
What level of encryption does Mac OSX Server use? Is it HIPAA-compliant?

I'd like to set up a network in my private practice and need it to be HIPAA-compliant. It is needed for file sharing (primarily), but also for calendar/contact services, and VPN (remote access). Does anyone know the level of encryption? Also, would it suit my needs?


Can computers other than Macs utilize these services?

Do they need to be running a recent OS?

OS X Server

Posted on Jul 10, 2013 6:11 AM

4 replies

Jul 10, 2013 10:09 AM in response to DrMikeG

There is no such identifiable thing as "HIPAA compliant encryption" AFAIK, there is only what is considered best-practices, and that's an entirely locally-mandated discussion, and it's a moving target particularly with encryption.


This usually involves a discussion with somebody that specializes in regulatory compliance — the consultant or auditor that Linc Davis mentions would be an example — and what's then selected and approved by your regulatory compliance and lawsuit-avoidance folks (involving your "security official", whoever that may be), and usually what's recommended by an external entity with sufficient insurance coverage that's been formally retained in the organizational "backside covering" or "risk shifting" role.


Here's a summary of the regulations, and here are (some of) the specific details of the requirements.


Not running a current version of OS X in this particular context does seem ill-advised, however. While Best Practices is inherently a moving target, older software versions will not likely be considered Best Practice. Older versions tend to have errors and older encryption implementations, and these can be fixed or updated or replaced in newer versions, after all.


I'd tend to assume that FileVault2 or equivalent will be minimal here (particularly for mobile devices and to reduce the risk of data exposure due to wholesale device theft), though the access auditing and related is going to be central to the discussion. You may well want and will probably need to encrypt specific data, but you're definitely going to need accountability and auditing and access control atop the encryption.


Linc Davis is correct. Engage a specialist here.

Jul 12, 2013 6:47 PM in response to MrHoffman

I work on a HIPAA project. Encryption level is not the sticking point. Retention of records in what format for how long is HIPAA. Decisions about what specific data can identify a person (SSN, date of birth, doctor's name, hair color, TV shows they watch ...) is HIPAA.


My project has one person whose sole job is to tell us what is or is not HIPAA compliant in communications and types of data we show without encryption.


Hire a consultant. Federal fines north of $10k per violation and federal sentences of 10+ years accompany violations sometimes.
