Table of Contents
Healthcare companies must be in full compliance with federal regulations to avoid fines. The Health Insurance Portability and Accountability Act (HIPAA) contains laws applicable to handling protected health information (PHI) by healthcare plans, clearinghouses, and practices. Title II of the act includes a Privacy Rule and Security Rule, which are of special concern to covered entities when working with business associates – such as web hosting companies – on their IT architectures.
Along with the general information we provide elsewhere on our site related to the act, we have previously reviewed requests for legal healthcare database hosting solutions in our Real World Scenario series. This series shares common situations experienced by our customers: we provide dialogues based on actual interactions between our hosting consultants and clients. The below installment will explore an additional HIPAA request to provide a further sense of the attainment of a 100% compliant system.
HIPAA hosting solution Q & A
Client: Hello, I need to obtain a price quote on a web/database platform that will be HIPAA Compliant and support the following resources:
Web Server
- Windows 2008 R2
- 1 CPU
- 4GB RAM
- Drive 1 – minimum 60GB HD
- Drive 2 – minimum 100GB HD
- SSL Certificate.
Database Server
- Windows 2008 R2
- 1 CPU
- 4GB RAM
- Drive 1 – minimum 60GB HD
- Drive 2 – minimum 100GB HD
- SQL Server 2008 R2.
Disaster Recovery
- Web/Database Server
- Windows 2008 R2
- 1 CPU
- 4GB RAM
- Drive 1 – minimum 60GB HD
- Drive 2 – minimum 100GB HD
- SSL Certificate
- SQL Server 2008 R2.
Consultant: Thank you for contacting Atlantic.Net. The only questions we have are as follows:
- Will you be providing the SQL license?
- Will you be providing the SSL certificate?
Client: Yes, we have a license for the SQL Server. We do not have an active SSL certificate, though. Please include one in the plan you are recommending.
Consultant: Attached, you will find our formal proposal. Note that the SQL license is not included, but an SSL certificate is. We have also attached a document detailing our hardware firewall and intrusion detection system (IDS), along with a copy of our business associate agreement (BAA) for your review. Here are the highlights of our proposal:
- Windows Enterprise 2008 R2 Operating System – which will allow for the creation of up to (4) virtual machines, one more than you require
- Dual-Core i3-3220 processor with Hyperthreading (which will provide you with 4 virtual cores to work with for the VM’s) / 32 GB of Ram / 1 TB of RAIDed Storage Space
- Fully Managed Hardware Firewall w/ 5 encrypted VPN’s
- Intrusion Detection System with Log Management
- Fully Managed Daily Backup – files/database / VM snapshots
- 3220 3.3 GHz Dual Core w/HT 32 GB of RAM – 2 X 1TB
- SATA 3 Black RAID 1
- LSI 9240 RAID Card 1
- 10 TB of Monthly Data Transfer
- 100 Mbps Port Multi-Homed Bandwidth
- SSL Certificate
- 16 IP’s
- Private Hosting Platform
- 24 X 7 X 365 Live Technical Support by Phone or Email
- 100 % uptime SLA on all of the services we are providing
- Business Associate Agreement (BAA) for HIPAA compliance (based on the inclusion of all the hosting components we have listed)
- 12- and 24-month term pricing.
Please let us know if anything needs clarified or you have any further questions.
Client: I’ve noticed that you have SSAE 16 (SOC 1) Type II certification listed as one of your HIPAA attributes. How is that relevant to healthcare computing?
Consultant: That certification is from the Statements on Standards for Attestation Engagements (SSAE), the protocols and parameters designed and revised by the American Institute of Certified Public Accountants (AICPA). It’s a set of auditing guidelines that verifies the integrity of our infrastructure and the mechanisms in place to avoid breaches and/or corruption. It generally validates our security.
Client: Okay, I’m also curious what type of SSL certificate you will purchase and install on our behalf.
Consultant: We use GeoTrust. A 2010 Netcraft survey revealed that SSL certificates provided by GeoTrust are used more than any other brand among the Alexa 1 million (the 1 million sites that receive the most unique visits annually). GeoTrust QuickSSL Premium certificates are also backed by a $500,000 USD warranty.
Client: Thank you for the assistance. I have submitted the BAA to our lawyer and will reach out to you as I know more.
Affordable solutions for healthcare IT
The necessity of healthcare organizations to achieve a HIPAA compliant database requires specialized care from a HIPAA hosting service. In business for three decades and serving medical organizations with their regulatory concerns for five years, Atlantic.Net has the experience to meet your needs with an SSD Cloud Server so that your patients’ PHI data remain secure and private at all times.
By Kent Roberts; comic words by Kent Roberts & art by Leena Cruz.