HIPAA Web/Database Hosting Solution – A Real World Scenario

[Comic: HIPAA humor, PHI]

Healthcare companies must be in full compliance with federal regulations in order to avoid fines. The Health Insurance Portability and Accountability Act (HIPAA) contains provisions governing the handling of protected health information (PHI) by healthcare plans, clearinghouses, and practices. Title II of the act includes a Privacy Rule and a Security Rule, which are of special concern to covered entities when they work with business associates, such as web hosting companies, on their IT architectures.

Along with the general information we provide elsewhere on our site about the act, we have previously reviewed requests for compliant healthcare solutions in our Real World Scenario series. The series shares common situations experienced by our customers: the dialogues are based on actual interactions between our hosting consultants and clients. The installment below explores an additional HIPAA request, to give a further sense of how a 100% compliant system is put together.

HIPAA hosting solution Q & A

Client: Hello, I need to obtain a price quote on a web/database platform that will be HIPAA Compliant Hosting and support the following resources:

Web Server

  • Windows 2008 R2
  • 1 CPU
  • 4GB RAM
  • Drive 1 – minimum 60GB HD
  • Drive 2 – minimum 100GB HD
  • SSL Certificate.

Database Server

  • Windows 2008 R2
  • 1 CPU
  • 4GB RAM
  • Drive 1 – minimum 60GB HD
  • Drive 2 – minimum 100GB HD
  • SQL Server 2008 R2.

Disaster Recovery

  • Web/Database Server
  • Windows 2008 R2
  • 1 CPU
  • 4GB RAM
  • Drive 1 – minimum 60GB HD
  • Drive 2 – minimum 100GB HD
  • SSL Certificate
  • SQL Server 2008 R2.

Consultant: Thank you for contacting Atlantic.Net. The only questions we have are as follows:

  1. Will you be providing the SQL license?
  2. Will you be providing the SSL certificate?

Client: Yes, we have a license for the SQL Server. We do not have an active SSL certificate, though. Please include one in the plan you are recommending.

Consultant: Attached, you will find our formal proposal. Note that the SQL license is not included, but an SSL certificate is. We have also attached a document detailing our hardware firewall and intrusion detection system (IDS), along with a copy of our business associate agreement (BAA) for your review. Here are the highlights of our proposal:

  1. Windows Enterprise 2008 R2 Operating System – which will allow for the creation of up to (4) virtual machines, one more than you require
  2. Dual Core i3-3220 processor with Hyperthreading (which will provide you with 4 virtual cores to work with for the VMs) / 32 GB of RAM / 1 TB of RAIDed Storage Space
  3. Fully Managed Hardware Firewall w/ 5 encrypted VPNs
  4. Intrusion Detection System with Log Management
  5. Fully Managed Daily Backup – files / database / VM snapshots
  6. 3220 3.3 GHz Dual Core w/HT 32 GB of RAM – 2 X 1TB
  7. SATA 3 Black RAID 1
  8. LSI 9240 RAID Card 1
  9. 10 TB of Monthly Data Transfer
  10. 100 Mbps Port Multi-Homed Bandwidth
  11. SSL Certificate
  12. 16 IPs
  13. Private Hosting Platform
  14. Mail
  15. 24 X 7 X 365 Live Technical Support by Phone or Email
  16. 100% uptime SLA on all of the services we are providing
  17. Business Associate Agreement (BAA) for HIPAA compliance (based on the inclusion of all the hosting components we have listed)
  18. 12- and 24-month term pricing.

Please let us know if anything needs clarification or if you have any further questions.

Client: I’ve noticed that you have SSAE 16 (SOC 1) Type II certification listed as one of your HIPAA attributes. How is that relevant to healthcare computing?

Consultant: That certification is from the Statements on Standards for Attestation Engagements (SSAE), the protocols and parameters of which are designed and revised by the American Institute of Certified Public Accountants (AICPA). It’s a set of auditing guidelines that verifies the integrity of our infrastructure and the mechanisms in place to avoid breach and/or corruption. It generally validates our security.

Client: Okay, I’m also just curious what type of SSL certificate you will purchase and install on our behalf.

Consultant: We use GeoTrust. A 2010 Netcraft survey revealed that SSL certificates provided by GeoTrust are used more than any other brand among the Alexa 1 million (the 1 million sites that receive the most unique visits annually). GeoTrust QuickSSL Premium certificates are also backed by a $500,000 USD warranty.

Client: Thank you for the assistance. I have submitted the BAA to our lawyer and will reach out to you as I know more.

Affordable solutions for healthcare IT

Healthcare organizations' need to achieve HIPAA compliance calls for specialized care from a hosting service. In business for two decades and serving medical organizations with their regulatory concerns for five years, Atlantic.Net has the experience to meet your needs with an SSD Cloud Server, so that your patients' PHI remains secure and private at all times.

By Kent Roberts; comic words by Kent Roberts & art by Leena Cruz.
