This article looks at recent high-profile HIPAA violations and then walks through a consultation about hosting a HIPAA-covered database on Microsoft SQL Server on Windows:

Major Violations in Hollywood & the New Year

HIPAA was recently in the news when it was discovered that some of the data compromised by the Guardians of Peace hackers who infiltrated Sony Pictures were protected health information (PHI). Becker’s Health IT & CIO Review noted that the PHI that was accessed “[included] claim appeals submitted to Sony such as diagnosis and disability codes, health plan member IDs, and any health or medical information provided outside of Sony’s health plans.”

Sony is not the only organization coming under scrutiny by the HHS OCR at the beginning of 2015. Elizabeth Snell of Health IT Security mentioned two major revelations already in January:

  • BlueCross BlueShield of Tennessee used the contact information of 80,000 TRH Health Plan subscribers for unauthorized marketing.
  • Safeway Inc. had to pay a $9.87 million civil fine for improper disposal of customer records, including healthcare information, and of hazardous waste. The court found that more than 500 Safeway stores had disregarded lawful disposal requirements.

Real-World Scenario – HIPAA Consultation

Consultant:

Tell us about your hosting needs.

Client:

We are investigating HIPAA-compliant hosting solutions. The solution needs to be a Windows-based Application Server, SQL Server, and Web Server. I see a starter option for $ xxx per month that looks like what we need for an application server. Does this include SQL Server and the Web Server? If not, what are the additions to this?

Consultant:

Thank you for contacting Atlantic.Net. The $ xxx package does not include MS SQL, and it also does not have enough RAM to create the (2) virtual machines we would need to create inside the dedicated server to provide you with SQL and web servers. Using the one dedicated server and virtualizing it following best practices would maintain HIPAA compliance at the lowest possible cost. We use Hyper-V to virtualize the dedicated server, and the Windows Standard Edition license allows for the creation of (2) VMs on a dedicated server.

There is one other thing to consider when using MS SQL, and it is how fast you need the I/O to be on the hard drives. If you need a very fast I/O for the database work, we would have to add (2) more hard drives and create a RAID 10 configuration. We would also have to add a high-performance RAID card to the dedicated server. If you do not require a fast I/O for the database work, then you can go with the (2) hard drives and the hardware RAID card we include automatically.

This is the pricing if you DO NOT require the Fast I/O:

  1. MS SQL Standard 2008 R2 or MS SQL 2012 – $ xxx per month
  2. Add an extra 16 GB of RAM to the server – $ xxx per month

This would increase the total monthly pricing to $ xxx per month on a 12-month agreement with no setup fee.

This is the pricing if you DO require the fast I/O:

  1. MS SQL Standard 2008 R2 or MS SQL 2012 – $ xxx per month
  2. Add an extra 16 GB of RAM to the server – $ xxx per month
  3. Two extra 500 GB hard drives – $ xxx per month
  4. Upgrade to High-Performance RAID Card – $ xxx per month

This would increase the total monthly pricing to $ xxx per month on a 12-month agreement with no setup fee.

You do have the option of providing your own MS SQL license. If you do, it will remove the monthly charge of $ xxx for the license. Microsoft does not allow us to sell their licenses under our SPLA agreement; we can only lease them to customers under a monthly charge.

Client:

Thanks for the response. One other question: Do you provide SSL Certificates, or would this be something we would obtain and install?

Consultant:

You can purchase the SSL certificate yourself and transfer it, or you can purchase it from us through our engineering department. I have attached the document that details the different SSL certificates that we offer. If you purchase the SSL certificate through us, then we will install it for you.

How AssistRx Meets Its Compliance Needs

The above interaction is just one real-world example. We help healthcare organizations with their HIPAA compliance needs every day.

One of our newest HIPAA partners is AssistRx. The company’s chief brand & business development officer, Edward Hensley, commented, “We see the unmatched potential and capabilities present in Atlantic.Net’s private hosting platform to build upon our latest innovations and services in a secure and efficient way.”

By Kent Roberts