HIPAA Compliant Hosting for a Web Application – A Real World Scenario

by Sam Guiliano (86 posts) under Healthcare IT

Comic: comparison of PHI to phi (the golden ratio)

Medical organizations – including healthcare practitioners, plans, and clearinghouses – are considered covered entities under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was enacted to safeguard the security and privacy of patients' protected health information (PHI). Healthcare companies must comply with the law to avoid hefty fines, and they may choose to work with HIPAA compliant business associates, such as web hosting companies.

Just as with any aspect of business, not all IT infrastructure needs are the same. Medical companies require HIPAA compliant solutions for a wide variety of scenarios. A storage environment, a real-time backup system, or a general website solution might be needed. A healthcare company might also want to run an application, with all PHI expertly and redundantly secured.

We offer broad information about HIPAA on our site and have covered the topic regularly on our blog. We also occasionally report scenarios based on actual interactions between our hosting consultants and new customers in this “Real World Scenario” series. Today, we will discuss a client’s request for a HIPAA compliant web application environment.

HIPAA compliant application hosting

Client: We are looking for an appropriate, HIPAA-compliant hosting solution for a product that will involve providing a web application and web service interface for users to save and maintain [omitted for customer privacy] data. Do you have existing customers that have similar products?

Consultant: We provide HIPAA compliant hosting platforms for our customers based on individual specifications. We cannot provide you with specific information concerning what our customers are hosting because we have NDAs in place for all of our customers. Here is a case study on one customer, though.

Client: How are you prepared to demonstrate to us that you are following HIPAA hosting compliance?

Consultant: We provide HIPAA compliant platforms, and our healthcare customers host their services on the platform. We have attached a document that will provide you with the smallest environment we can provide based on both a Linux and Windows operating system. The platform has all of the components that are required under the law.

Client: How long have you been following HIPAA compliance?

Consultant: We have been hosting compliant healthcare platforms for over 5 years and we have been in business for 21 years. We have also attached a copy of our Business Associate Agreement for your review. Please list any other specific requirements that you require. We are also available for a conference call if you wish to discuss your needs by phone.

Client: Thanks for your quick response. We want to run an ASP.NET web application and a WCF web service on the hosted web server, and we expect to connect to a hosted SQL Server instance – all of which necessitate a Windows platform.

Consultant: I have attached the formal proposal. It is based on a Windows Hosted Platform. You have a choice of using either Windows Standard 2008 R2 or Windows Standard 2012 R2 as the operating system. If you would like the pricing for MS SQL we will need to know what version you require. You also have the choice of using your own MS SQL license, if you own one.

Client: The difference between virtualized and non-virtualized is unclear to us for our solution – what advantage through your hosting is gained by using a non-virtualized platform as opposed to a virtualized one?

Consultant: The advantage of using a Virtualized system is that we can create two Virtual Machines on one server. One would be the Web Server and the other one would be the SQL server. This would save you money, because you then do not have to deploy individual hardware for each application. Because you are using MS SQL, the one server will need to be a high performance platform, or you will not be able to operate properly. This means that we will need to maximize the amount of RAM at 32 GB, provide four hard drives in a RAID 10 configuration with a High Performance LSI 9260 RAID Card.

Client: Our total storage should initially require 200 Gigabytes at most (not including any backups).

Consultant: In order to create the Web and SQL Virtual Machines on the same server, we will need to use a RAID 10 configuration for the hard drives. This means that we will need to use (4) 500 GB hard drives, so you will have 1 TB of storage space available to you – the smallest amount of storage capacity that we will be able to provide with this configuration. The Fully Managed Daily Backup that we provide is not conducted on your server. We complete and store the backups on an external storage device and offer redundant backup on our SSD Cloud Server platforms.

We have similar conversations every day, as a trusted HIPAA Compliant Hosting provider that serves medical companies including Complete Healthcare Solutions. If you need to discuss any HIPAA compliant IT needs, our hosting consultants are available 24/7 to answer any questions. Fully customized solutions are available.

Comic words by Kent Roberts & art by Leena Cruz.
