When choosing a HIPAA hosting plan, the difference in price between providers (and different plans offered by the same provider) is often driven by the features offered in that hosting environment. Not every hosting environment is the same. In fact, no two are exactly alike. Aside from the absolute minimum amenities required by HIPAA, every host is obliged to offer a variety of options to fit a variety of implementations.
For instance, HIPAA requires that logs are kept and rotated with regularity, and that passwords and certificates are frequently changed. In an entry-level solution, these requirements would be met, but perhaps the onus would be on the customer rather than the provider to implement them. In the instance where logs were not rotated frequently enough, or it were cumbersome to frequently change passwords, the covered entity would be liable, not the hosting provider.
However, at scale, it is sometimes worthwhile to purchase a higher tier of HIPAA hosting. Certain technical aspects of hosting, such as intrusion detection, OS updates, or manual firewall rules are something that a covered entity can do themselves, but are available as “managed services” at a higher level of hosting. In this case, the hosting provider is taking responsibility for these aspects of adhering to HIPAA Compliance. Obviously, this is a greater responsibility in terms of time and liability, so with managed services, the cost of the hosting increases rapidly. It is often possible to purchase certain services as managed and handle the rest of them by oneself.
In addition to the differences in services, the differences in HIPAA hosting plans are derived from the resource usage that the server or virtual machine (VM) is provisioned for. For example, paying for a low-level plan often means that one will have a diminished amount of RAM, CPU, or disk space. For this aspect, it often pays to pinch pennies. Many professionals think of “more is more” when it comes to a machine’s resources. In many cases, the bottleneck in a workflow is not caused by RAM or CPU, but external factors. Purchasing the minimum amount of RAM/CPU/Bandwidth initially is a great cost-saving measure that will not have any noticeable influence on user-experience. If doing so does have such an effect, it is possible to simply upgrade one’s plan or resources. Starting from the bottom and ratcheting up gradually is a smart choice in all hosting scenarios, and HIPAA hosting is no different.
When it comes to choosing a HIPAA hosting plan, it is important to figure out what services will need to be handled internally, and which can be purchased as managed services. In the early days of a startup, time is often at a premium, especially as manpower is minimal. Managed services are a great way to push the burden of HIPAA Compliance onto a skilled professional when the time or manpower is not available to handle these types of responsibilities.