Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is mandatory for a wide variety of medical organizations. Covered entities to which the law applies include healthcare providers, health plans, and healthcare clearinghouses. Covered entities may engage third parties, termed business associates, that create, receive, store or transmit protected health information (PHI) on their behalf; a hosting provider that stores PHI is one such business associate, and the relationship must be governed by a business associate agreement (BAA).
We have written a number of blog posts on HIPAA compliance to spread knowledge on the subject, and we have a broad spectrum of HIPAA information elsewhere on our site. All of that material is intended to give a general idea of how to achieve compliance. A real-world scenario, however, can show what the search for HIPAA compliant hosting actually looks like for an individual organization. The dialogue below is based on an actual interaction between a new client and a hosting consultant.
HIPAA Compliance: healthcare firm seeks assistance
Client: I am looking for HIPAA compliant hosting. My business is a startup and requires a bare-bones solution upfront. Then we will scale it as needed.
Consultant: Do you need Linux or Windows?
Client: Windows, outfitted with SQL Server Express.
Consultant: Below are the basics of our proposal for the smallest Windows HIPAA Compliant Server hosting we have available, which has 500 GB of storage. Note that Microsoft SQL Server Express is included with the package at no additional charge.
- Windows-based / dual-core processor with Hyper-Threading / 4 GB of RAM (expandable to 32 GB) / 2 x 500 GB SATA hard drives set up in a RAID (redundant array of independent disks) 1 configuration
- Fully Managed Hardware Firewall with five (5) encrypted VPNs (virtual private networks)
- Fully Managed Daily Backup of all files and databases
- 10 TB of Monthly data transfer with a 1 Gbps Port
- 100% uptime SLA (service level agreement)
- 24/7/365 Technical support by phone or email
- SSAE 16 (SOC 1) Type II audited data center (stronger security parameters than are required for HIPAA).
Client: Your proposal lists two hard drives, each with 500 GB. Does that mean 1 TB?
Consultant: The two hard drives are set up in RAID 1 configuration, which is the standard configuration for Windows hosting. One of the drives mirrors the other, for redundancy. That gives you a total of 500 GB.
Client: Can you provide a discount on the price? We only want a small package for now but will likely be increasing its size, possibly even next month.
Consultant: You can be billed each month if you want, but it is more cost-effective to choose a 12-month or 24-month term. Unfortunately, we cannot discount any month-to-month plan.
Client: What healthcare organizations currently use your HIPAA compliant services? I’m concerned about credibility.
Consultant: We have been in business for two decades and have a wide variety of HIPAA clients. We are ultimately concerned with customer privacy, but a few of our customers have given us permission to use them as references. Complete HealthCare Solutions, one of the largest healthcare providers in the northeastern United States, is one such organization. You are welcome to contact them.
Client: To what extent will we be able to adjust the system’s resources as we grow?
Consultant: The hardware in the above proposal can be expanded to 32 GB of RAM and 3 TB of storage capacity. You can upgrade the bandwidth as well. However, keep in mind that 10 TB of monthly data transfer is equivalent to 30 Mbps (megabits per second), a substantial amount at the outset.
If you grow too big for this infrastructure, we will recommend a larger hosting environment. Don’t worry about contracts if you need to expand your system. We understand that customers need to grow, and we are always willing to work with them. With this plan, you can keep your cost low at the start without having to migrate to a platform that is too sizable for your immediate needs.
Client: Do you handle migration, or how does that work?
Consultant: We can assist with the migration, but that is completed by our engineering department through an hourly consulting agreement. If you want, I can have them contact you to provide a quote for migration.
If you decide to proceed, this is the information I’ll need for the business associate agreement:
- Full company name
- Billing address
- Tax ID number (if readily available)
- State of incorporation (if readily available)
- Name, phone number, and email address for primary, billing, and technical contacts.
Client: I understand that we need to have a log of our activities in order to be HIPAA compliant. Does this package include log management?
Consultant: Yes, it does.
Client: Okay, I’m ready to move forward. I’m sending the BAA to my attorney to review. I will get back to you as soon as I hear back from him. How long does it take for you to set up the environment? Is one week good enough?
Consultant: Yes, that should be fine. Please let me know if you have any further questions.
Atlantic.Net can answer all your HIPAA compliance questions as well. Contact our highly trained and experienced team of consultants to request a quote for a HIPAA Server solution today.
Comic words by Kent Roberts and art by Leena Cruz.