Hosting decisions for a small practice: VPS vs. shared vs. managed
The clinic was paying $11 a month for shared hosting. The site was down once a week for 20 minutes. The site was slow because they shared a server with 400 other tenants, and one of them was always running a backup or a cron job that spiked the CPU. The marketing person did not know any of this. They knew the site was slow and they thought it was a WordPress problem. It was not. It was a hosting problem dressed up as a WordPress problem. Clinic website hosting is the decision that most often determines whether a site feels fast, stays up, and survives a HIPAA audit.
Hosting decisions for a small clinic are not glamorous, but they shape every other technical decision downstream. This post is the honest framework I use when a clinic asks where to host.
The three clinic website hosting categories, in plain terms
Shared hosting is what most clinics start with. The clinic rents space on a server that is also serving dozens or hundreds of other sites. The cost is low, often $5 to $15 a month. The reliability is bounded by what the noisy neighbors are doing. The security posture is whatever the hosting company enforces, which is usually adequate for a static brochure site and inadequate for anything that handles patient information.
Managed WordPress hosting is the middle option. Vendors like Kinsta, WP Engine, Pressable, and Cloudways run WordPress for you on dedicated containers or virtual machines. The cost is meaningfully higher, $30 to $100 a month for a small practice. You give up some flexibility (their PHP versions, their plugin restrictions, their caching layer) and you get back operational reliability, automated backups, better performance, and a support team that knows WordPress.
VPS hosting is renting a virtual private server. Hetzner, DigitalOcean, Linode, Vultr. The clinic (or the developer they hire) owns the operating system, the web server configuration, the database, the security updates, the backup strategy. The cost is in the same range as managed WordPress for the hardware ($10 to $40 a month), plus the labor cost of running it. The reward is full control and substantially better performance per dollar.
The HIPAA dimension
The first question is not price. It is whether the host will sign a business associate agreement (BAA). If the clinic’s site handles protected health information, or PHI (intake forms, contact forms that ask about conditions, anything beyond a static brochure), the host needs to be a business associate.
- Shared hosts almost never sign BAAs. The shared-tenancy model is incompatible with the access controls HIPAA requires. Any clinic on shared hosting that collects PHI has an exposure they probably are not aware of.
- Managed WordPress hosts have a mixed posture. Kinsta and WP Engine offer HIPAA-compliant tiers at meaningfully higher prices. Pressable and most others do not. The HIPAA tier is sometimes called “healthcare,” sometimes “enterprise,” and the pricing jump is usually 3 to 5 times the standard tier.
- VPS hosts like DigitalOcean and Hetzner will sign BAAs on their business or enterprise tiers, with specific configuration requirements. The clinic (or their developer) is responsible for the application-layer compliance. The host provides the infrastructure-level compliance.
If the answer to the BAA question is “no” or “only on a tier you cannot afford,” the host is wrong for the clinic, regardless of every other factor.
The performance dimension
On a typical small-clinic WordPress site, here is what I have measured on each tier:
- Shared hosting ($5-15/mo): TTFB 600-1500 ms, variable. LCP 3-5 seconds. Frequent slow periods when neighbors spike. Outages weekly to monthly.
- Managed WordPress (mid-tier, $30-50/mo): TTFB 200-400 ms, stable. LCP 1.5-2.5 seconds. Outages rare.
- Managed WordPress (HIPAA tier, $150-400/mo): TTFB 150-300 ms. LCP 1.5-2.5 seconds. Adds compliance posture and audit logging.
- VPS with good configuration ($10-30/mo + setup labor): TTFB 50-200 ms. LCP 1-2 seconds. Outages rare if configuration is competent.
- VPS with bad configuration: Worse than shared hosting. Easy to get wrong if you do not know what you are doing.
VPS with good configuration is the performance leader at the price point. It is also the tier with the highest variance, because the outcome depends entirely on who is configuring it.
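To tell a stable TTFB from a variable one on your own site, sample it repeatedly and look at the slow tail rather than a single reading. The script below is an added example, not the tooling behind the measurements above; the spike factor of 2, the two sample lists, and the placeholder URL are assumptions.

```python
import http.client
import statistics
import time
from urllib.parse import urlsplit

# Constructed samples in ms, shaped like the tiers described above (not real data).
SHARED_LIKE = [620, 650, 700, 680, 640, 1500, 660, 690, 710, 1450,
               630, 670, 700, 1480, 650, 690, 720, 640, 1400, 680]
VPS_LIKE = [82, 90, 78, 85, 88, 95, 80, 84, 91, 87]


def measure_ttfb_ms(url, timeout=10.0):
    """One sample: ms from connect until the response headers have arrived."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    start = time.perf_counter()
    try:
        conn.request("GET", parts.path or "/")  # connects lazily, so TLS is timed
        conn.getresponse()  # returns once status line and headers are read
        return (time.perf_counter() - start) * 1000.0
    finally:
        conn.close()


def summarize(samples_ms, spike_factor=2.0):
    """Median, nearest-rank p95, and share of samples above spike_factor x median."""
    if not samples_ms:
        raise ValueError("need at least one sample")
    ordered = sorted(samples_ms)
    n = len(ordered)
    median = statistics.median(ordered)
    p95 = ordered[(95 * n + 99) // 100 - 1]
    spikes = sum(1 for s in ordered if s > spike_factor * median)
    return {
        "median_ms": median,
        "p95_ms": p95,
        "spike_share": spikes / n,
        # Assumed rule of thumb: "variable" when the slow tail is far from the median.
        "variable": p95 > spike_factor * median,
    }


if __name__ == "__main__":
    import sys
    # Usage: python ttfb.py https://clinic.example/  (placeholder URL)
    samples = [measure_ttfb_ms(sys.argv[1]) for _ in range(20)]
    print(summarize(samples))
```

Run it at a few different times of day; a single batch can miss the periods when a neighbor's job is running.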
The maintenance dimension
This is the dimension that gets undercounted in vendor comparisons. Each tier has a different maintenance profile.
Shared hosting requires almost no infrastructure maintenance. The host handles the OS, the web server, the database. The clinic handles WordPress updates, plugin updates, theme updates, content. Low labor cost. A real cost if the host has a problem.
Managed WordPress reduces clinic-side maintenance further. The host often handles WordPress core and major plugin updates. The clinic handles content, theme decisions, and the plugins the host does not manage. Low labor cost. Some flexibility cost (the host may not allow certain plugins).
VPS requires real maintenance discipline. OS security updates, PHP updates, web server reconfiguration when versions change, database backups, monitoring, logging. The clinic does not do this themselves. The clinic hires someone, or pays for a managed service on top of the VPS. The all-in cost can match or exceed managed WordPress, with the upside that the configuration is exactly what the clinic needs rather than what fits in a vendor’s product.
What we recommend, in practice
For a small clinic with a static brochure site, no forms, no PHI: shared hosting from a reputable provider (SiteGround, A2, DreamHost) is fine. Move when the site grows.
For a clinic with an intake form, a contact form, or any PHI handling: shared hosting is the wrong answer. The choice is between managed WordPress on a HIPAA tier and a VPS with a developer who handles the configuration. Both are defensible. The VPS is usually 30 to 50 percent cheaper all-in; the managed option has more predictable monthly costs.
For a clinic that is growing, adding services, or planning custom integrations: VPS, almost always. The flexibility pays for itself the first time you need to add a Go binary alongside PHP, or run a cron job that the managed host does not allow, or self-host an internal service.
The hidden cost of staying on shared
The clinic at the top of this post moved to a Hetzner VPS with CloudPanel for management. Total monthly cost: $13 for the VPS, $30 for the managed-service overhead from our side, $43 all in. Up from $11 on shared hosting, which came with the 20-minute weekly outages.
The 32-dollar increase per month bought them a TTFB under 100 ms, no outages in 18 months, a BAA-eligible host, and full control over their WordPress installation. They estimate the front desk recovered three to five hours a month previously spent fielding “the website is broken” calls. At a fully loaded labor cost, the move paid for itself in the first month.
Hosting decisions almost always look cheaper than they are. The shared host’s price tag is the line item. The cost is in the calls the front desk took, the patients who closed the tab, and the exposure that nobody priced in. See the related post on refilling vs. rebuilding and our plans page for how we structure migrations.
