HIPAA Questions Answered – A Real World Scenario

HIPAA Questions Answered

Topics: Cyber Liability Insurance, Patching, Disaster Recovery, Encryption at Rest & Data Destruction

Healthcare companies around the United States know that they must meet the standards of two landmark pieces of healthcare legislation, HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act of 2009). Although, of course, many healthcare providers, plans, and data clearinghouses care about the privacy and security of their patient information, these regulations sought (in part) to make failing to protect sensitive medical data extremely unattractive.

With HIPAA, healthcare organizations now have an additional incentive beyond medical ethics to safeguard their patients’ data, especially in electronic form: avoiding fines. According to the American Medical Association (AMA), fines can be as much as $50,000 per violation, with total annual fines per organization capped at $1.5 million.

The statistics from the Health & Human Services (HHS) Department suggest a crackdown from this major branch of the federal government reminiscent of the enormous quantity of car recalls in 2014, a record-breaking year for the National Highway Traffic Safety Administration (NHTSA).

A look at the numbers – total violations resolved by HHS

• 2004 – 4799 resolutions
• 2009 – 8106 resolutions
• 2013 – 14,300 resolutions.

Clearly, these numbers are rising. Furthermore, it’s just the beginning: Law360 reported on June 12, 2014, that a senior attorney with the HHS promised “aggressive punishment” for any violations. Jerome B. Meites, a top regional civil rights attorney for the agency, told attendees of an American Bar Association meeting held in Chicago that the HHS was planning to increase its efforts to police the healthcare industry and uphold consumer rights.

Regardless of anyone’s opinions on the law, healthcare companies should be concerned with HIPAA. They should have lots of questions for any company they are considering as a business associate (such as a hosting service). Here is a real-world scenario in which one of our clients, the CEO of a medical laboratory on the market for a HIPAA package, asked one of our hosting consultants for pertinent information.

Real-world scenario – HIPAA for healthcare lab

Client:

I am the COO of a small laboratory. We currently have two Windows servers. One is running IIS and hosts around a dozen websites that use a maximum of 1-2 MB of throughput per day. We also have 3 SQL Server Express databases that will NEVER go beyond the 10GB limit. What would be our total monthly cost using the HIPAA Starter Package? Thanks.

Consultant:

Thank you for contacting Atlantic.Net. Based on your requirement for having a separate database SQL Express server, we will have to increase the amount of RAM in the dedicated server in order to create ( 2 ) VM’s inside the dedicated server.

I have attached the formal proposal. The pricing is the Starter Package pricing along with the extra RAM that is required to virtualize the server into ( 2 ) VM’s. Also attached are the following supporting documents:

1. Fully Managed Hardware Firewall
2. Encrypted VPN’s
3. Intrusion Detection System
4. HIPAA Business Associate Agreement (BAA).

An overview of the technology is as follows:

• Fully Managed Hardware Firewall w/ 5 VPN’s
• Intrusion Detection System / Log Management / Log Monitoring
• Windows Standard 2012 R2
• Hypervisor: HyperV
• Core I3-3240 Dual Core 3.4 GHz w/HT
• 24 GB of RAM
• 2 X 160 GB SATA 3 RAID 1
• LSI Hardware RAID Card
• ( 2 ) VM’s
• 10 TB of Monthly Data Transfer with a100 Mbps Port
• 100% Uptime SLA (service level agreement)
• MS SQL Server Express
• 24x7x365 support by live phone or email.

Do you have any questions pertaining to this HIPAA Hosting proposal?

Client:

A colleague of mine has advised me to ask how Atlantic.Net handles the following:

• Cyber Liability Insurance
• Patching
• Disaster Recovery
• Encryption at Rest
• Data Destruction.

Consultant:

Here are the answers to your questions:

Cyber Liability Insurance

We have cyber liability insurance through a major insurance carrier.

Patching

There are two options:

1. You can do your own patching.
2. You can purchase our fully managed hosting package, which is an extra $100.00 per month. We would perform the patches, along with additional managed services. I have attached the Managed Hosting Package document for your review.

Disaster Recovery

I have attached our DR plan for your review.

Encryption at Rest

Some customers require encryption at rest, and others do not. The Starter Package has SATA (serial ATA) hard drives that are not encrypted, but you can substitute Encrypted At Rest hard drives for an extra charge. The smallest Encrypted At Rest hard drives are 1 TB SAS (serial attached SCSI) drives. Those drives would increase the cost of the Starter Package by $25.00 per month.

Data Destruction

All used or damaged equipment is destroyed, and all hard drives have the data removed before their destruction. This is in accordance with HIPAA regulations.

Choosing your business associates wisely

We love it when our customers and potential customers ask us questions. It’s an opportunity to provide evidence that we are widely knowledgeable on the protection of PHI (protected health information) and technology systems in general. We have been in business since 1994. One of our healthcare clients, Complete Healthcare Solutions, said they chose us for our “secure infrastructure and expertise in healthcare IT.” Explore your HIPAA Compliant Hosting options along with our full line of VPS Hosting Solutions.