Hacker News new | comments | ask | show | jobs | submit login
Ask HN: How do I set up a HIPAA-compliant server?
68 points by th3o6a1d on Sept 21, 2014 | hide | past | web | favorite | 52 comments

It's not just the server - it's the storage, accessibility (compartmentalization), and transmission of sensitive data (PHI and PII) at all levels. There is a lot more to HIPAA/HITECH than just server configuration - there are legal agreements you have to enter into as well (BAA's), insurance requirements, and potentially a lot more.

I'd suggest you work with a company that has a lot of experience in this area before you inadvertently find yourself fined (or sued) into bankruptcy.

A lot of HIPAA complience also has to do with due dilegence. My organization recently when through a long period of training that covered everything from building access logs to the way we do employee password resets. Unfortunately there aren't hard, static rules that define it.

On the positive side- I've learned to love the compliance. Most of it is common sense things (like not giving out info over the phone to any random person) and has made our organization more efficient.

+1 do these things because they are actually good engineering practices. be a good custodian of any user's trust.

i think some companies try for the quick buck and in the name of cost savings run a shoddy operation. ymmv.

ps - do not try making said quick buck in health care. contrary to VC bets otherwise, it doesnt exist. plan for a very very long haul.

This exactly. It's not like there are just a few commands to run in Linux that gets you a HIPAA-compliant server. It is a pretty long and arduous process that involves several business-level requirements, in addition to the technical ones.

There are a few options if you want HIPAA compliance. Note that "HIPAA compliance" is somewhat of a loaded term in that there aren't many super-technical benchmarks to meet, but a general "do-good" attitude including (but not limited to) some of the following points:

- Physical server isolation: you cannot have other instances sniffing around in your deallocated garbage memory.

- Encrypted data stores: physical theft of the server should not provide access to your data.

- Server providers who can sign a Business Associate Agreement: many hospitals and firms with medical data require this in their stipulations.

- Audit trails for database modifications, access, etc. Basically, log everything, and this has to be encrypted too if it contains protected health information (PHI).

- All PHI over HTTPS if you have a webapp. NO PHI OVER EMAIL OR HTTP.

- "Soft" guidelines such as password complexity measures, auto session expiration, disallowed multi-sessions.

Again, this is not an exhaustive list. You really need to check with a lawyer who knows this stuff. The fines are enormous (read: business-ending) if you break the rules.

How do you work to implement these? Well, find a host who is willing to sign a BAA. Here are the two major contenders I'm aware of:

- Use Amazon AWS; they're willing to sign a BAA with you and provide you the physical server isolation you need. However, this doesn't come cheap. Expect >$2,000/mo in costs to keep this configuration. Also, you'd better be a network pro or willing to learn how to manage VPCs correctly to provide proper network-level isolation for the databases.

- Use aptible.com (they happen to be a YC company, and I don't know of anyone else doing this). Frank & Chas (the founders) are very responsive and aim to provide a comprehensive package, including backups, audit trails, and even employee training. The Docker-based and heroku-like interface is very appealing:


This option is still expensive. They host on AWS as well, so you're paying for the server costs + premium. However, this will still be a lot cheaper than hiring a competent sysadmin to make sure the execution is flawless.

Does HIPAA really require "physical server isolation"? I wasn't able to find anything specifying that in my reading. (Encrypting data at rest is definitely required. I suspect the S3 functionality was built to address the requirement.)

AFAICT the whole "can't do HIPAA in the cloud" meme arose from the reluctance of cloud services to sign BAAs, Google only got on board with that earlier this year.

I'm a lawyer, but not your lawyer. This is not legal advice. :)

The HIPAA Security Rule requires that you take "reasonable and appropriate" measures to safeguard the confidentiality, integrity, and availability of electronic regulated health data.

Physical server isolation is not prima facie required, meaning there is no requirement that literally states you must isolate servers down to bare metal. Your customers' judgments about what constitutes "reasonable and appropriate" safeguards may vary, though. That decision should be driven by your risk assessment.

Encryption is also not prima facie required, actually.[0] I can't imagine a case in which it would be reasonable for a cloud SaaS provider not implement it, so I'd say it is de facto required. MFA may be moving to the same category, for most web services.

[0]: http://www.law.cornell.edu/cfr/text/45/164.312

I think this might just be a stipulation to sign a BAA with Amazon, combined with my tendency to err on the side of safety. I can't find anything to cite either. On a slightly related note, lack of memory safety happens to be how Home Depot lost all those credit card numbers.

I am not a lawyer.

no it is not (i have passed VA/DoD audits without)

It's a big task on its own and it seems a bit in-transparent to me.

However, you may want to have a look at TrueVault[0] which has been featured on HN[1].

[0]: https://www.truevault.com/

[1]: https://news.ycombinator.com/item?id=7033188

As some people have mentioned here, there are other issues to think of besides the IT aspect. There is employee training, risk assessment, policy development, and the business account agreements. Accountable is a company that focuses on these type of issues to make them easier by providing things like employee training, ready to use policies and procedures, and business association agreements. I found them while learning about HIPPA compliance, and I have not actually tried the product but it looks like it could be useful for you, so I thought I would mention it here. http://accountablehq.com/index.html

Surprised no one has posted this. From the folks at TrueVault. https://github.com/truevault/hipaa-compliance-developers-gui...

@USNetizen -- You're right...I should have clarified that I want to know how to get an entire stack up and running, although I don't trust myself to do this unassisted.

I'm just surprised at how few resources there are that explain what it takes, and I hope that someday soon, healthcare startup CTO's will be referred to clearly documented open source solutions that are fairly fool-proof, rather than paid-for services (@sebst). Amazon's compliance page is unfortunately uninformative (@byoung2).

I'm the co-founder of Aptible, a HIPAA-compliant PaaS that just went through YC. I'd be really happy to talk to you and help figure out what kinds of resources we could publish, for free, that would help CTOs in your position figure this out. Email is in my profile.

You're absolutely right in that regard. I actually started my company to help out others in a similar situation, but there should be an easier way to go about getting set up initially. Even many small/mid-size medical offices don't know what it takes from a technology perspective to be fully compliant, let alone other startups.

The only reason I have been able to navigate HIPAA/HITECH is because I've worked many years previously as a software engineer and then a senior technology manager for a very large hospital network and dealt with these requirements daily.

If you want a HIPAA-compliant server setup for you: https://www.aptible.com/ (S14)

(Disclosure: I'm a co-founder of Aptible.)

As noted in other comments, most of HIPAA is not technical. Most of the requirements relate to risk assessment, policies, training, incident response, etc.

With that in mind, I'm going to quickly run down all of the major moving parts and then cover some of the technical considerations for setting up a server.

HIPAA has three main rules you need to comply with:

1. The Privacy Rule - Governs the use and disclosure of PHI (protected health information). Applies to all forms of PHI (verbal, written, electronic, etc.).

2. The Security Rule - Governs safeguards for electronic PHI

3. The Breach Notification Rule - Governs your responsibilities during a security or privacy incident

The Security Rule has a general security standard, some documentation/retention rules, and three sections of safeguards. They are:

1. Administrative Safeguards

2. Physical Safeguards

3. Technical Safeguards

Some of the safeguards are mandatory. Some are "addressable," meaning if you don't implement them you must document why you chose not to and what other safeguards you applied instead.

Most likely, you're going to start with something like the following for your servers:

1. Sign a BAA with any service provider who is going to touch PHI for you.

2. Restrict physical and logical server access to authorized individuals. Document how you restrict access and why the methods chosen are reasonable and appropriate given the risk posture of your organization. (There's a LOT packed into this step.)

3. Log all access and data modification events. If you use a logging service that isn't HIPAA-compliant, make sure you're not including PHI data you send them.

4. Encrypt data at rest and in transit, including inside the network perimeter. Document your network topology and access points.

5. Implement backups according to your organization's HIPAA contingency/disaster recovery plan. Document the backup scheme.

A few caveats:

- I haven't addressed application-level security. The same requirements apply, but the implementation differs.

- Your customers will demand additional safeguards that aren't in HIPAA.

At Aptible, we help with all of this, plus all of the other requirements (risk assessment, policies, training, etc.), so you can get a complete handle on your compliance status.

> $3500/month.

> $0.10/Hour Additional App/Database Containers $0.40/GB/Month Additional Storage.

¬°Ay, caramba!

Thanks for at least giving me a source to cite in grant applications!

Where I work at Catalyze, we offer a starting package beginning at $500/mo that includes one database container and one server. Or, if your application only required a secure backend, prices start as cheap as $100/month. We have a calculator here to compare prices: https://catalyze.io/platform-as-a-service/

We've been building applications with both startups and large healthcare organizations like the VA. I'd love to talk with you more to see what your needs are. Feel free to hit me with an email (mark@catalyze.io) with any questions.

Good luck!

Hmmm... 8GB max? That doesn't cut it for the amount of claims data I generally deal with. Any rationale behind that limit?

That's the most that we have on the calculator, but we can help you with whatever your need. Email me (mark@catalyze.io) and we can work with you to meet your infrastructure needs.

This is all great advise. I would just strongly emphasize that HIPAA compliance has significantly more to do with the soft guidelines than meeting technical specifications.

Part of what makes HIPAA compliance challenging from a techies perspective is that there are very few proscriptive rules. A lot of implementation is left up to the provider to provide flexibility but the justification for all those decisions needs to be defensible.

A couple last items I would add: Not only do you need a BAA with any service provider you use you will also need one for any contractor who has access to PHI you are responsible for. As of the latest set of rules this also applies to any subcontractors that your contractors may use.

You will also need named privacy and security officers who are responsible for the overall program and will be the first ones HHS and OCR will ask for should you be audited.

Depending on what function you are providing for HIPAA-covered entities, you may need to also deal with the Transactions and Code Sets rule, though the rules related to PHI are usually all people are aware of.

One should also note that the Breach Notification rule, through its definition of what constitutes unsecured PHI, actually sneaks in technical requirements that entities dealing with PHI probably should treat as near-mandatory for encryption, etc., since, even though they aren't strictly mandatory, significantly impact the likelihood of a reportable breach.

Curious-- do you define a running database system (e.g. MySQL) to contain "data at rest", "data in transit" or neither?

My reading says "neither". Conservative move is "encrypt everything" but curious if others have passed/failed a HIPAA audit with a standard MySQL or SQL Server system (assuming you have individual ID access & logging).

note that state privacy laws, or the use of creidt cards (PCI) will largely require most of this so in broad terms, if you comply with PCI and NY/CA privacy requirements, you pass HIPAA muster.

the rest is really basic good practice for any professional-grade service that is entrusted with customer data

i respect that someone is trying to market a prepackaged solution but i would advise against shortcuts. you (the developer/owner/cto) should take the time to understand your stack from bere metal up, and be able to explain the risks that are real vs academic, the financial impact of attacks or internal employee mistakes/theft, and the real cost and benefits of devops done right.

you owe it to your customers, your shareholders, your employees and yourself to invest the mental energy to really understand the nuances.

otherwise, dont go into health care markets.

(i like to think we take our work as seriously as the best MDs, so would you want your surgeoun taking shortcuts or trying to build a MVP?)

I came to this thread with the intention to say, "Call Chas and Frank at Aptible! They're nice folk with a product that does only exactly what you are asking for."

How are y'all? What's the latest?

Life is good, just hanging out on a Sunday afternoon, geeking out about HIPAA. What could be better? Pretty much normal for us :)

Considering what we know about deployed systems in general, is it likely that current systems actually comply, or are merely privacy disasters waiting to explode?


Thanks for all of your comments so far. Synopsis is...it's complicated. There are basically no straightforward guides and no reliable, tried-and-true open source solutions that can be deployed with minimal security expertise, at least with respect to the technical setup.

Options are to go with a service company like Aptible or TrueVault, or fumble through vast amounts of obtuse technical and legal documentation, then hire a security expert to audit your homemade system and hope that everything goes OK. Both options, as they currently exist, require a fair amount of $$$.

Isn't "no solutions that can be deployed with minimal security expertise" just about the whole point of this compliance?

If you have minimal security expertise, then you're supposed to be treated as noncompliant. There are two valid options: have the security expertise (and be prepared to legally vouch for it that you have, and get insurance for cases if it turns out that your expertise wan't enough), or get the security expertise from someone else. Oh, and the third option is to stop handling any sensitive data at all if you aren't equipped to handle it.

The reason why HIPAA (and similar compliance issues in other domains) exist is to try to eliminate what you're proposing. Random companies with minimal security expertise shouldn't be handling such data themselves, period.

This, +1000: 'Isn't "no solutions that can be deployed with minimal security expertise" just about the whole point of this compliance?'

If you aren't a trained, competent security analyst/engineer (or working with one) then don't accept sensitive information. PHI, credit card numbers, even contact lists: all of these are considered "sensitive" for a reason, and you are being reckless in the extreme if you accept them from your customers without the proper protections in place.

I have seen and even been responsible for (many years ago) the implementation of some horrifyingly bad "security controls" by people who simply didn't understand the field.

It's not just crypto, or disabling root logins via SSH, or preventing XSS on your web forms; you need to plan for a multitude of possible attack vectors, internal and external. Many of those aren't likely to be intuitive without some real training and exposure to best practices.

I'd just have someone else do it for me. There are many "enterprise" level hosting companies that can help you with that.

I believe that rackspace has a pretty program around compliance.


training-hipaa.net provides Server Disaster Recovery Plan Template which is the part of HIPAA Compliance.

This Server Recovery Plan documents the strategies, personnel, procedures and resources necessary to recover the server following any type of short or long term disruption. You can find more information about this over here http://www.training-hipaa.net/template_suite/Server_recovery...

If you are trying to set up a service for processing or storing PHI, you may be interested in DNAnexus (https://dnanexus.com/), which focuses on compliant high throughput data analysis and storage for genome information, but can be used to store other types of PHI data. (Full disclosure, I work at DNAnexus). Email in profile if you want to go into specifics.

Cool! I had not heard of dnanexus before. Looking forward to checking it out.

Here is some info about doing it on AWS


We have been very pleased with the True Vault solution and the responsiveness of the team when needed, worth looking into for your needs.

One missing point in this thread: there is no such thing as HIPAA compliant. There is no government organization that will sanction your set up as "compliant". The HIPAA legislation imposes fines if you leak data, but does not prescribe how you prevent that.

That said, the thread does have some great safe guards and industry best practices you should look at.

(Disclosure: I work at FireHost, not in sales!)

We sell cloud but focused on security, compliance, and performance. Check us out.


@voska "Starting at $3499/month with an annual contract" -- Seems like security experience comes at a price... That said, it's worth taking every precaution to protect patient data.

We have audited HIPAA compliant hosting, at a reasonable price:


As a potential customer, I want to let you know that you really should fix all the typos and the like on your website. It really gives a poor first impression when I see things like:

    * 5 X VPN's (no apostrophe needed; what does this even mean?)
    * 1 Dedicated IP Addresse
    * Header/footer links open in a new tab.
    * Some numbers are listed as 800, some as 1-800.
    * Data center addresses have a comma at the end of the first line. That's not how US addresses are written.
    * Headquarters address is all on one line.
All of these indicate, in my mind, a lack of attention to detail. This is absolutely the last thing I'd want in my compliance provider. (More charitably, it probably indicates a lack of familiarity with either English or certain US conventions, which is I'd forgive in some vendors, but not when it comes to HIPAA compliance.)

Please don't go and fix the specific things I listed and think you're done. You need to significantly rethink the impression you're giving.

I hope you point out to your customers that compliance is a lot more than just a hosting account. Everything from specifications of the design of your office network to policies for employees talking while on smoke breaks.

Agreed. Anyone that you choose for HIPAA-compliant hosting should be able to outline their policies. Where I work at Catalyze, ours are here:

https://catalyze.io/hipaa/ https://catalyze.io/policy/

And we've gone through a HITRUST audit to validate these claims:


We used to use a hosting company Layered Tech that had a HIPPA compliant offering. If you need HIPPA compoanxe I suggest getting it as a managed service.

If one big customer is demanding you be HIPAA compliant then they probably want to see a certification, and depending on size of customer they may be willing to provide funding for that certification. It takes months but the certifying service will provide consulting and training. Essentially it all about tight access controls, encrypting data at rest, and documenting everything and everyone who has access to the internals.

There is no such thing as a HIPAA certification.

correct but hospitals and other buyers dont seem to know that and some do insist on "certification"....you can try to convince them but in my first hand experience the (uninformed, misinformed) customer is always right so you do have to provide something that claims to be a "certified" solition...typically by providing an outside audit report

Microsoft biztalk server has strong HIPAA connector/accelerator, just have a look overthere.

It's not an easy process .

Check out TrueVault - HIPAA-compliant data store that is a YC grad.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact