HIPAA Compliant Web Hosting?

4 replies
Who do you recommend as a web host that is completely HIPAA compliant? This has to be extremely secure.
#compliant #hipaa #hosting #web
  • bgmacaw
    HIPAA compliance is part of my 'day job'.

    If you don't have an in-house server/network, you'll need to have a dedicated remote server that can meet the data center security regulations. The organizations that I've worked for or consulted with have always ended up using SunGard. It isn't cheap, though.
  • Mark Singletary
    What kind of EPHI will you be processing or storing on the site?

    Mark
  • Bishop81
    All it's going to be is allowing the patients to fill out their paperwork online, then the nurses will be able to view the forms and print them out on their end. The patients will also be able to start their paperwork, save the current values, and then finish it at a later time.

    It's not anything major, but I want to make sure that it's done properly from the beginning. Another company that gave a quote said that the hosting they would use is only about $700 per year, which seems awfully cheap. I know that at the very least it needs to be on a dedicated server, but I'm also concerned with data center security, because I don't want ANY part of this to be in violation.
  • jacktackett
    I've run several data centers and had a full-time staff just to handle security and audits to prove to my co-located/dedicated/managed customers that we were compliant. My day job involves compliance-related activities. I agree that $700 a year sounds cheap to me too. You need to make sure the data center is SAS 70 compliant and/or at least has passed an audit recently. That's just the data center.

    Then you'll have to worry about your servers, network equipment, and access. Next, like a lot of regulations, they live and die on your documented procedures, typically COBIT- or ITIL-inspired, and on providing proof that you follow your procedures.

    Uhm, $700 might get you one server in a decent data center, but your customers will more than likely laugh all the way to your compliant competitors if you're not careful.

    The biggest issues I've found in running a data center were on the customer's side: getting their policies and procedures in place and in a condition to be audited. I could show any auditor on a moment's notice my policies and procedures, plus an audit trail proving we did them, and, for those incidents where something went wrong, how we handled the issue and flowed that back into the process.

    SunGard I've used for disaster recovery, not hosting per se. I believe they purchased Inflow a while back for more business hosting. Outside of IBM etc., SunGard is great for DR-type work. If you're looking to do this right, definitely outsource; don't go trying to build a compliant data closet, er, center, on your own. Find one that's local if possible. In the SE there's Hosted Solutions (highly recommended), Peak 10, and SunGard. Hosted Solutions also has centers in Boston and DC.

    If you have any questions please feel free to drop me a line.

    --Jack