HIPAA Compliant Servers? Don't rush to answer.
I've seen questions about *certified* HIPAA compliant servers posted
from 2012 and from 2017. The fact is, there is no such animal as a
"certified HIPAA compliant server." Nothing is *certified* HIPAA
compliant. You can ACHIEVE compliance by meeting specific criteria:
1. An entity (Ex: inmotionhosting.com) must be willing to sign a Business Associate Agreement (BAA) agreeing to protect (not disclose) your data, notify of breaches, limit access of data to people who have a right to that data, etc. This could typically be a 2-3 page document, and for the most part it's really common-sense stuff. Even your janitorial staff signs a BAA with you.
2. Data in motion is encrypted (https).
3. Data at rest (sitting on a hard drive) should be encrypted. HIPAA requires that healthcare organizations use data encryption technology for Protected Health Information (PHI). However, the law does not specify which types of protection to use in order to accomplish this task. Since HIPAA requires that you take steps to secure patients’ privacy—in particular PHI—organizations that experience a data breach run the risk of significant penalties under HIPAA. The most obvious and straightforward way to protect against unauthorized access of PHI is encryption for data at rest.
While it would be best if inmotionhosting.com employees have no access at all to encrypted data, the Business Associate Agreement covers their *appropriate* access.
4. Data audit logs. Who touched your data? When? For what purpose?
So, my question is two part: Is Inmotionhosting willing to sign a Business Associate Agreement? Do they have options to use encrypted transfer of data (https), provide encryption for data at rest, and provide audit logs for my information?
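Item 4 above asks for audit logs that answer "who touched the data, when, and for what purpose." The following is an added illustration, written for this page and not part of the original post or of any InMotion Hosting product, of what such a log can look like when it is also tamper-evident: each PHI access produces a record carrying the actor, timestamp, record id and stated purpose, chained to the previous record by an HMAC so that editing or deleting an entry after the fact is detectable. The audit key, actor names, record ids and timestamps are all constructed sample values; a real deployment would keep the key in a secrets manager and the log on append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key: in a real system this comes from a KMS/secret store,
# never from source code.
AUDIT_KEY = b"constructed-demo-audit-key"

# Digest of "no previous entry"; the first record chains to this value.
GENESIS = "0" * 64


def _canonical(entry):
    """Serialize an entry deterministically (sorted keys, no whitespace)."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def make_entry(prev_mac, actor, action, record_id, purpose, when=None):
    """Build one audit record answering who / when / what / why, chained to prev_mac."""
    when = when or datetime.now(timezone.utc).isoformat()
    entry = {
        "ts": when,            # when
        "actor": actor,        # who
        "action": action,      # what (read, update, export ...)
        "record": record_id,   # which PHI record
        "purpose": purpose,    # for what purpose
        "prev": prev_mac,      # link to the previous entry
    }
    # The MAC covers every field above, including the link to the previous entry.
    entry["mac"] = hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def append(log, actor, action, record_id, purpose, when=None):
    """Append a new chained record to an in-memory log (a list of entries)."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append(make_entry(prev, actor, action, record_id, purpose, when))
    return log[-1]


def verify(log):
    """Return (True, n) if all n entries are intact, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return (False, i)              # broken chain: an entry was removed or reordered
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return (False, i)              # field edited after the fact
        prev = entry["mac"]
    return (True, len(log))


def accesses_to(log, record_id):
    """Answer 'who touched this record, when and why?' for one PHI record."""
    return [(e["ts"], e["actor"], e["action"], e["purpose"])
            for e in log if e["record"] == record_id]


def build_sample_log():
    """Constructed sample activity with fixed timestamps so results are reproducible."""
    log = []
    append(log, "dr.alice", "read", "patient-1001", "treatment", "2024-01-05T09:00:00+00:00")
    append(log, "billing.bob", "read", "patient-1001", "payment", "2024-01-05T09:15:00+00:00")
    append(log, "dr.alice", "update", "patient-2002", "treatment", "2024-01-05T10:30:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))
    print("who touched patient-1001:", accesses_to(log, "patient-1001"))
    log[1]["purpose"] = "research"      # simulate an after-the-fact edit
    print("after tampering:", verify(log))
```

The chain only detects tampering; it does not prevent it, which is why the log belongs on storage the application account cannot rewrite and why the key must not be available to whoever can edit the log. A hosting provider's own audit facility may look different, but it should let you answer the same three questions for any PHI record.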