4 Replies Latest reply: Jul 12, 2013 6:47 PM by steve359
DrMikeG Level 1 Level 1 (0 points)

I'd like to setup a network in my private practice and need it to be HIPAA-compliant. It is needed for filesharing (primarily), but also for calendar/contact services, and VPN (remote access). Does anyone know the level of encryption? Also, would it suit my needs?


Can computers other than Macs utilize these services?

Do they need to be running a recent OS?

OS X Server
  • Linc Davis Level 10 Level 10 (178,350 points)

    HIPAA compliance is a very complex subject, and you're not going to find a simple answer here or anywhere else. Some features of OS X may be compliant, depending on how they're used, and some certainly are not. So you need to verify a complete workflow for patient data. That's a job for a consultant, in my view.

  • MrHoffman Level 6 Level 6 (13,570 points)

    There is no such identifiable thing as "HIPAA compliant encryption" AFAIK, there is only what is considered best-practices, and that's an entirely locally-mandated discussion, and it's a moving target particularly with encryption.


    This usually involves a discussion with somebody that specializes in regulatory compliance — the consultant or auditor that Linc Davis mentions would be an example — and what's then selected and approved by your regulatory compliance and lawsuit-avoidance folks (involving your "security official", whoever that may be), and usually what's recommended by an external entity with sufficient insurance coverage that's been formally retained in the organizational "backside covering" or "risk shifting" role.


    Here's a summary of the regulations, and here are (some of) the specific details of the requirements.


    Not running a current version of OS X in this particular context does seem ill-advised, however.  While Best Practices is inherently a moving target, older software versions will not likely be considered Best Practice.   Older versions tend to have errors and older encryption implementations, and these can be fixed or updated or replaced in newer versions, after all.


    I'd tend to assume that FileVault2 or equivalent will be minimal here (particularly for mobile devices and to reduce the risk of data exposure due to wholesale device theft), though the access auditing and related is going to be central to the discussion.   You may well want and will probably need to encrypt specific data, but you're definitely going to need accountability and auditing and access control atop the encryption.


    Linc Davis is correct.  Engage a specialist here.

  • rccharles Level 5 Level 5 (6,825 points)

    Mac OS X include Windows files sharing. 


    blue apple > System Preferences... > Sharing



    Best practices for security.

    http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operatin g_systems.shtml

  • steve359 Level 6 Level 6 (12,330 points)

    I work on a HIPAA project.  Encryption level is not the sticking point.  Retention of records in what format for how long is HIPAA.  Decisions about what specific data can identify a person (SSN, date of birth, doctor's name, hair colr, TV shows they watch ...) is HIPAA.


    My project has one person whose sole job is to tell us what is or is not HIPAA compliant in communications and types of data we show without encryption.


    Hire a consultant.  Federal fines north of $10k per violation and federal sentences of 10+ years accompany violations sometimes.