Ask HN: HIPAA Compliant Hosting Providers?

[USNetizen]

I have over a decade of experience in medical application development and support. Recently, I've been exploring the possibility of establishing my own company based on an idea and prototype product I've developed for the medical community over the years.

Long story short, finding HIPAA-compliant hosting at reasonable cost with all of the features expected of a "cloud" provider is proving to be difficult. It wasn't until recently that HIPAA amended it's rules related to hosting of PHI (protected health information) applications. Though it did not state it directly, they now require Business Associate Agreements to be signed by hosting providers and they (providers) must also abide by certain standards and rules related to vetting staff and training and such (which isn't new, but the agreement is).

This is nothing really new, but it opens up the possibility of using "cloud" providers now, as far as I can tell. Problem is, it appears Amazon won't explicitly state if they will sign the required BAA regarding their AWS platforms, which is a no-go as it could possibly be seen as an act of "Willful Negligence" on my part if that document is not signed by the hosting provider. They have "guidelines" on how to create HIPAA-compliant hosting setups with EC2 and S3 (http://d36cz9buwru1tt.cloudfront.net/AWS_HIPAA_Whitepaper_Final.pdf), but don't clearly state that they, themselves, are HIPAA compliant. Apparently they even have their own interpretation of the guidelines and betting on them being right is not a risk I'm willing to take at this point.

So, tl;dr. That being said, Rackspace and Microsoft (when paid enough money) will sign the BAA, but is their Public Cloud, in anyone's (non-legal, obviously) opinion HIPAA compliant then? Is there anyone out there with experience hosting HIPAA compliant applications using Amazon or another service?

[nalods]

There's www.firehost.com that offers HIPPA compliant hosting. It's amazingly expensive (~$300/month for a 1GB cloud server), but the support is good and it impresses CMOs/IT heads of potential when you they ask you about it.

[USNetizen]

Thanks for the advice. Yeah, my other option it seemed was to go with Rackspace dedicated managed hosting at over $1,000 per month, which is a little bit high for a startup's budget.

[bmelton]

Is it possible to just prototype the service with non-sensitive data during development period and migrate to HIPAA compatible servers when you have customers?

If you already have customers, bake the hosting in to the price. They're almost certainly used to paying for things like that already, and I assume that if your app has to be HIPAA compliant, that it probably already has a $xx,000 price at a minimum anyway, so that should work out just fine.

[USNetizen]

That's a good point. I just wanted to have something lined up from the get-go, but I see what you mean. Enterprise and health care customers are accustomed to paying large fees for compliant environments, so baking it into the price shouldn't be much of an issue. Thanks.

[lemcoe9]

Just use Amazon. http://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepa...

[USNetizen]

That's the exact whitepaper I read, but it falls short of explicitly stating that they are HIPAA compliant. You see, HIPAA requires a certain amount of physical security (on premises at the data-center) on top of all of that electronic security, and Amazon won't publish it all in detail. It also requires the "hosting provider" to sign the aforementioned BAA, which Amazon won't do. Amazon is of the mindset that they are providing an "infrastructure" and not a hosting service, but that is a murky legal gray area that could see me fined hundreds of thousands, even millions of dollars if they are wrong.

They even put it in the disclaimer: "AWS and its affiliated entities make no representations or warranties that your use of AWS services will assure compliance with applicable laws, including but not limited to HIPAA and HITECH."