Because we've recently built a secure cloud storage backup for the Insight Notes iPad app, we thought it might be useful to lift the curtain and let our users see what happens behind the scenes. It is unfortunate but true: it is expensive to provide storage and security in a way that meets HIPAA standards. To our knowledge, no one provides it for free.* Here's why:
For vendors such as Insight Notes, it costs about 4-5X as much to provide the type of infrastructure that is required for HIPAA compliance. If you've done comparison shopping for the various cloud storage providers, you have probably noticed that when companies have both regular and HIPAA-compliant (i.e., they will sign a business associate agreement) storage products, the HIPAA-compliant storage products are often 4-5X as expensive as the basic non-HIPAA-compliant option. This is due to a number of factors.
When we first tested the server infrastructure for Insight Notes, we did so on an ordinary cloud server and we had access to highly elastic resources; we could use as much or as little memory, storage, and bandwidth as we needed on a per-minute basis. It was so inexpensive, in fact, that we could have provided the storage and data transmission for free or at a negligible cost. The problem with this, however, was that it would not have been HIPAA-compliant. This was because the same characteristics that allowed for elastic use and per-minute pricing also made HIPAA compliance problematic. When we moved from our testing servers to our production servers, we had to move off of the public cloud and onto a separate, private cloud solution.
By way of an oversimplified analogy: elastic use and functionality are a bit like having a rental car. If you don't use your car all the time, it is very inexpensive to pay for the car only when you are using it. But this also means that a lot of people potentially get to use the car, which in turn raises some security considerations. They might have different destinations, but what is done with the car when you aren't using it, and the fact that you don't have ultimate control over the car, could make your life more complicated. This is clearly an oversimplification, but the take-home message is that the cloud computing elasticity that is a boon to many regular tech companies doesn't translate as well for HIPAA-compliant tech companies, because one of the hallmarks of HIPAA is strict access controls.
In terms of driving cost, the efficiency of computing resources is the most important factor. Ordinary cloud storage providers provide a tremendous amount of storage and on-demand computing, much of it for a very low cost. Hosting companies purchase massive amounts of bulk storage and utilize software to automatically subdivide and dynamically reallocate computing time in the most efficient way possible. In the public cloud, everyone's data might be separate, but the access to the data is controlled via on-demand computing resources that large numbers of users (or companies) share. Everyone shares processing resources, memory, bandwidth, etc. It is incredibly efficient and there is very little waste.
HIPAA-compliant storage, on the other hand, can't benefit from those same economies of scale or those shared resources. In fact, in some cases sharing resources and access controls with non-affiliated entities would be illegal. We can't leverage the same massive networks of shared computing resources that are used to service all of your other low-cost/free cloud applications. Thus, HIPAA-compliant providers usually have to pay for their own dedicated computing infrastructure with strict access controls. It costs more to get started and it costs more to run - often as much as 4-5X more. To protect user data and maintain strict control, we need our own infrastructure, which includes firewalls, monitoring, transmission, security, backup, liability coverage, etc. When you add all these things up, it turns out to cost quite a bit. So much, in fact, that it's impossible to give away.