Healthcare organizations often contact us for hosting solutions that are fully compliant with the parameters of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Particularly critical for this sector of companies – called covered entities within the law and comprising providers, plans, and clearinghouses – are the Privacy Rule, and Security Rule contained within the Act’s Title II. The two rules govern the methods used by business associates, such as hosting services to safeguard protected health information (PHI).
The following article is part of our Real World Scenario series, which details interactions between our hosting consultants and clients, anonymously and in edited form. (If you are looking for a fuller HIPAA resources directory, see our HIPAA Compliance Master Index.)
Initial discussion of a HIPAA Virtualization plan
Client: We need a HIPAA-compliant server running SQL 2012. We have a couple of databases and need to host some web portals.
Consultant: Thank you for contacting Atlantic.Net. Please provide us with answers to the following questions so we can provide you with a formal proposal:
- What version of MSSQL 2012 do you require?
- How much storage space do you require?
- We recommend separate virtualized servers for the web and database.
Client:
- I am looking at the versions, but I think standard would work.
- Initially, we will not have high storage needs. The databases will grow but will most likely be less than 50GB. As far as webspace, we would be looking at 10GB or less.
- I would prefer not to pay for two servers right now.
Consultant: We can take one Windows server and create ( 2 ) virtual machines inside it by using the Windows Standard 2012 license. We do not charge extra to virtualize the dedicated server that is part of the HIPAA hosting platform. So the total monthly charge would cover both the web and database servers.
What we do not have any control over is the cost of the MSSQL 2012 license, and our agreement with Microsoft only allows us to lease the license on a monthly basis. You have the option of providing the MSSQL license yourself instead of leasing it from us, and we will load it on the server for you.
Client: We will provide the SQL license. How fast can we get hosting set up?
Consultant: It takes three days or less to deploy the new hosting platform from the time we receive a signed agreement. Below is the information that we need to send you within the agreement. Also, if you can answer the questions concerning the VM’s, firewall, and VPNs (listed below the contact questions), it will expedite the deployment process.
-Full Company Name
-Billing Address
-Tax ID Number ( if available )
-State of Incorporation ( if available )
-Main Contact with phone number and email address
-Billing Contact with phone number and email address
-Technical Contacts with phone numbers and email addresses.
Please provide the following information concerning the VM’s:
- Amount of Ram required per VM
- Amount of Storage required per VM.
Please provide the firewall rules and ports you want set up.
We are providing you with ( 5 ) VPN’s. We need to know how many you want to set up initially and what you want the username and password to be for each VM.
Client: What are your recommendations for an SQL server and a Web server as far as RAM and storage?
We will need the following access to the servers:
* HTTP traffic to the webserver
* VPN connections:
> * User 1:
>> * Username: XXXXXXXXXXXXXX
>> * Password: XXXXX@XXXX
> * User 2:
>> * Username: XXXX
>> * Password: XXXXX
* VM Usernames:
> * User 1 (Administrator):
>> * Username: XXXXX
>> * Password: XXXXX
> * User 2 (Administrator):
>> * Username: XXXXX
>> * Password: XXXXXXX
Consultant: We are going to provide you with16 GB of total RAM for the same price because we need 4 GB of RAM for the overhead on the HyperV Hypervisor. This will leave you with 12 GB of RAM. Below is our recommendation for the Web and DB servers.
The processor has ( 4 ) virtual cores. You will have 500 GB of storage space, but we need to use 40 GB for overhead, leaving you with 460 GB of storage space.
Please see the server descriptions:
Web Server
- 2 Cores
- 4 GB of RAM
- 200 GB of Storage space
DB server
- 2 Cores
- 8 GB of RAM
- 200 GB of Storage space
If this looks good to you, we can move forward. Please let us know.
Client: That looks good.
Choosing strong HIPAA business associates
Understandably, healthcare companies are careful who they choose to enlist to set up HIPAA compliant hosting systems. Atlantic.Net has been a respected industry veteran in business since 1994 and the winner of numerous business growth awards from outlets including Inc. and Entrepreneur. See our HIPAA Compliance Hosting list for access to a broad range of compliance-related resources and to spin up an SSD Cloud Server.
By Moazzam Adnan