Ask HN: HIPAA Compliant Hosting Providers? - USNetizen

I have over a decade of experience in medical application development and support. Recently, I've been exploring the possibility of establishing my own company based on an idea and prototype product I've developed for the medical community over the years.

Long story short, finding HIPAA-compliant hosting at reasonable cost with all of the features expected of a "cloud" provider is proving to be difficult. It wasn't until recently that HIPAA amended its rules related to hosting of PHI (protected health information) applications. Though it did not state it directly, they now require Business Associate Agreements to be signed by hosting providers, and they (providers) must also abide by certain standards and rules related to vetting staff and training and such (which isn't new, but the agreement is).

This is nothing really new, but it opens up the possibility of using "cloud" providers now, as far as I can tell. Problem is, it appears Amazon won't explicitly state if they will sign the required BAA regarding their AWS platforms, which is a no-go, as it could possibly be seen as an act of "Willful Negligence" on my part if that document is not signed by the hosting provider. They have "guidelines" on how to create HIPAA-compliant hosting setups with EC2 and S3 (http://d36cz9buwru1tt.cloudfront.net/AWS_HIPAA_Whitepaper_Final.pdf), but don't clearly state that they, themselves, are HIPAA compliant. Apparently they even have their own interpretation of the guidelines, and betting on them being right is not a risk I'm willing to take at this point.

So, tl;dr. That being said, Rackspace and Microsoft (when paid enough money) will sign the BAA, but is their Public Cloud, in anyone's (non-legal, obviously) opinion, HIPAA compliant then? Is there anyone out there with experience hosting HIPAA-compliant applications using Amazon or another service?
======
nalods
There's www.firehost.com that offers HIPAA-compliant hosting. It's amazingly
expensive (~$300/month for a 1GB cloud server), but the support is good and it
impresses CMOs/IT heads of potential customers when they ask you about it.

~~~
USNetizen
Thanks for the advice. Yeah, my other option it seemed was to go with
Rackspace dedicated managed hosting at over $1,000 per month, which is a
little bit high for a startup's budget.

~~~
bmelton
Is it possible to just prototype the service with non-sensitive data during
the development period and migrate to HIPAA-compatible servers when you have
customers?

If you already have customers, bake the hosting into the price. They're
almost certainly used to paying for things like that already, and I assume
that if your app has to be HIPAA compliant, it probably already has a
$xx,000 price at a minimum anyway, so that should work out just fine.

~~~
USNetizen
That's a good point. I just wanted to have something lined up from the get-go,
but I see what you mean. Enterprise and health care customers are accustomed
to paying large fees for compliant environments, so baking it into the price
shouldn't be much of an issue. Thanks.

------
lemcoe9
Just use Amazon. http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/

~~~
USNetizen
That's the exact whitepaper I read, but it falls short of explicitly stating
that they are HIPAA compliant. You see, HIPAA requires a certain amount of
physical security (on premises at the data-center) on top of all of that
electronic security, and Amazon won't publish it all in detail. It also
requires the "hosting provider" to sign the aforementioned BAA, which Amazon
won't do. Amazon is of the mindset that they are providing an "infrastructure"
and not a hosting service, but that is a murky legal gray area that could see
me fined hundreds of thousands, even millions of dollars if they are wrong.

They even put it in the disclaimer: "AWS and its affiliated entities make no
representations or warranties that your use of AWS services will assure
compliance with applicable laws, including but not limited to HIPAA and
HITECH."