An innovative company recently contacted us for a hosting plan. The firm is a technology and customer service provider to the specialty pharma industry. They needed an architecture that would maintain the regulatory compliance of their new web marketing program for custom drug solutions.

When the firm came to us, their infrastructure was located at another hosting provider. That company did not supply the startup with a business associate agreement (BAA) or otherwise have the proper mechanisms in place for HIPAA compliance.

In this article, we will look at a few “big picture” topics and then discuss this specific “real world scenario”:

What is the specialty pharma industry?

According to the “Health Policy Brief” on the topic from the peer-reviewed Health Affairs, specialty pharmaceuticals is not a technical term. However, the typical description gives the drugs the following characteristics:

  • combination of medications and biologics (medicines that involve live cells);
  • sophisticated production process;
  • typically are high in cost, in excess of $500 per month;
  • often challenging for the patient to take;
  • often need additional patient follow-ups; and
  • often accompanied by specific FDA rules regarding usage.

Specialty pharmaceuticals, since they are custom drugs that are sometimes more vulnerable to environmental conditions, need to be distributed in more cost-intensive ways. For example, transport methods may need to be modified, and storage may have to incorporate climate control. Due to this developing need from the drug manufacturers, specialty pharmacies have been built to provide expertise in tailored distribution. These companies transport the drug to the doctor and collect payment from the patient’s health insurance plan.

Broader cultural context – The basic “issue” with specialty pharmaceuticals – per Health Affairs – is that they are often considered to be part of the reason that healthcare costs are skyrocketing. Some medicines in this category cost six figures for a 12-month supply. Generally, a generic form of the drug does not exist. Although cost is a matter of debate (how to handle rising costs and whether the drugs are unreasonably priced), the drugs often are the best hope for treatment and recovery of numerous debilitating health conditions.

The cloud and medical research

Many healthcare companies feel safer avoiding virtual infrastructures (virtual private servers), including distributed ones (cloud servers), when securing their protected health information (PHI). However, whenever discussing HIPAA compliance, it’s important to note the huge potential of the cloud for rapid-fire development and worldwide, real-time diagnostic systems.

Geoffrey Fox, Ph.D. of Indiana University, expressed the cloud compared to supercomputers since Big Red II at IU is one of the world’s most powerful computers. Dr. Fox said that because the cloud has high availability that outdoes any other technology, in many cases, it can accomplish a data processing rate that is “faster than a supercomputer.” For more on that topic, see the section here entitled “Introduction – Biotech and an ‘Aha’ moment.”

Common HIPAA compliance obstacles

Maintaining compliance with Health Insurance Portability and Accountability Act requirements is critical for all “covered entities” under the law – healthcare plans, healthcare clearinghouses, and healthcare providers.

It’s not always easy to stay compliant, though. According to organizational health and safety writer David Gitachu, five common HIPAA violations are as follows, based on actual mistakes made by healthcare organizations:

  1. Phone message with the wrong party – The patient must be contacted via the channel that is approved by them (e.g., office phone rather than home phone).
  2. Issuance of extraneous information – The provider should not accept makeshift forms from patients since they can result in disclosing details beyond what is acceptable to the patient.
  3. Lack of privacy document – Every patient must be given a document that outlines privacy details, including data to be ascertained and where they can retrieve it, prior to any examination or treatment.
  4. Failure to wipe data from equipment – Any machines that contain hard drives, such as photocopiers, must have all data removed prior to third-party exposure (as when returning leased equipment).
  5. Improperly secured web environment – Any PHI contained within web applications must be secured with technologies and protocols that meet standard business expectations, such as virtual private networks (VPNs), secure sockets layer (SSL) certificates, IPsec (Internet protocol security), and SSH (secure shell).

For more on that topic, see here.

Specialty pharma real-world scenario

Here is a short excerpt from our discussion with the customer, as we helped them deploy an architecture in which all their website data and backend was HIPAA compliant:

Consultant:

Do you need a Linux or Windows HIPAA hosting platform?

The Linux VPS Hosting Platform is $ xx per month on a 24-month agreement.

The Windows VPS Hosting Platform is $ xxx per month on a 24-month agreement.

Client:

We are interested in the Linux plan.

Consultant:

Okay, thank you. Will the customer need cPanel w/WHM? That will add $ xx per month to the hosting package.

Client:

Why would they need cPanel?

Consultant:

It’s for ease of use. Do they know how to operate a Linux Server using a command-line interface? If they do, they will not need cPanel.

Client:

Yes, they do.

Consultant:

Okay, I will not include cPanel.

Client:

Okay. We are ready to move forward. The signed BAA is attached.

Atlantic.Net is one of the leading companies in the world at HIPAA Compliant Hosting and HITECH compliant hosting. Explore our hosting options for life sciences research today.

By Kent Roberts