Comic: comparison of PHI to phi (the golden ratio)


This interaction between a hosting consultant and client, a two-part installment of our “Real World Scenario” series, continues from the previous post. The client is getting answers to questions regarding an HIPAA compliant web hosted application environment.

Client: Our maximum number of users initially will not exceed 200 – we expect there to be very few users at the outset.

Consultant: This system will be able to handle 200 users with no problem and most likely twice that amount, depending how much total Storage Space you will require in the future. It is simple to add more Storage Space when you need it.

Client: Per our limited understanding of HIPAA, we expect that separate servers for the data (SQL) and the web server will be necessary (but correct us if that is not the case).

Consultant: You will have separate servers, but they will be set up as Virtual Machines on one physical server.

Client: We also understand that an SSL certificate is required on the web server for the web service and web application to encrypt data at the transport layer.

Consultant: That’s correct. We have included pricing for the SSL certificate. The certificate is $150.00. $125.00 of it is the annual fee for the certificate, and $25.00 is a setup fee. We use GeoTrust to provide the SSL certificate, but if you want to use someone else and can find better pricing, you are welcome to provide your own SSL. Either way, we will install the SSL certificate for you.

Client: Do we need to use Transparent Data Encryption on the database? Or do you believe that the server on which our SQL Server database resides will already be sufficiently protected with regard to HIPAA?

Consultant: We are unable to answer this question, because we are unaware of what security protocols your company has in place for their applications, databases, and systems. The majority of our clients do not use TDE on their DBs.

Client: What kind of connections/transactions should we track for the purposes of HIPAA? How much tracking can be done through the host’s provided system, and how much should be done through our own application code?

Consultant: We provide logs that are necessary for the devices within our HIPAA compliant systems.  However, we are unable to answer the question completely, because we do not have complete knowledge of your specific application. Please supply us with more information on your systems, and we will provide specific information that fits your needs.

These are the highlights of our proposal, and what we have proposed is the least expensive solution we can provide that will meet your requirements. HIPAA requires all of below components in order to host in a HIPAA compliant environment:

  1. Fully Managed Hardware Firewall with Intrusion Detection and Log Management / Log Monitoring. Also ( 5 ) encrypted managed VPN’s
  2. Fully Managed Daily Backup for all files and databases
  3. Private Server Hardware with 32 GB of RAM and 1 TB of Storage, configured in a mirrored RAID 10 configuration
  4. 10 TB of Monthly data transfer with a 100 Mbps Port
  5. 24 X 7 X 365 Technical Support by Phone or email
  6. 100% Uptime SLA (Service Level Agreement)
  7. Business Associate Agreement
  8. This Private HIPAA hosting platform will be in an SSAE 16 SOC II audited data center
  9. SSL certificate
  10. Kapersky Anti-Virus.

I have also attached the document that details our Fully Managed Hardware Firewall, Intrusion Detection System, and Fully Managed Daily Backup.

Client: How can you guarantee 100% uptime? Aren’t there situations in which the system will inevitably go down?

Consultant: Our 100% uptime SLA expresses two commitments:

  • Belief in our environments: We believe so strongly in our core infrastructure and the solutions we design for our clients – the levels of redundancy in our networks – that we know downtime will be an extremely rare occurrence.
  • Belief that any downtime is unacceptable: For any of our dedicated hosting solutions, if it takes us more than a short window of time to resolve any issue once a trouble ticket is opened, we will start refunding your monthly fee. Full details are available in our SLA.

Client: Thank you for answering all my questions. I will have the Business Associate Agreement to you later today. Take care.

Consultant: Thank you for using Atlantic.Net for your hosting needs. Please let us know if you have any further questions.


If you are looking for a HIPAA Compliant Hosting solution, Atlantic.Net has the expertise and conscientiousness to guide you through the process. We have many years of experience with healthcare compliance and a business track-record spanning three decades. Our solutions are characterized by  peace-of-mind, based on our extensive knowledge of IT hosting and 24/7 live support.

Comic words by Kent Roberts & art by Leena Cruz.