This is the conclusion of our two-part series on HIPAA compliance for health plans, providers, and clearinghouses. We pick up with the remaining two of the six common questions, followed by two "snapshot tutorials" for those preparing to deploy HIPAA-compliant systems.
5. What is the monthly cost of HIPAA-compliant servers?
HIPAA-compliant servers are available at a wide range of prices across the industry. A brief description of our entry-level dedicated server packages gives a sense of the basic technologies involved and their monthly price. If you need multiple servers, a single dedicated server can be divided into several private cloud servers, which keeps the environment single-tenant (and therefore compliant) while lowering your cost.
As with any hosting, the two primary operating systems for HIPAA-compliant environments are Linux and Windows. Healthcare companies don't all have the same needs, but the following hardware (security features are listed separately) is included in our standard "starter" package for each OS, at a fixed monthly price based on a 24-month agreement:
- Dedicated Server – Intel Core i3-3220 dual-core 3.3 GHz with Hyper-Threading
- 4 GB of RAM
- 160 GB of Storage
- 10 TB of Monthly Data Transfer with a 100 Mbps Port
- 2 IP Addresses
The following security features are included as standard in these packages, whether Linux or Windows:
- Total Private Hosting Environment
- Intrusion Detection System (IDS)
- Managed Firewall
- Five Virtual Private Networks (VPNs)
Each system also includes a Business Associate Agreement (BAA), the contract HIPAA requires between a covered entity (the healthcare organization) and any business associate (a third party such as a hosting provider) that creates, receives, maintains, or transmits PHI on its behalf. The BAA spells out our roles and responsibilities for the data we handle.
The monthly price for the Linux system is $260.36 USD; for the Windows system it is $275.69 USD. Trend Micro Deep Security and SSL/TLS certificates (GeoTrust) are available separately through our sales team.
6. How much should I pay for a HIPAA app server?
The scenario in question #5 gives you a base price, and you could run a compliant application in either OS environment. An application server can be dedicated or virtual (one of a few cloud servers, as described below). The fundamental requirement is that the system be fully private (single-tenant) and protected by the security tools listed above.
The standard design of a HIPAA virtual environment consists of three machines: a web server, a database server, and an application server. You could instead give each function its own dedicated machine, though that costs more. Because the environment must be entirely private, the starting price is the same as listed above: $260.36 USD for Linux and $275.69 USD for Windows (see question #5 for the system details and further pricing parameters).
Two Snapshot Tutorials
1. How to make a HIPAA compliant website
If you want your website to be HIPAA compliant, you need to protect all of its data, and specifically protected health information (PHI), with current standard security technologies. These are the technical safeguards; a covered entity still owns its own risk analysis, written policies, and workforce training, which no hosting package supplies. The best path is the following:
- Sign a business associate agreement (BAA) with a trusted hosting provider (see “Choosing a provider” below).
- Create your hosting environment so that the developer has immediate access to install applications, upload files, test usability, and perform other tasks. The hosting environment must include TLS/SSL certificates (the protocol in use today is TLS; SSL itself is deprecated and should be disabled), encrypted virtual private networks (VPNs), a dedicated firewall, two-factor authentication, a managed intrusion detection system with log management, and anti-virus protection.
- Many healthcare companies prefer an all-Windows environment for application compatibility and vendor-supplied updates and security patches. Linux is popular as well, because of the control it offers and continual improvement by an open-source community. The typical basis for development in a Linux environment is a LAMP stack, a bundle of Linux (operating system), Apache (web server), MySQL (database), and PHP (application language), with day-to-day administration through cPanel or an alternative control panel.
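The "TLS certificate" requirement above is only met if the web server actually refuses to serve PHI over plain HTTP and over obsolete protocol versions. The following Apache 2.4 virtual host configuration, added here as an example and not taken from the original page or from any provider's build, shows a weak setup beside a hardened one for a LAMP portal. The host name, document root and certificate paths are hypothetical, and it assumes mod_ssl and mod_headers are enabled and the OpenSSL build supports TLS 1.3 (Apache 2.4.36 or later).

```apache
# --- Weak (do not deploy): PHI reachable over plain HTTP; old TLS versions still accepted ---
<VirtualHost *:80>
    ServerName   portal.example-clinic.test
    DocumentRoot /var/www/portal
</VirtualHost>

<VirtualHost *:443>
    ServerName   portal.example-clinic.test
    DocumentRoot /var/www/portal
    SSLEngine    on
    SSLCertificateFile    /etc/ssl/certs/portal.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.key
    SSLProtocol  all        # still permits TLS 1.0/1.1 (and SSLv3 on older builds)
</VirtualHost>

# --- Hardened: port 80 only redirects; port 443 enforces TLS 1.2+, HSTS and no caching ---
<VirtualHost *:80>
    ServerName portal.example-clinic.test
    # Every request, including API calls, is bounced to HTTPS before any PHI is sent
    Redirect permanent / https://portal.example-clinic.test/
</VirtualHost>

<VirtualHost *:443>
    ServerName   portal.example-clinic.test
    DocumentRoot /var/www/portal

    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/portal.crt     # leaf + intermediate chain in one file
    SSLCertificateKeyFile /etc/ssl/private/portal.key
    SSLProtocol           -all +TLSv1.2 +TLSv1.3        # SSLv3, TLS 1.0 and 1.1 disabled
    SSLCipherSuite        ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder   on
    SSLCompression        off

    # Browsers remember to use HTTPS for a year; pages with PHI are never cached on disk
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Cache-Control "no-store"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"

    # Per-request logs feed the IDS / log-management requirement
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\"" portal
    CustomLog ${APACHE_LOG_DIR}/portal-access.log portal
    ErrorLog  ${APACHE_LOG_DIR}/portal-error.log
</VirtualHost>
```

Run `apachectl configtest` before reloading, and check the result from outside the VPN: a plain `http://` request must answer 301 to the `https://` URL, and a client forcing TLS 1.0 must fail the handshake. `Cache-Control: no-store` applies to the whole host here; relax it for static assets only if they can never contain PHI.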
2. How to become HIPAA compliant with software
To make your software HIPAA compliant, the concern is essentially the same as when building a website (see #1 above): the patient data, the PHI (protected health information), must be fully secured in transit and at rest. Your basic steps are as follows:
- Sign a business associate agreement (BAA) with a trusted hosting provider (see “Choosing a provider” below).
- Create your hosting environment, which must include TLS/SSL certificates (TLS is the current protocol; SSL should be disabled), encrypted virtual private networks (VPNs), a dedicated firewall, two-factor authentication, a managed intrusion detection system with log management, and anti-virus protection.
- Begin development. If the software already exists, migrate the application and its data into the new system over encrypted channels only (SSH, SFTP, rsync over SSH, or through the VPN), never over plain FTP or HTTP, and verify the integrity of what arrives so that the PHI is safeguarded throughout.
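The migration step above is where PHI most often leaks in practice (a database dump copied over FTP, or a tarball left in a world-readable directory). The following shell script is an added example, not from the original page or from any provider, of moving an application tree and a database dump onto the new host over SSH only, with a SHA-256 manifest that is checked again on the destination. The host name, SSH user, paths and the database name `appdb` are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example: SSH-only migration of an app tree + DB dump with end-to-end integrity check.
# Hypothetical: host hipaa-app01.example.net, user "deploy", paths /srv/app, database "appdb".
set -eu

SRC_DIR="${SRC_DIR:-/srv/app}"                       # application on the old host
REMOTE="${REMOTE:-deploy@hipaa-app01.example.net}"   # new host, reachable only over SSH/VPN
REMOTE_DIR="${REMOTE_DIR:-/srv/app}"
DB_NAME="${DB_NAME:-appdb}"

# Use whichever SHA-256 tool the platform ships (GNU coreutils or Perl shasum).
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# make_manifest DIR OUT: hash every regular file under DIR (paths relative to DIR) into OUT,
# in the "hash  ./path" format that sha256sum/shasum --check reads back.
make_manifest() {
  dir="$1"; out="$2"
  ( cd "$dir" && find . -type f ! -name "$(basename "$out")" -exec $(sha256_cmd) {} + ) > "$out"
}

# verify_manifest DIR MANIFEST: exits non-zero if any listed file is missing or altered.
verify_manifest() {
  dir="$1"; manifest="$2"
  ( cd "$dir" && $(sha256_cmd) --check --quiet "$manifest" )
}

migrate() {
  work="$(mktemp -d)"
  # 1. Stage a copy of the app tree plus a compressed DB dump. The dump contains PHI,
  #    so the staging directory should sit on encrypted storage.
  rsync -a "$SRC_DIR/" "$work/app/"
  mysqldump --single-transaction "$DB_NAME" | gzip -9 > "$work/$DB_NAME.sql.gz"

  # 2. Hash everything before it leaves this host.
  make_manifest "$work" "$work/MANIFEST.sha256"

  # 3. Ship it over SSH only (encrypted in transit; the host key must already be trusted,
  #    so an attacker cannot substitute a server on first connect).
  rsync -az -e "ssh -o StrictHostKeyChecking=yes" "$work/" "$REMOTE:$REMOTE_DIR/"

  # 4. Re-check the hashes on the destination; a mismatch aborts the cutover.
  ssh -o StrictHostKeyChecking=yes "$REMOTE" \
      "cd '$REMOTE_DIR' && sha256sum --check --quiet MANIFEST.sha256"

  # 5. Drop the local staging copy (apply your media-sanitisation policy to that disk).
  rm -rf "$work"
}

# Run the migration only when invoked as:  ./migrate.sh run
if [ "${1:-}" = "run" ]; then migrate; fi
```

The manifest functions are the reusable part: run `make_manifest` on the source and `verify_manifest` on the destination after any copy, regardless of the transport, and treat a non-zero exit as a failed migration rather than a warning.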
Choosing a provider
When you select a HIPAA hosting service, choose one that is both experienced and audited by a reputable independent organization. Atlantic.Net has been in business for 20 years, specializing in healthcare compliance for the last 5 years. We own and operate a data center in Orlando, Florida, audited to the SSAE 16 (SOC 1) Type II standard of the American Institute of CPAs (AICPA). We also offer a private cloud server with a 100% uptime guarantee.