No, you only need to have a valid SSL certificate installed and set up (the URL in your address bar should start with https:// and your browser should indicate that the connection is secure).
You do not need a special HIPAA Compliant hosting solution because the form data is never actually stored on your hosting server. Even though you build the forms on your website, the form data is not saved on your website. Instead, when a person clicks on a HIPAA Compliant form’s submit button, the form data is encrypted and sent through the HIPAA FORMS Service API, where it is then stored on a HIPAA Compliant data storage solution and remains encrypted. Even when you log into your administrator dashboard with the appropriate credentials and user roles and view the submitted forms, the data never actually rests on your hosting server; it is simply pulled from the HIPAA FORMS Service API and then decrypted for viewing.
The only way the protected form data can leave the HIPAA FORMS Service is by clicking the “generate PDF” button next to a submitted form, in which case you must provide a password, which will then be used to access an encrypted and password-protected PDF version of the form. Once the PDF is created and you enter the password, you can then print or save the PDF to your hard drive. While the PDF is encrypted and password protected, we HIGHLY recommend only downloading the PDF files to an encrypted hard drive.
If you would feel more comfortable hosting your website on a HIPAA Compliant hosting solution, we do offer hosting options.
Click here to read about requiring a BAA with your Host Server.
IMPORTANT: While HIPAA Forms is designed to ensure your website is using SSL/HTTPS and will not function under unsecured HTTP, it is the Covered Entity's responsibility to ensure that other aspects of your server configuration, such as load balancers, also operate under HTTPS to remain HIPAA compliant. Your hosting company and/or website administrator should be able to confirm this easily if asked.