

BAA Signing for HIPAA Compliance




Posted by rcaseybw, 01-20-2017, 06:49 PM
Hi folks, just wondering if anyone can recommend a dedicated server provider on the US west coast that provides BAA signing for our own HIPAA compliance? TIA

Posted by Alec, 01-20-2017, 11:46 PM
Outside of HIPAA compliance, do you have any specific requirements for the server? Hardware, licensing, managed services, off-site backups, VPN, etc?

Posted by gone-afk, 01-20-2017, 11:56 PM
Rackspace: https://www.rackspace.com/information/legal/hipaabaa They have data centers in Chicago, Dallas, Northern Virginia, London, Hong Kong and Sydney.

Posted by Alec, 01-21-2017, 12:00 AM
OP has specific location requirements.

Posted by rcaseybw, 01-21-2017, 01:49 PM
We do have some specific requirements for hardware (e.g. HBA card with LSI 2308 chipset on storage nodes) and networking (/26 or /27 public range and minimum gigabit LAN). Last edited by Postbox; 01-21-2017 at 02:48 PM.

Posted by Alec, 01-21-2017, 04:30 PM
Those requirements shouldn't be an issue with any providers that specialize in compliance. I was looking more for things like: a trusted platform module (TPM), self-encrypting drives, specific hardware firewalls, or whether you need to obtain certificates of destruction for decommissioned storage media used for PHI (crypto-erase is usually satisfactory, when available). These types of specific details are helpful to make sure potential providers understand your needs, and so you are aware of some of the more specific options.

Posted by rcaseybw, 01-23-2017, 01:21 PM
Certificates of destruction for decommissioned storage media would be required but that would probably be it in terms of any of the other options you had set out.

Posted by hiabhilash, 01-26-2017, 08:26 AM
Why don't you use AWS dedicated instances? They have been HIPAA compliant since 2009 or so and are trusted by many hospitals. The blog post detailing the FAQs would be helpful in setting up your servers w.r.t. HIPAA compliance. https://aws.amazon.com/about-aws/wha...tepaper-hipaa/ https://aws.amazon.com/compliance/hipaa-compliance/ There is a FAQ towards the end of the page.

Posted by Alec, 01-26-2017, 09:27 AM
The dedicated per-region fee of $2/hr is approximately $1,460/mo PER REGION, before the cost of the Dedicated Instance(s).

Posted by hiabhilash, 01-27-2017, 02:43 AM
I agree with you on the cost aspect @Alec. Based on my very little experience, those who are looking for HIPAA compliance hardly look at the $$ involved. I knew AWS has a West Coast region (Oregon); for the others, I was too lazy to go through each of them to see where the DCs are. And they had a requirement for a dedicated instance/server also. Except for the managed RDS SQL service, they have HIPAA compliance for all the major services one may need in the cloud. @rcaseybw I got these two URLs by Googling, but couldn't find who gives it in CA/WA/OR. All I could find was VMRacks, having their DC in San Diego. http://arkenea.com/blog/top-hipaa-co...sting-servers/ https://www.hipaahq.com/hipaa-compli...ting-providers

Posted by NortheBridge, 01-27-2017, 03:27 AM
That's where I have to say "ouch", but if you're running a HIPAA-compliant company you have to understand that the compliance measures taken do cost time and money. Even so, I didn't even know AWS charged that per-region fee for HIPAA. Aside from the fees associated with certification of copies of particular documents and sending them to Amazon, AWS doesn't charge a fee to access and use the AWS Gov. Cloud. I know Rackspace does HIPAA, but does Microsoft? I know Microsoft has a "Gov. Cloud" of their own also, and government-compliant infrastructure for nearly all of their cloud services, but I'm not sure if Azure has HIPAA. I know Office 365 Enterprise and related features have a HIPAA option, but I can't speak to the process as we've only done the government processes.

Posted by XavierM, 01-27-2017, 01:20 PM
HIPAA inherently requires qualifying hardware and network infrastructure, not just for the server you provide. You would need to inquire with the provider.

Posted by Alec, 01-27-2017, 05:45 PM
Agreed. I'm just saying AWS really isn't the best option for one HIPAA compliant dedicated server, it's more than it needs to be, and the OP mentioned specific hardware requirements.

Posted by dash-jacob, 02-12-2017, 05:50 PM
Hi OP, I thought I would share a couple of thoughts. As others have mentioned, you could go the AWS route, but that requires the $2 per hour dedicated per-region fee (~$1,400). If you are looking to manage your own servers, storage, and environment, you may want to consider Google Cloud. They have a list of services that are covered under BAA, at a lower price. I don't know what your tech needs are, but you could launch virtual machines (VMs) on Google Cloud and scale out from there. If you don't need to manage your own environment, maybe consider looking at the HIPAA-compliant backends and datastore services that are out there. Last edited by anon-e-mouse; 02-12-2017 at 06:18 PM.

Posted by funkywizard, 02-20-2017, 06:06 PM
Not all BAA agreements are the same. It's a contract where the customer tries to shift as much liability as they can to their vendors, and the vendors try to modify it to do the opposite. There is no "standard BAA". My understanding is the Amazon BAA doesn't cover much: it should meet a company's legal requirement to have their vendors sign a BAA, but doesn't put Amazon on the hook for much that a BAA normally guarantees. In that light, it seems like a poor value given the extraordinarily high fees. Someone else mentioned Google; they are at least willing to publish their BAA agreement, so you can decide if it works for you before chasing down their salespeople. The terms in the Google agreement looked fairly reasonable for both parties, provided you can limit yourself to the services they are willing to cover with it. Good luck on the search, it's a tough topic!


