Atlantic.Net Blog

HIPAA Compliant Hosting: A Real World Scenario


Most healthcare organizations – including plans, providers, and clearinghouses – must be fully compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One aspect of compliance is contracting with outside specialists that can handle specific data-related responsibilities. These technology partners are experts at hosting compliant websites and applications, serving as business associates (via business associate agreements, or BAAs) for healthcare clients and their affiliates.

To deliver the type of content that will be the most useful to our audience, we (the blog staff) are sent interactions from the sales and customer support departments, which we then convert into articles. These articles, which find common points of interest in day-to-day situations, comprise our Real World Scenario series.

The interaction is between an Atlantic.Net hosting consultant and a client (anonymized) interested in HIPAA compliant hosting for a .NET Web-based application. It took place in May 2014.

Ultra-secure application hosting for PHI

Client: We are looking for HIPAA compliant .NET web-based application Cloud Hosting.

Consultant: Thank you for contacting Atlantic.Net. We need to know how much storage space you require for the data in order to send you a formal proposal.

Client: At this point, the database is small. Can additional storage be allocated on the fly, as we need more?

Consultant: The smallest storage space we can provide to start is 160 GB, and it is very easy to add more storage space when you require it. Attached you will find the formal proposal for the smallest HIPAA compliant hosting platform we can provide. There are three different pricing options: Month to Month / 12 months / 24 months. The following supporting documents are also attached: Fully Managed Hardware Firewall, Fully Managed Daily Backup, Encrypted VPNs, Intrusion Detection System, and Business Associate Agreement for HIPAA.

These are the highlights of the proposal:

  1. Windows Standard 2008 R2 or 2012 R2
  2. Dual-Core Processor / 4 GB of RAM / 160 GB of RAIDed Storage
  3. Fully Managed Hardware Firewall
  4. ( 5 ) Managed VPNs
  5. Intrusion Detection System with Log Management / Log Monitoring
  6. Fully Managed Daily Backup
  7. Anti-Virus Software
  8. 24 X 7 X 365 Live Technical Support (Phone / Email)
  9. 100% Uptime SLA
  10. 10 TB of Monthly Data Transfer with a 100 Mbps Port.

Client: Thanks for your quick response. Can you provide a quote with two servers, one with MS SQL Server Web edition?

Consultant: We can provide ( 2 ) physical servers, or we can provide ( 1 ) physical server with ( 2 ) Virtual machines on it. The Windows Standard edition 2012 R2 license allows us to create ( 2 ) Windows virtual machines inside the ( 1 ) physical server using Hyper-V. This would keep down the cost of the platform because we only need ( 1 ) physical server. The Virtual Machines can be either Windows Standard 2008 R2 or 2012 R2. Are you okay with this solution, or do you require ( 2 ) physical servers?

Client: I would prefer the virtual approach. Can I have a little more powerful server with maybe 8 GB of RAM? Can you create one virtual machine with half the RAM for the Web server and put the SQL server on the base server (physical)?

Consultant: The server will have 16 GB of RAM. 4 GB of RAM is allocated for the Hypervisor, and the rest can be used for the virtual servers. We can assign 8 GB to the virtual database server and 4 GB to the Web server. Because we will be hosting a virtual database server, we will need to create a RAID 10 configuration for the hard drives, and we will need to use a more powerful RAID card. This will provide you with superior performance for the database server.

This is still less expensive than adding another physical server. The updated proposal is attached. Our pricing includes the creation of the ( 2 ) virtual servers but not the ongoing management of the virtual machines. If you want us to manage them on an ongoing basis, the charge is an extra $100.00 per month (regardless of the term of the agreement).

I have attached the document that details the Virtualization hosting package for your review.

Client: I like this. What would be performed for the ongoing management of the virtual machines?

Consultant: Management includes:

  • System networking and virtualization environment – “Up-to-OS” management and support
  • VM Provisioning – VM creation, cloning, and removing
  • System Updates
  • Clustering
  • Replication and Manual Failover
  • Advanced Monitoring
  • Advanced Certifications
  • Additional Virtualization Management Services.

Attached is a PDF document with the information on the Managed Virtualization package. Also attached is the formal updated proposal with the Managed Virtualization Hosting package added to it.

Client: Thanks for your help. I will review with the business internally and let you know when we want to move forward.


Why Atlantic.Net?

Atlantic.Net, in the Internet infrastructure business for 20 years, has won numerous awards since its inception, including acknowledgment from Inc. and Entrepreneur. Developing HIPAA Compliant Hosting solutions for healthcare companies for the last five years, Atlantic.Net can also answer all your questions, just as you see above, through our 24/7 phone and email support staff.
