Atlantic.Net Blog

HIPAA Questions Answered – A Real World Scenario

Sam Guiliano
by Atlantic.Net (86 posts) under HIPAA Compliant Hosting

HIPAA Questions Answered

Topics: Cyber Liability Insurance, Patching, Disaster Recovery, Encryption at Rest & Data Destruction

Healthcare companies around the United States know that they must meet the standards of two landmark pieces of healthcare legislation, HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act of 2009). Although of course many healthcare providers, plans, and data clearinghouses care about the privacy and security of their patient information, these regulations sought (in part) to make failing to protect sensitive medical data extremely unattractive.

With HIPAA, healthcare organizations now have an additional incentive beyond medical ethics to safeguard their patients’ data, especially in electronic form: avoiding fines. According to the American Medical Association (AMA), fines can be as much as $50,000 per violation, with total annual fines per organization capped at $1.5 million.

The statistics from the Health & Human Services (HHS) Department suggest a crackdown from this major branch of the federal government reminiscent of the huge quantity of car recalls in 2014, a record-breaking year for the National Highway Traffic Safety Administration (NHTSA).

A look at the numbers – total violations resolved by HHS

  • 2004 – 4,799 resolutions
  • 2009 – 8,106 resolutions
  • 2013 – 14,300 resolutions.

Clearly these numbers are rising. Furthermore, it’s just the beginning: Law360 reported on June 12, 2014, that a senior attorney with the HHS promised “aggressive punishment” for any violations. Jerome B. Meites, who is a top regional civil rights attorney for the agency, told attendees of an American Bar Association meeting held in Chicago that the HHS was planning to increase its efforts to police the healthcare industry and uphold consumer rights.

Regardless of anyone’s opinions on the law, healthcare companies should be concerned with HIPAA, and they should have lots of questions for any company they are considering as a business associate (such as a hosting service). Here is a real-world scenario in which one of our clients, the CEO of a medical laboratory on the market for a HIPAA package, asked one of our hosting consultants for pertinent information.

Real world scenario – HIPAA for healthcare lab


I am the COO of a small laboratory. We currently have two Windows servers. One is running IIS and hosts around a dozen websites that use a maximum of 1-2 MB of throughput per day. We also have 3 SQL Server Express databases that will NEVER go beyond the 10GB limit. What would be our total monthly cost using the HIPAA Starter Package? Thanks.


Thank you for contacting Atlantic.Net. Based on your requirement for a separate SQL Server Express database server, we will have to increase the amount of RAM in the dedicated server in order to create (2) VMs inside the dedicated server.

I have attached the formal proposal. The pricing is the Starter Package pricing along with the extra RAM that is required to virtualize the server into (2) VMs. Also attached are the following supporting documents:

  1. Fully Managed Hardware Firewall
  2. Encrypted VPNs
  3. Intrusion Detection System
  4. HIPAA Business Associate Agreement (BAA).

An overview of the technology is as follows:

  • Fully Managed Hardware Firewall w/ 5 VPNs
  • Intrusion Detection System / Log Management / Log Monitoring
  • Windows Standard 2012 R2
  • Hypervisor: Hyper-V
  • Core i3-3240 Dual Core 3.4 GHz w/HT
  • 24 GB of RAM
  • 2 x 160 GB SATA 3, RAID 1
  • LSI Hardware RAID Card
  • (2) VMs
  • 10 TB of Monthly Data Transfer with a 100 Mbps Port
  • 100% Uptime SLA (service level agreement)
  • MS SQL Server Express
  • 24x7x365 support by live phone or email.

Do you have any questions pertaining to this HIPAA Hosting proposal?


A colleague of mine has advised me to ask how Atlantic.Net handles the following:

  • Cyber Liability Insurance
  • Patching
  • Disaster Recovery
  • Encryption at Rest
  • Data Destruction.


Here are the answers to your questions:

Cyber Liability Insurance

We have cyber liability insurance through a major insurance carrier.

Patching

There are two options:

  1. You can do your own patching.
  2. You can purchase our fully managed hosting package, which is an extra $100.00 per month. We would perform the patches, along with additional managed services. I have attached the Managed Hosting Package document for your review.

Disaster Recovery

I have attached our DR plan for your review.

Encryption at Rest

Some customers require encryption at rest and others do not. The Starter Package has SATA (serial ATA) hard drives that are not encrypted, but you can substitute Encrypted At Rest hard drives for an extra charge. The smallest Encrypted At Rest hard drives are 1 TB SAS (serial attached SCSI) drives. Those drives would increase the cost of the Starter Package by $25.00 per month.

Data Destruction

All used or damaged equipment is destroyed, and all hard drives have the data removed before their destruction. This is in accordance with HIPAA regulations.

Choosing your business associates wisely

We love it when our customers and potential customers ask us questions. It’s an opportunity to provide evidence that we are widely knowledgeable on the protection of PHI (protected health information) and technology systems in general. We have been in business since 1994. One of our healthcare clients, Complete Healthcare Solutions, said they chose us for our “secure infrastructure and expertise in healthcare IT.” Explore your HIPAA Compliant Hosting options along with our full line of Cloud Hosting Solutions.
