPAA workforce training, or just remind me it is required?

Why it matters

Workforce training under 45 CFR 164.308(a)(5) is a Security Rule administrative safeguard. The covered entity must train all members of its workforce on policies and procedures, must document the training, must retrain after material changes, and must produce attestation records on demand. This is one of the first artifacts an OCR auditor asks for, because it is one of the easiest ones to miss. Hosts that do not deliver training leave the covered entity to find a separate training vendor, which means another contract, another platform, another login, another data export problem when you switch.

What to listen for

"Yes, we deliver training, here is the curriculum, here is the LMS or video module set, here is how attestation is logged, here is how new hires are routed in, here is how annual retraining is scheduled, here is the report you can hand to OCR if asked." If the vendor cannot produce a sample attestation report in the demo, they are not delivering a training program.

Score this answer

Bundled training delivery with attestation tracking and an audit-ready report equals full credit. "We have a training video you can buy as an add-on" equals partial credit; expect a separate invoice and a separate platform. "We will remind you when training is due" equals no credit.

Question 04

Do you conduct a formal Security Risk Assessment per 45 CFR 164.308(a)(1)(ii)(A)?

Why it matters

The Security Risk Assessment is the foundation of a HIPAA program. The rule under 45 CFR 164.308(a)(1)(ii)(A) requires the covered entity to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is a covered-entity obligation, not an infrastructure obligation. Hosting vendors typically conduct their own internal SRA on their own stack, which is fine and expected, but that is not the SRA your auditor wants. Your auditor wants the SRA that covers your organization: your workflows, your data flows, your downstream vendors, your physical facility, your remote workforce, your backup posture, your access provisioning, your sanction policy, your contingency plan, your business associates, your subcontractors.

What to listen for

The SRA your vendor delivers should result in a written report, scoped to your organization, dated, signed, and updated at least annually or after material changes. The report should map identified risks to specific controls or remediation projects. The report should be defensible at OCR.

Score this answer

Annual, organization-scoped, written, signed, updated SRA delivered as part of the retainer equals full credit. "We can refer you to a third-party assessor" equals no credit; that is not a bundled service. "Our hosting is HIPAA-assessed, so you do not need one" equals run; that answer is wrong on the facts.

Question 05

Will your BAA cover incident response and breach notification, or just hosting uptime?

Why it matters

A Business Associate Agreement under 45 CFR 164.504(e) defines what the business associate will do, and not do, with PHI. Most hosting BAAs are tightly scoped: the BAA covers the host's safeguards on the host's infrastructure, and the host's notification obligation to the covered entity if the host detects a breach in the host's stack. That is reasonable. What it does not cover is the covered entity's obligations under the Breach Notification Rule (45 CFR 164.400 to 164.414): identifying that a breach occurred, conducting the four-factor risk assessment to determine reportability, notifying affected individuals within 60 days, notifying HHS, notifying media if 500 or more individuals are affected in a single state, documenting the entire workflow.

What to listen for

Ask the vendor to read the relevant section of the BAA out loud. If the BAA says "Business Associate will notify Covered Entity within X hours of discovering a breach affecting Business Associate's systems," that is the standard hosting BAA. It is not a breach notification workflow. A vendor who delivers an incident response and breach notification workflow will say so explicitly: who runs the four-factor analysis, who drafts the individual notification letters, who files with HHS, who runs the tabletop exercises, who maintains the retainer hours.

Score this answer

Bundled IR and breach notification workflow with retainer hours and named owners equals full credit. Breach notification template with self-service guidance equals partial credit. "Notification on our stack only, you handle the rest" equals standard BAA; plan accordingly.

Question 06

What is your incident response time, and do you offer an IR retainer?

Why it matters

When a covered entity calls a hosting vendor at 2 AM because something is wrong, the vendor's incident response is operating on the host's stack: server is down, traffic spiked, SSL cert expired, intrusion detection fired. That is hosting incident response, and a 15-minute critical-response SLA on hosting is a meaningful number. Breach incident response is different. The covered entity has discovered, or suspects, that PHI was disclosed in violation of the Privacy Rule. Now you need a forensic preservation step, a four-factor analysis, a legal hold, regulatory clock management, individual notification, HHS notification, and possibly law enforcement coordination.

What to listen for

Two distinct SLAs: hosting incident response (their stack) measured in minutes, and breach incident response (your data) measured in hours of retained capacity. A retainer model with named hours is a strong signal. Pay-as-you-go breach response at hourly rates with no retainer is workable but understand you will be negotiating fees during the worst week of your year.

Score this answer

Two distinct SLAs, retained breach IR hours, named forensic lead equals full credit. One SLA covering "any incident" equals ask follow-ups. No breach IR scope equals standard hosting; plan to retain a separate forensic vendor.

Question 07

What evidence packet do you produce in an OCR audit?

Why it matters

OCR HIPAA audits are document-driven. The auditor sends a request list, the covered entity responds within a deadline, and the response is graded against the rule. Hosts can produce hosting-side evidence: the SOC 2 attestation letter, the BAA, the encryption key management documentation, the multi-tenant isolation diagram, the access logs to the hosted environment. That evidence is necessary. It is also a small fraction of what the auditor requests. The covered entity needs organization evidence: the SRA, the policies, the training records, the sanction policy with employee acknowledgments, the contingency plan, the BAA inventory with downstream vendors, the access-review logs for human users, the audit log review evidence, the incident response plan, the breach notification log if applicable.

What to listen for

Ask the vendor to walk you through their audit-evidence packet. A vendor who has done this before will have a structured response: a binder, a shared drive folder, a portal export. They will distinguish hosting-side evidence from organization-side evidence. They will tell you which artifacts they own and which the covered entity owns. They will tell you how recent the artifacts are.

Score this answer

Vendor produces both hosting and organization evidence in a single packet, dated, current, defensible equals full credit. Vendor produces only hosting-side evidence and tells you so explicitly equals honest; plan to source the rest. Vendor cannot describe the packet equals no audit-evidence program.

Question 08

Are you SOC 2 Type II audited? If not, how do you demonstrate equivalent control posture?

Why it matters

SOC 2 Type II is a third-party audit attestation that an organization's controls operated effectively over a defined window, typically 6 to 12 months. It is not a HIPAA requirement. It is a contract requirement that some upstream parties impose, and it is a useful proxy for "this vendor has a control program a third party reviewed." A vendor without SOC 2 Type II is not automatically untrustworthy, but a vendor without SOC 2 Type II owes you a clear answer about what substitute proof of control posture they offer.

What to listen for

A vendor with SOC 2 Type II should be able to share a current attestation report under NDA. A vendor without SOC 2 Type II should be able to name what they do hold: registered provider organization status with a regulator-recognized body, third-party HIPAA seal verification, in-house pen testing, independent vulnerability disclosure handling, BBB rating with track record, named credentialed staff. These are not equivalent to SOC 2, and the vendor should not pretend they are.

Our own honesty. Petronella Technology Group does not currently hold a SOC 2 Type II attestation on our own infrastructure. Our substitute proof stack: CMMC Registered Provider Organization #1449 (verifiable at cyberab.org), entire team CMMC-RP credentialed, in-house penetration testing led by a Digital Forensics Examiner (DFE #604180), BBB A+ rating since 2003, and third-party HIPAA verification through the Compliancy Group Seal of Compliance mechanism for clients who contract for it. When a client's upstream contract requires a SOC 2-audited hosting layer, we route the hosting layer through a SOC 2-holding upstream partner while we own the program layer.

Score this answer

Current SOC 2 Type II attestation under NDA equals full credit. Honest acknowledgment of the gap with a named substitute proof stack equals partial credit; evaluate the substitutes against your risk. Vague claim of "SOC 2 readiness" or "SOC 2 alignment" equals no credit; that is marketing, not attestation.

Question 09

What is your BAA chain when subcontractors are involved?

Why it matters

Under 45 CFR 164.502(e)(1)(ii) and 45 CFR 164.504(e), a business associate must obtain satisfactory assurances, in the form of a written BAA, from any subcontractor that creates, receives, maintains, or transmits PHI on the business associate's behalf. This BAA chain extends downstream as far as the data flows. Hosting vendors often resell upstream cloud capacity (AWS, GCP, Azure), use a separate backup vendor, route email through a third-party provider, ship logs to a third-party SIEM, and engage a separate pen testing agency. Each of those subcontractors needs its own BAA chain.

What to listen for

Ask the vendor for a diagram. A vendor with a clean BAA chain will produce one without hesitation: a tree showing the covered entity at the top, the prime business associate (the host) below, and each subcontractor BAA branching out, with the date of each BAA and the named subcontractor. Vendors that resist this question, or produce it slowly, are signaling that the chain has gaps.

Score this answer

Current diagram, dated BAAs, every named subcontractor accounted for equals full credit. Verbal description of "we have BAAs with everyone we need" equals partial credit; ask for the diagram. No diagram, no list, no current dates equals treat as a finding.

Question 10

What does my exit look like? Data portability, time, cost?

Why it matters

Vendor lock-in is not a HIPAA rule violation by itself, but it becomes one fast if you cannot migrate cleanly when a contract ends or a vendor relationship sours. Proprietary backup formats, undocumented database schemas, encrypted archives whose keys are not held by the customer, and ambiguous export terms all create exit friction. When you eventually need to switch, you need to be able to leave with a current encrypted copy of all PHI in a documented, restorable format, on a defined timeline, at a defined cost.

What to listen for

Specific answers. "We provide a full encrypted export within 30 days of termination notice, in formats X, Y, Z, at no additional cost" is a clean answer. "Egress is billed at standard rates" with a sample bill from a comparable customer is workable. "We will work with you on a case-by-case basis" is a non-answer that becomes very expensive at the worst time.

Score this answer

Defined export format, defined timeline, defined cost, in writing in the master agreement equals full credit. "We have done this before, here is how it went" with a customer reference equals partial credit. Vague or refused equals treat as a major finding.

Question 11

What do you NOT do?

Why it matters

A vendor who claims to do everything is either misleading you or has so much scope creep that nothing is done well. A vendor with explicit "not us" guardrails is more trustworthy. They have thought about where their competence ends and where they refer out. The referrals they trust tell you something about their network and their judgment.

What to listen for

A vendor confidently saying things like "we do not provide mobile-device forensics, we refer to a Cellebrite-licensed examiner," or "we do not offer 24/7 SOC monitoring at scale, we partner with X for that tier," or "we do not handle international data residency, we route through Y in the EU," or "we do not consult on Stark Law, we refer to healthcare counsel." A vendor who answers "we can do all of that" is either a much larger company than they are pretending to be, or they are about to over-promise.

Score this answer

Clear list of not-us, with named referral partners equals full credit. Honest "we focus on X, ask us if you need Y" equals full credit. "We do everything you might ever need" equals treat as a yellow flag and ask follow-ups.

Question 12

What is your tenant cap?

Why it matters

Vendor economics drive vendor behavior. A vendor that scales to 50,000 customers has very different economics than a vendor that caps at 25 premium tenants. The high-volume vendor wins on price. The low-volume vendor wins on attention. Neither is wrong. The question is which model serves your need. If you are a 6-person specialty practice with a single office and a members LMS, you can be efficiently served by a high-volume hosting vendor. If you are a 75-employee multi-clinic group with a CMMC-adjacent upstream contract and a board-level cyber report due quarterly, the math on attention-per-tenant matters.

What to listen for

A vendor will not always volunteer their cap. Ask directly. A high-volume vendor will say "we have thousands of customers" or "we do not cap, we scale." A capped vendor will say "we run a small practice, currently capped at X tenants" and tell you what it costs to be in that practice. Both are valid. Match the model to your need.

Score this answer

Vendor names a model and a number, and the model fits your profile equals full credit. Vendor refuses to characterize their model equals partial credit; infer from their pricing tiers. Vendor claims unlimited scale at boutique attention equals treat as marketing; ask follow-ups.

Closing checklist: the vendor scorecard

Use this grid during vendor calls. Tick yes or no for each. A column per vendor. A vendor scoring 10 or higher is delivering a HIPAA program. A vendor scoring 6 to 9 is delivering substantial program support and you should know exactly which gaps you carry. A vendor scoring 5 or below is delivering hosting compliance only, which is a legitimate service, but the program layer is on you.

Question                                                        Vendor A   Vendor B   Vendor C
1. Pen testing in-house (named tester, credential on file)      [ ]        [ ]        [ ]
2. Policies authored to my organization (not templates)         [ ]        [ ]        [ ]
3. Workforce training delivered with attestation tracking       [ ]        [ ]        [ ]
4. Annual SRA per 45 CFR 164.308(a)(1)(ii)(A) for my org        [ ]        [ ]        [ ]
5. BAA covers IR and breach notification (not just uptime)      [ ]        [ ]        [ ]
6. Two distinct SLAs: hosting IR + breach IR (with retainer)    [ ]        [ ]        [ ]
7. OCR audit packet (hosting + organization evidence)           [ ]        [ ]        [ ]
8. SOC 2 Type II OR named substitute proof stack                [ ]        [ ]        [ ]
9. BAA chain diagram with named subcontractors and dates        [ ]        [ ]        [ ]
10. Exit terms in writing: format, timeline, cost               [ ]        [ ]        [ ]
11. Explicit not-us list with referral partners                 [ ]        [ ]        [ ]
12. Tenant cap model named and matches my profile               [ ]        [ ]        [ ]
Yes count                                                       ___        ___        ___

About Petronella Technology Group

Petronella Technology Group was founded in 2003 in Raleigh, North Carolina. We have held a BBB A+ rating continuously since the year we opened, which is now 23-plus years.

We are a CMMC Registered Provider Organization, RPO #1449. The membership listing is verifiable at cyberab.org. Every member of our delivery team holds the CMMC-RP credential, including Craig Petronella, Blake Rea, Justin Summers, and Jonathan Wood.

Craig Petronella, our founder, holds the Digital Forensics Examiner credential (DFE #604180), the CMMC-RP credential, the CCNA, and the CWNE. Craig leads in-house penetration testing engagements personally and oversees breach incident response.

Our office is at 5540 Centerview Drive, Suite 200, Raleigh, NC 27606. Our phone is (919) 348-4912.

We do not currently hold a SOC 2 Type II attestation on our own infrastructure. We will never claim otherwise. When a client's contract requires a SOC 2-audited hosting layer, our enterprise tier routes the hosting layer through a SOC 2-holding upstream partner. Petronella Technology Group continues to own the Security Risk Assessment, the policy authoring, the training delivery, the incident response, and the BAA chain.

Our verified client reviews: 15 Google reviews at 5.0 stars, plus 92 aggregated mentions surfaced through the Trustindex platform across review channels. We do not publish a fabricated AggregateRating schema. The numbers are the numbers.

We run a small, capped HIPAA hosting practice. We deliberately do not chase 1,000-tenant scale. The retainer model bundles hosting on our managed Plesk fleet with the program layer (SRA, policy authoring, training, IR, in-house pen testing). Pricing starts from $2,500 per month and scales by complexity. We will quote you after a 30-minute fit call, not before, because we want to know what you actually need before we propose a number.

Ready to talk?

Schedule a free 30-minute HIPAA hosting and program audit. You will leave the call with a one-page written gap summary, scored against the 12 questions in this guide, whether or not you choose us as your vendor.

Book the free 30-minute audit, or send a message.

Or call (919) 348-4912 directly. Reach our HIPAA compliance program at petronellatech.com/compliance/hipaa-compliance/ or our healthcare vertical view at petronellatech.com/industries/healthcare-cybersecurity/.
