In our Real World Scenario (RWS) series, we review interactions between our consultants and clients considering various hosting options. One of our specialized focus points is healthcare IT, so our RWS articles have covered numerous situations in which medical organizations – practices, plans, or data clearinghouses – seek solutions that meet their needs.
Specifically, these companies need hosting environments that fully comply with the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA. The vast majority of our information related to this topic is organized through a recently published (April 2014) HIPAA Server Master Index.
This Real World Scenario installment is in two parts (pages), outlining a client's interest in a dedicated server infrastructure. A transcript based on the conversation between the client and our consultant appears below. Following the transcript (on the second page of the article), we will assess a few of the key terms used by the two parties.
In need of a HIPAA dedicated solution
Client: We are looking for dedicated servers for a HIPAA compliant service. Following are our specifications:
- Server: Dual Processor Quad Core Xeon 5520 – 2.26 GHz (Nehalem) – 2 x 8 MB cache w/HT
- Operating System: Windows Server 2012 R2 Standard Edition (64 bit)
- RAM: 12 GB DDR3 Registered 1333
- Disk Controller: RAID
- First Hard Drive: 150 GB SATA Raptor 10k
- Second Hard Drive: 150 GB SATA Raptor 10k
- (4) Hard Drives: 4.00 TB SATA III
- Public Bandwidth: 20000 GB Bandwidth
- Uplink Port Speeds: 100 Mbps Public & Private Networks
- Remote Management: Reboot / KVM over IP
- Primary IP Addresses: 1 IP Address
- Public Secondary IP Addresses: 8 Public IP Addresses
- Power Supply: Redundant Power Supplies
- Anti-Virus & Spyware Protection
- 100 Mbps Hardware Firewall.
Please send your quote ASAP. Thank you.
Consultant: Thank you for contacting Atlantic.Net concerning your hosting requirements. Attached you will find the official pricing proposal based on the specifications you have provided. We no longer use Dual Quad Core Xeon Processors because the Dual E5 Processors are of equal price and significantly more robust. We no longer provide Raptor Hard Drives, so we have included (2) Cachecade 240 GB SSD drives.
We have also included the supporting documents that will detail the following services for this HIPAA compliant platform:
- Business Associate Agreement (BAA)
- Fully Managed Daily Backup
- Fully Managed Hardware Firewall w/ Managed VPNs
- Intrusion Detection System with Log Management and Log Monitoring.
These are the highlights of our proposal:
- Fully Managed Hardware Firewall with Intrusion Detection and Log Management / Monitoring. Also (5) encrypted, managed VPNs
- Fully Managed Daily Backup for all files and databases
- Dual E5 Hex Core Xeon Processors w/ HT / 16 GB of RAM / 2 x 240 GB SSD Cachecade / 4 x 4 TB ES3 Enterprise SATA RAIDed
- 20 TB of monthly data transfer with a 1 Gbps Port
- 24 x 7 x 365 Technical Support by phone or email
- 100% Uptime SLA
- Business Associate Agreement (BAA)
- This Private HIPAA hosting platform will be located in an SSAE 16 audited data center
- Trend Micro Deep Security
If you would like to set up a call to go over our proposal, please send me the number to contact you; or send us any questions you may have concerning the proposal.
Client: Good afternoon. Thank you for sending us the pricing proposal. We have received the documents. Could you also send us copies of your audit reports for HIPAA and SSAE 16?
Consultant: Attached is a copy of our SSAE 16 report. I have asked our legal department to provide feedback concerning your question about the HIPAA audit report. I will send you their response as soon as I have it.
Client: I have received the SSAE 16 report, but it is for the period of July 1, 2012, to June 30, 2013. I just wanted to check if you have an updated one. Thank you very much.
Consultant: The SSAE 16 audits are completed in arrears. The next one will be completed by June 30 of this year. If a customer requires a certification that the data center is still in compliance while the new audit is being completed, we then issue a Bridge Letter. Bridge Letters can only be issued to existing customers.
[Client calls Consultant, and they further discuss options.]
Consultant: It was nice talking with you. I have updated the proposal based on our conversation. I added a second server, and I separated the bandwidth cost, demarcating it as its own line item.
[Continued on the second page.]
Atlantic.Net has been in business for 20 years and has been offering fully customizable healthcare HIPAA compliance solutions for half a decade. See our HIPAA Compliant Hosting options to learn more about this topic and how we can be of assistance.