In this episode of the HIPAA Insider Show, Adam & Gil delve into the critical differences between HIPAA-compliant hosting and regular hosting. The discussion covers the evolution of web hosting needs as healthcare organizations scale from simple marketing websites to complex public web applications.

Key topics explored include:

- An overview of HIPAA and its implications for web hosting
- Essential features of HIPAA-compliant hosting, including data encryption, access controls, and Business Associate Agreements
- The transition from basic informational websites to patient portals and telemedicine platforms
- Scaling considerations for growing healthcare web applications while maintaining HIPAA compliance
- Cost and complexity factors in implementing HIPAA-compliant hosting solutions
- Guidelines for selecting the right HIPAA-compliant hosting provider

Whether you’re a small healthcare practice or a large provider offering digital services, this episode provides valuable insights to help you navigate the complexities of HIPAA-compliant hosting and protect sensitive patient information. Tune in to learn how to safeguard your organization from costly data breaches and compliance issues as you expand your online presence.

Transcript:


Adam
Hello and welcome to the HIPAA Insider show where we delve into all things HIPAA and cloud security. I’m your host, Adam Zeineddine. Before we dive in, please take a moment to hit the subscribe button and share this podcast with anyone interested in healthcare and cloud security. I’m joined today by the CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil. 


Gil
Hey, Adam. Looking forward to today’s podcast. 


Adam
Me too. We’re going to be diving into an important topic today and the title of the topic is From Simple Sites to Secure Solutions. Navigating HIPAA Compliant Hosting versus Regular Hosting. It’s going to be a meaty topic to get into. Gil, are you ready for it? 


Gil
I’m ready to go. I’m ready. 


Adam
Awesome. Let’s start with a little bit about HIPAA. Gil, what’s HIPAA, if you don’t mind? And why does considering HIPAA when it comes to hosting matter? 


Gil
Okay, yeah, good question. And it’s good to start with the basics. Sometimes time goes by, we forget the basics. It’s good to review them. So HIPAA stands for the Health Insurance Portability and Accountability Act, which the federal government set up to ensure that a person’s patient information is protected. Interestingly, when this act first came out, I don’t remember the exact year, but when it first came out, yeah, people were like, you know, another regulation, we’re not going to pay attention to it. So they did something called the HITECH Act, which means there’s going to be fines if the HIPAA act isn’t followed. So it is serious business. If there’s patient information that’s leaked out, then there are fines that are imposed. So people have to care about it now because of the fines. 


Gil
And when it comes to the hosting platform that you’re asking about, well, that’s where the patient data is stored. That’s the golden egg. That’s what we have to protect. So the hosting is important because everything’s out on the cloud these days and you have to be very mindful of what, where the data is and how it’s protected. And that includes HIPAA compliant services like data transmission, storage and access management. 


Adam
Yeah. Okay, so I’ve got a follow up question on that and it probably leads on to the next topic. How would a website owner or developer know whether they need to consider HIPAA compliant hosting or not for their website or application or whatever? 


Gil
Yeah, that’s, yeah, that’s important. So a business owner, business manager has to determine if their healthcare app is going to need to follow the HIPAA regulations. So the rule of thumb is that if you’re going to be handling protected health information, PHI, that’s patient records, then you need to be following the HIPAA guidelines. Now keep in mind it doesn’t have to be deep and extensive information. It could be as simple as you have an app, let’s say, that monitors a person’s blood pressure and basic heart rate, just some basic things like that. Well, that still qualifies as personal health information, Protected Health Information, PHI. So in that case you would still have to follow them. 


Adam
Okay, so if there’s PHI, then HIPAA compliant hosting is needed, and then if there’s no PHI, then you could probably go with, you know, what’s termed regular hosting. So could you give us a brief kind of idea of what regular hosting is in the day to day for the listeners and viewers versus what a HIPAA compliant hosting provider would look like? 


Gil
Sure, sure. From the business point of view, let’s start with the non-technical. A regular, non protected health information provider can just take your credit card, start hosting and off you go to the races. Whereas a HIPAA compliant service is going to first make sure that you have certain documents signed, including the business associate agreement. And that’s an important document. That BAA, as we call it, should be signed between the hosting provider and the customer that has the healthcare application. And essentially that document describes the relationship between the two. So that’s one difference that’s not technical. Technical differences would be a regular non protected provider doesn’t have to worry about encryption, encryption at rest. And by that I mean if the virtual machine is powered off, there’s no requirement that the powered off system and the data be encrypted. 


Gil
Whereas a HIPAA provider does have to ensure it’s encrypted at rest and also in transit. So those are a couple of ones I’d like to highlight. And also backup and disaster recovery. Now most hosting providers are going to give you backup, so that’s not anything new. I think what would be different with a HIPAA compliant provider is that the backups should cover enough time. So it can’t just be one or two days of backups. You have to be able to go further back, and that’s important in order to keep the integrity of the system. Make sure you have enough backups that go back far enough in history. 


Gil
And then physical security. The hosting provider has to have physical security, which is many times, when you say security, what people think of. They think of web cameras and they think of access cards to go in the data center. All those things are necessary as well. 


Adam
Great. Okay, so at this point, I think this is going to be an overview episode. Gil, listeners and viewers, I’d encourage you, on any of those points, data encryption, business associate agreements, backup, disaster recovery, any of those that Gil just mentioned, if you want to dive deeper into them, do check out our previous episodes where we have done more deep dives into those specific topics. And while you’re at it, you know, like the video and share it if you think it’s going to be useful to someone else and spread the word. Okay, Gil, so moving on. We’ve defined what HIPAA compliant hosting is versus regular hosting. What about at the stage where a business owner has identified that they need a HIPAA compliant web presence, but they’re looking to identify how the scaling is going to happen from like a simple. 


Adam
Sorry, from a simple marketing website to a more complex application. How, you know, how do you determine what you need from a simple website all the way up to a more complex application? 


Gil
Yeah. So in the industry of hosting, there’s a term called brochureware, and that essentially means just like a brochure in the old days, you flip through the brochure, see pretty pictures, and it’s just informational. Some websites are like that today. Let’s say you’re a dentist, for example. Dentists may just have a brochure type site where they’re just showing pictures of people before and after their teeth are straightened and, you know, their address and a map, but they’re not collecting any information from their constituents. So that would be at the simplest level, and that’s a very basic site. You don’t need much bandwidth or resources like RAM and CPU and so forth. 


Gil
But as you go up to the next level, where it’s not just brochure, where you may have a patient portal or a web application of some kind, where there’s interaction between the patients, the end users and the platform. So in that case you have some kind of a backend application. Examples of this would be like telemedicine, right, where you sign into an application and next thing you know you’re seeing a doctor and you’re telling him what your ailment is. That would be considered a much more sophisticated one. What do you do as you grow and you have more traffic and a more sophisticated application? You have to have, a lot of times, a way for your resources to grow along with it. The architecture of your platform, of the platform where you’re hosting, begins to matter. 


Gil
We could go into the nitty gritty, but suffice it to say for now that you have to have the appropriate architecture for your application. And by that I mean if you have a lot of traffic, that’s one dimension, but the other one, even if you don’t have a lot of traffic, but you have a complex application that requires a lot of CPU and RAM and other resources, you have to think about that. So I would say those are the principal things that people should consider. 


Adam
Yeah. And as that scales, I’m assuming that the cost can scale with it as well. So can you talk a little bit about what, you know, what the cost considerations are when it comes to HIPAA compliant hosting from different aspects of security, but then also the infrastructure that you mentioned. 


Gil
Yeah, I think at the low end, if you see again, brochureware where it’s just static content, you know, that’s something that a GoDaddy might cost you $30 to $40. And people should know this as well. Don’t get fooled by even the standard hosting. You’ll see hosting for $3, you know, but when you sign up for those accounts, you’ll notice that, oh, you want an email box, okay, that’s $4 more. Oh, you wanted more disk space, that’s another $10. So the real cost after you sign up is closer to, you know, $30, $40, $50 a month. So even the brochureware you can expect to pay at least that much. And if it’s in a HIPAA compliant host, you’re looking at at least $100 a month. And I would say the mid range is about $500. 


Gil
If you have a mid-range system or application, you’re going to be looking at below $1,000, and... 


Adam
Then enterprise, maybe slightly beyond brochure. 


Gil
Right? Yeah. Like for example, if you had, let’s say you had a website where you’re selling to your patients certain items via e-commerce, and you have a WooCommerce site with WordPress, that’s a good example of a medium one where you have some traffic. But the WooCommerce itself is a heavy plugin. In other words, by heavy I mean it requires a decent amount of resources both on the database and the application. So WooCommerce with WordPress might be edging up toward the middle tier. So you have to consider how complex your application is as well as how much traffic it’s going to be getting, and make sure that you have the right amount of resources. Of course, your provider, like HIPAA Vault, can help you determine what is the appropriate level for your app. 


Adam
What should our listeners and viewers most look out for when they’re researching the right HIPAA compliant hosting provider? 


Gil
Yeah, I think there’s something that’s very important that’s really not technical, and I think the listeners will appreciate what I’m about to say. And that is when you are consuming a service, a digital service in particular, which most of us are digital citizens. Right. Everything we do is online now, but in this case in particular, when you are dealing with an important healthcare application that you are generating revenue from, it is one of your, it is your business source of income, you need to have someone that is going to be your teammate. In other words, don’t go just strictly on the price or if it’s a slick platform. I mean, are you going to be able to call these people? Like, if you have an issue, you’ll get on the phone and say, hey, can we get on a meeting? 


Gil
I need to talk to somebody. We’re having some kind of an issue and we need some help. So that is something I think is really important, because if you do get into crisis mode, or not even crisis mode, but even planning mode, you know, you want to see, can I talk to somebody on the other side? Not just fill out a form and get an email, you know, in a week or so, or in a day or so, but somebody that you can actually schedule a meeting with, have a conversation. And I think that’s important. Now if you’re just starting off and you have brochureware and it’s something very simple, then what I just said probably isn’t as important. 


Gil
But as you move up the scale and you have an application that’s growing in importance to you and to your organization, then you’re going to want to make sure that you can do that. Now how do you test that? This is interesting because of course when you’re talking to somebody, they always tell you, oh, of course we’ll help you. I mean, everybody’s going to say yes. But the way you can test it out is, if you can’t meet with the sales team, like, you can’t even get a call with the sales team because you want to spend your money, then you know the support team is going to be terrible. So test it in the sales process. 


Gil
If you cannot get a hold of the sales guy to give him your money, then guaranteed, 99% chance the support is going to suck as well. Now if you get past the first level and you’re able to talk to somebody in sales and they seem very responsive, say, hey, can I talk to one of the resolution or solution engineers? You know, we have some technical questions. If they join a scheduled call, then, you know, it’s like, oh, okay. These people seem to be available, they seem to be joining meetings, and it seems to be pretty good. So that’s how you can, in a practical way, find out if you’re going to have some good experiences there with support. 


Adam
Yeah, no, they’re all great points. Whenever I’m doing business on a, you know, a personal level, I always want to look out for, like, is the person that I’m doing business with of a similar size to me, and wherever that’s possible, then I’ll, you know, I’ll try and go for that provider, just because, like you said. 


Gil
Yeah. 


Adam
Is that personal touch? 


Gil
Right. And the last point I’d like to make is that the time zone matters too. So if you’re in the Midwest and you’re trying to talk to an engineer and you find out all their engineers are in India or the Philippines, then it would be difficult from a time perspective to be able to hook up a meeting. So, you know, those are all important considerations. I think when you’re looking to have a long lived partnership, you want to start off on the right foot and you want to make sure that you’re comfortable with that environment, that it seems to fit your business model. 


Adam
Yeah, definitely. All right, great. Well, we’ve covered a fair bit today, Gil. Anything else that you wanted to touch on? 


Gil
No, I think we covered the most important points, and I do encourage our audience, if they have any questions or they want to ask something about their app or something, we’d be happy to join on a call and do a review with them. 


Adam
All right, yeah. Link in the description for all info on HIPAA Vault and how to get in touch with HIPAA Vault. So yeah, thanks for joining. Thanks for listening. Today we explored HIPAA compliant hosting, how it differs from regular hosting. I’d love to hear your thoughts on your experiences with HIPAA compliant hosting, if you’ve had any. If not, and you’re just looking to get into a HIPAA compliant setup, let us know what the most important aspects are for you. You can leave a comment below and we’ll get back to you. Remember, if your organization handles PHI, it’s crucial to choose a hosting provider that offers the security, privacy, and compliance that you need to stay HIPAA compliant. Thanks for tuning in today. Until next time, stay safe and stay secure.