My consulting company is working with a client to make some changes to their webapp (it's a health-care-related app - details aren't super-relevant). One of the items on their wishlist is "make it HIPAA-compliant". We're working with the client's lawyer to determine exactly what that means in practice, but it's clear that one of the items will be "host it on infrastructure other than the $10/mo. WebFaction plan".

The app itself is (relatively) simple systems-wise, so we don't really need a dedicated box and all the sysadmin and security headaches that come with it. But from my basic read of the HIPAA Security Rule, shared hosting (which abstracts away a lot of the sysadmin issues) won't cut it. We're primarily developers, not sysadmins, and certainly don't want to get into the server admin business on something with regulatory requirements.

Does anyone here have suggestions for either a host that can make this less painful (not even sure what that would entail), or a firm that specializes in the sysadmin side of things? (Preferably with HIPAA experience.)
HIPAA is more about documenting your intended process, and your actual actions, than it is about requiring any particular solutions provider. For example, it's entirely possible to build a HIPAA compliant web app on AWS:

http://aws.typepad.com/aws/2009/04/white-paper-creating-hipaacompliant-medical-data-applications-with-amazon-web-services.html

My company is in the middle of this, and we haven't encountered any deal-breakers so far.
Had to research this before. Firehost is one of the names that came up often:

http://www.firehost.com/secure-hosting/hipaa

Their plans start from $845 monthly.

No affiliation, just passing info along.

You can't just rely on the provider though. All the server hardening in the world wouldn't help with apps that don't comply fully. Some of the audit requirements are bound to be very specific to the nature of your app.
I work for a managed infrastructure firm that specializes in scaling out secure platforms for customers that require HIPAA compliance - might want to check it out.

http://www.lightcrest.com/security/hipaa

Ex Myspace/Microsoft folks - lots of in-house experience building high-volume sites that get pounded with malicious traffic.

Cheers
The first company that gets to a certified HIPAA and PCI hosting cloud is going to have to figure out what to do with the buckets of cash they have lying around. I think for the enterprise, PCI certification will be the event that gets the big (non-tech) guys out of running their own infrastructure. I would imagine that it would be the same for medical. As for your immediate question, I am sorry I can't help; I don't know who, if anyone, is doing this. I am still looking for a PCI certified cloud, as a portion of my customers are public companies, and not having to work on all their different infrastructures and being able to provide them a hosted solution would be great for me, but there is no way I could get into managing a PCI certified hardware infrastructure just to achieve that goal.
Depending on your fit/needs, it may be worthwhile to check out if the end client would like to maintain this box. That way, you are on their network. The disadvantage is of course the administration.

We did this on a pilot project with one of our clients with HIPAA requirements. We asked for a box with the minimum requirements with admin/firewall setup and used this server as our end point for our app. Hope this helps.
One other issue to consider is that just because your hosting provider's infrastructure is HIPAA compliant doesn't mean your application is. There are still a ton of privacy issues within the application: plain text HTTP, user authentication, etc.
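An added example, not from any poster in this thread, of the application-level controls the comment above (and the earlier remark that audit requirements are specific to the app) is pointing at: refusing plaintext HTTP and sending HSTS on TLS responses, plus an audit trail that records every patient-record access, including the denied ones. It is written as plain WSGI-style Python with no framework; the forwarded-proto header name, the care-team table, and the patient IDs are constructed for the example and are not from the thread.

```python
import time

# Header written by our own TLS-terminating proxy (hypothetical deployment
# detail; only trustworthy if that proxy overwrites any client-supplied copy).
FORWARDED_PROTO = "HTTP_X_FORWARDED_PROTO"


def request_is_tls(environ, behind_trusted_proxy=False):
    """Decide whether a WSGI request arrived over TLS.

    The forwarded-proto header is believed only when the app is known to sit
    behind a proxy that overwrites it; otherwise a client could set it and
    have a plaintext request treated as encrypted.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if behind_trusted_proxy:
        return environ.get(FORWARDED_PROTO, "").lower() == "https"
    return False


def transport_policy(environ, behind_trusted_proxy=False):
    """Return (status, headers) enforcing TLS-only delivery of PHI pages.

    Plaintext requests are redirected to the https:// URL and served no
    content; TLS requests get HSTS and caching disabled so record data does
    not end up in shared or proxy caches.
    """
    if not request_is_tls(environ, behind_trusted_proxy):
        target = "https://%s%s" % (environ.get("HTTP_HOST", ""),
                                   environ.get("PATH_INFO", "/"))
        return "301 Moved Permanently", [("Location", target)]
    return "200 OK", [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Cache-Control", "no-store"),
        ("Pragma", "no-cache"),
    ]


class AuditLog:
    """Append-only record of who touched which patient record and whether the
    access was allowed. In production this would go to write-once storage
    rather than a list in memory."""

    def __init__(self):
        self._entries = []

    def record(self, user_id, patient_id, action, allowed):
        self._entries.append({
            "ts": time.time(),
            "user": user_id,
            "patient": patient_id,
            "action": action,
            "allowed": allowed,
        })

    def for_patient(self, patient_id):
        return [e for e in self._entries if e["patient"] == patient_id]


# Constructed sample data: which authenticated users are on each patient's
# care team, and the records themselves (contents deliberately placeholders).
CARE_TEAM = {"p-1001": {"dr.lee"}, "p-1002": {"dr.lee", "nurse.ng"}}
RECORDS = {"p-1001": {"name": "[redacted]", "dx": "[redacted]"},
           "p-1002": {"name": "[redacted]", "dx": "[redacted]"}}


def view_record(session, patient_id, audit):
    """Authenticated, authorised and audited read of one patient record.

    Returns (allowed, record). Every attempt is logged, denials included,
    because an audit trail that shows only successful reads cannot surface
    inappropriate access attempts.
    """
    user = session.get("user") if session else None
    if user is None:
        audit.record(None, patient_id, "view", False)
        return False, None
    if user not in CARE_TEAM.get(patient_id, set()):
        audit.record(user, patient_id, "view", False)
        return False, None
    audit.record(user, patient_id, "view", True)
    return True, RECORDS[patient_id]


if __name__ == "__main__":
    log = AuditLog()
    print(transport_policy({"wsgi.url_scheme": "http", "HTTP_HOST": "ehr.example",
                            "PATH_INFO": "/p/1"}))
    print(view_record({"user": "nurse.ng"}, "p-1001", log))
    print(log.for_patient("p-1001"))
```

The `behind_trusted_proxy` flag is the part people most often get wrong: honouring `X-Forwarded-Proto` on a box that is directly reachable lets any client claim its request was encrypted, which is why the example defaults it to off.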
No shared hosting seems to imply that VPS won't cut it either--depends on what "shared hosting" really means. So you are left with looking for a dedicated hosting plan. I'd say check out a company like Rackspace (disclosure: I work there).