Often when purchasing hosting services and online space, the product is similar between providers. Many hosting providers use the same virtualization technologies and differ only in their implementations and the physical hardware used to house the virtualized environments.
What does differ drastically between providers is the quality and array of managed services offered. In many cases, purchasing hosting from a provider is simply leasing the server space necessary for your application to live, with the promise only that the server will remain up (in terms of “uptime”) and available.
Technology service providers may only offer a set of managed services in which they are experts, whereas the client may not be. For HIPAA compliance, there are requirements for storing protected health information (PHI) per the HIPAA Security Rule.
For a HIPAA Compliant Hosting Provider, storing PHI is standard operating practice. Tasked with the often stringent rules defined by HIPAA, a typical web hosting provider won’t offer the services or documents (like a BAA) that are required for HIPAA compliance.
However, a company that specializes in HIPAA Compliant hosting should include such services as advanced monitoring of hardware/software, automatic operating system updates, log file management, unified threat management, security vulnerability scanning, and two-factor authentication.
The concept of managed services refers to the idea that these services will be included in the hosting environment and will be attended to, regardless of the client’s involvement in these aspects.
For example, HIPAA requires keeping detailed logs of access and changes; many HIPAA hosting providers manage a log-rotation software and keep gigabytes of log files in order, in a format where they can reply to answers to questions such as who logged in on this day and what did he do? In addition to log files, keeping up with system patching ensures that your data remains safe. With a HIPAA-managed solution, the patching is done for you and you can be assured that your system and PHI are safe.
In the event of a HIPAA audit, the heat is likely to be on, and learning how to utilize technologies that may have been put into place years prior is generally not an option. In a scenario such as that, a protected entity would likely have already purchased some degree of managed services from their host.
The onus of learning and familiarizing oneself with the intricacies of software required under the Security Rule is not on the protected entity itself but on the host. Many HIPAA clients pay a premium to have the peace of mind that an expert is attending to the complex technical matters of HIPAA. Oftentimes, purchasing managed services can be more cost-effective than hiring and training an IT professional to do the same job.
When it comes to remaining compliant, many people adopt a “set it and forget it” attitude. This type of attitude is especially poor practice when applied to a HIPAA task, but sometimes there is no other option and manpower must be expended elsewhere.
Rather than abandoning HIPAA best practices in order to accomplish other tasks, it’s better to make sure that your HIPAA host includes managed services with your hosting plan. The cost of these services is guaranteed to be negligible when compared to a monetary penalty for an inadvertent HIPAA violation.