Atlantic.Net Blog

A Story About a HIPAA-Compliant Website & Mobile App

Dell strategist Jim Stikeleather has argued that big data projects should tell a story.  He suggested that by thinking like journalists, data scientists could frame and communicate the information and filters they want to explore more deliberately and more engagingly.

Storytelling can aid the understanding of any subject, particularly technology, which can often seem opaque, dry, and impersonal.  People breathe life into technical subjects, as when stories are told of people solving problems with the tools of their era.

Since HIPAA-compliant hosting is one of our specialties, let’s look at a recent interaction with a client interested in hosting a healthcare site and mobile application.

*** Note that various details are changed for privacy, clarity, etc. ***

Healthcare Client:

Hello, I have a client that requires a HIPAA-compliant hosting service.  The client has a website and an app.  The app is for end-users to upload images of their doctor bills.  The website is where billing specialists review their claims and tell them if they were billed incorrectly.  This is a startup company with unknown needs as far as server size.  I would assume it would only require a small server, but we want to scale up quickly if this company takes off.  My job is to investigate hosting companies and recommend one to our client, who will establish the account independently.

Hosting Consultant:

Thank you for contacting Atlantic.Net.  We need answers to the following questions to provide you with a formal proposal.  In the meantime, I have attached a copy of our BAA and HIPAA Audit that you can review.

  • Does your client require a Linux or Windows platform?
  • How many internal users will be accessing the hosting platform?
  • Will there also be a database hosted on the platform?  HIPAA regulations require that a database and an application are hosted on separate servers.
  • Is 1 TB of storage space enough?

Healthcare Client:

  • It will be a Linux platform.
  • Internal meaning users that access the servers themselves – correct?  There would be 1 or 2 users responsible for updating the website and web services required for the iPhone app.  The client might want their own account also, although I don’t know for sure.  Are there additional costs associated with the number of authorized internal users?
  • Yes, there will be a database.  I understand HIPAA requires the database to be on a separate server.  Does this requirement mean it needs to be on a different physical server, or is virtual enough?
  • How quickly can the servers be scaled?  I think initially, 1 TB would be enough.  Again, we don’t know if this might be wildly successful and will require scaling.  If that is needed, can you provide information on costs to scale to more ample storage and machines?

Lastly, what kind of timeline is required to set up the account and go live with it?

Hosting Consultant:

Thank you for the information.  Attached you will find the formal pricing proposal.  We include (5) encrypted VPNs, so your internal users are covered.  We need a dedicated server environment for the storage.  However, we can separate the dedicated server into (2) virtual machines, and it still meets HIPAA requirements concerning the separation of the application and the database server.  This is built into our proposal.

The dedicated server we provide can hold up to (4) hard drives.  We are starting with (2) hard drives in a RAID 1 configuration (HIPAA platforms require RAID).  We can add another (2) hard drives at any time (again in a RAID configuration), and the SAS encrypted hard drives come in either a 1 TB or 2 TB size.  The dedicated server can hold 32 GB of RAM, and we are starting with 16 GB of RAM.  We need the 16 GB of RAM to create the (2) virtual machines, and we have to allow for RAM overhead for the hypervisor (we use KVM / Proxmox) on Linux VPS platforms.  You can add another 16 GB of RAM at any time.  If you need more resources than we can add to the one dedicated server, we would have to deploy a second dedicated server.  The firewall and intrusion system can support unlimited dedicated servers behind them.

The platform will take 5 to 7 days to deploy from the time we receive a signed agreement.  I have attached the following supporting documents for your review:

  • Fully Managed Hardware Firewall
  • (5) Encrypted VPNs
  • Intrusion Detection System
  • Fully Managed Daily Backup

Thank you for permitting Atlantic.Net to provide your organization with a custom proposal for a HIPAA Compliant Hosting Platform.  Below are the highlights of our proposal.  Please get in touch with us if you have any questions.

1.) Fully Managed Hardware Firewall

2.) (5) Managed Encrypted VPNs

3.) Intrusion Detection System

4.) Fully Managed Daily Backup

5.) Private Dedicated Server Platform – Linux CentOS 6.5 64-bit or Ubuntu 12.04

  • 4 Virtual Core Processor
  • 16 GB of RAM
  • 1 TB of Encrypted RAIDed Storage
  • (2) Virtual Machines (Web and App)

6.) 10 TB of Monthly Data Transfer with a 100 Mbps Port

7.) 100% Uptime SLA

8.) cPanel w/ WHM

9.) Kaspersky Anti-Virus

10.) 24 X 7 X 365 Live Technical Support by email / chat / phone

11.) Business Associate Agreement

12.) HIPAA Audited Data Center with SSAE SOC 2 Certification

$ XXXX per month on a 12-month agreement, with no setup fee.

Healthcare Client:

It looks good, but I have a couple of questions.  What do items 6 and 7 refer to?  I am not completely up to speed on the terminology here.  The price quoted on the Linux HIPAA Compliant Hosting Platform: is this the price our customer would pay on what you have quoted?  Also, if we need to scale, how would that affect the quoted price?

Hosting Consultant:

  • Item 6 is the amount of data transfer per month that the customer can use without being charged for overage bandwidth.  10 TB of monthly data transfer is equal to 33 Mbps of bandwidth.  The 100 Mbps port is the amount of bandwidth the customer can burst to at any given time.  We have large HIPAA customers, and no one ever exceeds the 10 TB of monthly data transfer.  If by some chance your customer does, the overage charge is xxx cents per month per GB.
  • Item 7 refers to the fact that we warrant the HIPAA hosting platform will stay up 100% of the time.  It also means that we are 100% responsible for all of the hardware that has been deployed to make the hosting platform work.  Hardware pricing for dedicated servers changes very rapidly.  I can only provide you with the monthly pricing if you added extra server resources today.  Each additional 8 GB of RAM is $ xx per month.  Each extra 1 TB SAS encrypted hard drive is $ xxx per month (they have to be added two at a time because of the required RAID configuration on the hard drives).  To add a second dedicated server to the hosting platform would be $ xxx per month (this server would have the same starting configuration as what is on the proposal I sent you).
  • The $ xxx per month is what your customer would pay without any upgrades to the dedicated server.

Healthcare Client:

One more question.  Where are the hosting centers?

Hosting Consultant:

We are in (5) data centers, but the HIPAA hosting platforms can only be hosted in our data center in Orlando, FL.  It is the only data center that has the HIPAA audit certification.

Healthcare Client:

Ok, I am recommending you to our client.  Thank you for your quick responses.

Partnering with HIPAA-Compliant Expertise

As you can see above, we are happy to answer all questions related to HIPAA Web Hosting plans.  HIPAA compliant hosting is a significant area of focus for us at Atlantic.Net, so our established expertise allows us to guide you toward the right decision.

Contact us now to explore your options!

By Moazzam Adnan
