When you’re evaluating hosting or Co-location, “compliance” can sound like a label providers throw around to signal trust. But HIPAA, PCI, and DIACAP aren’t interchangeable badges, and they don’t carry the same expectations, evidence, or risk.
We’ve long emphasized that customers should look for proof of compliance alignment, not just claims, when choosing a data center or Co-location partner.
Here’s what each framework really means in practical terms, and how it should shape your hosting and Co-location decisions.
First: Hosting vs. Co-location (Why the Difference Matters)
Before we talk about compliance, you need clarity on the service model:
- Co-location: You own the hardware; the provider supplies space, power, cooling, and physical security (and sometimes connectivity). Compliance responsibilities are shared, and your compliance scope usually extends well beyond what the Co-location provider covers.
- Hosting / managed infrastructure: The provider owns and/or manages more of the stack (hardware, hypervisor, OS, monitoring, backups, etc.). More provider control can mean more compliance obligations for providers (and more evidence you should demand).
This matters because HIPAA, PCI, and DoD frameworks ultimately come down to who controls what and who can affect data security.
HIPAA: It’s About Protecting ePHI and Governing Vendor Responsibility
What HIPAA means for hosting/Co-location
HIPAA applies when electronic protected health information (ePHI) is created, received, maintained, or transmitted on behalf of a covered entity or business associate.
If a cloud/hosting provider (or in many cases, a managed service provider) touches ePHI in those ways, they are typically considered a Business Associate, and a Business Associate Agreement (BAA) is required.
Importantly, HHS has clarified that a cloud service provider can be a Business Associate even if it only stores encrypted ePHI and doesn’t hold the encryption key.
What to require from a hosting or Co-location partner
For HIPAA-aligned environments, the real questions are:
- Will the provider sign a BAA?
If not, you’re usually looking at a non-starter for ePHI workloads. HHS guidance is explicit that the relationship requires a HIPAA-compliant BAA when the provider is creating/receiving/maintaining/transmitting ePHI for you.
- What safeguards are implemented (administrative, physical, technical)?
HIPAA’s Security Rule is structured around those safeguard categories, so you should expect evidence and documentation that maps to them.
- Where does shared responsibility start and end?
HIPAA compliance is not “outsourced.” Even with a strong provider, you still need governance, access management, and risk management in place.
What HIPAA should change in your decision
- Choose providers who can support HIPAA-required safeguards and will contractually commit via a BAA.
- Prefer environments where audit evidence, access logging, incident procedures, and physical security controls are mature and provable, not implied.
PCI DSS: It’s About Securing Cardholder Data and Proving Controls
What PCI means for hosting/Co-location
PCI DSS applies when you store, process, or transmit payment card data and includes specific requirements for network security, access control, monitoring, vulnerability management, and more.
Service providers aren’t “PCI compliant” in a vacuum. PCI expectations depend on the services they provide and the systems they can affect. The PCI Security Standards Council makes it clear that service providers are expected to meet PCI DSS requirements as applicable to the services they offer, and that multi-tenant providers may have additional requirements.
What to require from a hosting or Co-location partner for PCI compliance
For PCI-aligned workloads, you should ask:
- What PCI evidence can you provide (AOC/ROC as applicable)?
Don’t settle for “we’re PCI compliant.” Ask what documentation exists and what parts of the environment it covers.
- What’s the responsibility matrix?
In many Co-location arrangements, the provider primarily supports physical security and facility controls, while the tenant owns most of the controls inside the rack and within the network/system stack. (This shared scope is a common source of failed audits.)
- How do you handle multi-tenant risk?
If you’re in a shared environment (especially for hosting/cloud-like services), ensure the provider understands and can support multi-tenant requirements where applicable.
What PCI should change in your decision
- You should favor providers who can clearly explain scope boundaries and provide proof aligned to their responsibilities.
- For PCI environments, “secure building” isn’t enough; you need clarity on segmentation, logging, access controls, vulnerability processes, and incident handling across the parts the provider touches.
DIACAP: A Legacy DoD Framework You Still Hear About, But RMF Is the Current Reality
What DIACAP means today
DIACAP (DoD Information Assurance Certification and Accreditation Process) is a deprecated DoD framework that was replaced by the DoD Risk Management Framework (RMF).
You may still see DIACAP referenced in older contracts, legacy system environments, or provider marketing—especially if they’ve supported federal customers for a long time. But if you’re making current hosting/Co-location decisions tied to DoD expectations, you should be thinking in terms of RMF alignment.
DoD Instruction 8510.01 governs RMF for DoD IT, and multiple official references state that RMF replaces DIACAP.
What to require from a hosting or Co-location partner
For DoD-adjacent requirements:
- Do they understand RMF and current control expectations (NIST-based)?
DoDI 8510.01 states NIST publications are authoritative guidelines for DoD RMF.
- Can they support authorization-related workflows, documentation, and auditing expectations?
Even if the provider isn’t authorizing your system, their controls and evidence can become part of what your organization must document.
- Are their claims current?
If a provider leads with “DIACAP compliant,” ask how that maps to modern RMF expectations and evidence.
What DIACAP/RMF should change in your decision
- Prefer providers who speak the language of RMF and NIST-based controls, not only legacy terminology.
The Practical Takeaway: Compliance Labels Don’t Make You Compliant, Evidence Does
No matter the framework, your job is to identify two things:
1) What data and systems are in scope
- ePHI → HIPAA expectations + BAA requirements
- Cardholder data → PCI DSS expectations + service provider scoping
- DoD workloads → RMF alignment expectations (even if DIACAP is mentioned historically)
2) What your provider can affect
If a provider can affect the confidentiality, integrity, or availability of regulated data, even indirectly, you need contractual alignment and operational evidence.
This is why we have historically advised that if a provider can’t show proof of compliance alignment (or refuses to provide evidence), you should move on.
A Simple Checklist for Hosting & Colo Shortlists
When comparing providers, ask for:
- Contractual readiness
- HIPAA: Will they sign a BAA?
- PCI: Can they provide PCI evidence aligned to their services?
- DoD: Can they map controls/evidence to RMF expectations?
- Operational evidence
- Physical access controls and logging
- Incident response procedures
- Monitoring and alerting expectations
- Change management and patching processes (where applicable)
- Clear shared-responsibility documentation
- Proof over promises
- Third-party audits/attestations where relevant
- Written scope statements (what the provider covers vs. what you cover)
- A willingness to walk through the controls, not just list them
HIPAA, PCI, and DIACAP/RMF Readiness
HIPAA, PCI, and DIACAP/RMF influence hosting and Co-location decisions in different ways, but they all push you toward the same principle:
Choose providers who can prove control maturity, clarify shared responsibility, and commit contractually where required.