HIPAA Hosting Plans Comparison: Three Options

In the healthcare industry, the need for regulatory compliance can sometimes feel daunting. As with anything that requires a sophisticated solution, you may find yourself unsure of how to get started.

We have some ideas to make your HIPAA architecture selection process easy and smooth. We will not go into the technical complexities to keep our discussion streamlined.

When colocation makes sense

If you are a healthcare provider already in business and looking to become compliant with HIPAA, one option is to colocate your servers at an SSAE 16 Type II (Statement on Standards for Attestation Engagements 16 Type II) certified data center.

Colocation is a basic idea: bring in your servers; and take advantage of a professional data center’s physical environment and HIPAA compliance knowledge.

Once you have transferred your machines to the colocation facility, you need to implement the following technologies that characterize a multiply redundant and ultra-secure data environment. Together these technologies, built into an expertly engineered computing environment, will meet and exceed HIPAA expectations (although, as you know, securing PHI goes beyond the technology to the actions of your workforce, hardcopy paperwork, and nonelectronic communication):

• daily backup
• antivirus subscription
• firewall
• intrusion detection system
• log management
• virtual private network (VPN)
• dedicated IP address
• business associate agreement (BAA).

If you choose this option for compliance, you will lease space in a cabinet ranging from 1U to 42U (with the latter representing a standard complete rack that has room for 6 feet of hardware); you might even need multiple cabinets or a private cage. You will pay for the space. The colocation company will provide the cabinet/cages. You’ll be responsible for power expenses, though. You should consider getting dual power feeds – alternately called A-side/B-side, A+B, A&B, and A/B – if your budget permits. Along with the power, you will be paying for bandwidth monthly.

When vanilla servers make sense

If your servers have a few years on them and need upgrading, or if you have a new project, there is no point in fronting the CAPX (capital expense). Use those funds instead to improve your applications and hire more people to excel in your specific applications. In other words, look into a hosting plan.

When you sign up for a hosting service, rather than going out and accruing assets for your company, you’ll be leasing servers. There is no capital investment on your books, which is a wise choice to lower your company’s taxes. Our recommendation is to lease the servers with no buyout option (in other words, straight leasing rather than “lease-to-own”).

When you choose to lease, you can get vanilla servers with no management. Just make sure the hardware is in a secure, SSAE 16 certified facility. Then make sure that all of the technologies from the bullet list in the colocation section are deployed, configured, and enabled.

A hosting package includes the space, power, and Internet (the extra expenses from the above option) as components of the contracted services.

When HIPAA-ready servers make sense

If you want to allow your HIPAA technology partner to assist you with creating a “by-the-book” environment, you can use leased servers that are already HIPAA compliant and audited.

This option, as with the vanilla servers described above, includes space, power, and Internet for the contracted services. It also includes some management.

Examples of HIPAA-ready servers

Since this option is prepackaged, unlike using your own servers with colocation or using unmanaged vanilla servers, it deserves further discussion via example.

Here is what we standardly provide, which primarily reflects the requirements of the bullet list above, adding management:

• Daily Backups
• Trend Micro Deep Security
• Atlantic.Net Managed Firewall
• Atlantic.Net Managed IDS/IPS
• Log Management
• VPN
• Dedicated IP Address
• Business Associate Agreement

Our plan offerings are as follows:

1. HIPAA Starter Packages – This plan type includes everything you need for a computer server with HIPAA compliance. However, it does not include encrypted storage and backup. This option can help you save money if you are on a tight budget. You can always set up backup at another location cost-effectively (provided that the facility meets compliance requirements).
2. Affordable HIPAA Packages – This category of plans includes everything you need for a computer server with HIPAA compliance. In this case, backup is included. However, it does not include encrypted storage.
3. HIPAA Self-Encrypting Storage Packages – These plans include everything you need for a computer server with HIPAA compliance. It also includes encrypted storage and backup. This approach can help you save management costs and meets all requirements, with no exceptions.

In business since 1994, Atlantic.Net has a long history of providing high-quality solutions tailored to specific industries. We have offered HIPAA Compliant Hosting solutions for five years and many other VPS Hosting solutions. Joseph Nompleggi, the VP of Product Development for Complete Healthcare Solutions, commented that our “financial strength and proven track record are something we view with great confidence.” Get started today!