Are your Paid Dedicated SSL certificates HIPAA compliant?

Hi, I am currently in the process of moving a company's website from a paid service (e.g. Wix or GoDaddy Site Builder) to their own hosting plan and will be developing/managing the site myself. One of the requirements is that they stay HIPAA compliant by having the correct encryption certificate installed. Now I am assuming the "Free SSL" provided by InMotion doesn't have the right amount of encryption/security, but can you confirm that your "paid" dedicated SSL certificates meet HIPAA compliance? The only data that requires HIPAA on the WordPress site is a plugin called "Practice Forms" that sends over updated/current patient information. Thank you in advance.

JT S.
Quote from Roland

You can set the SSL version settings on a VPS or Dedicated Hosting plan via WebHost Manager (WHM) > Mailserver configuration. You can use online tools such as SSL Labs for testing your current SSL configuration. HIPAA compliance seems to mainly require having an SSL - domain or extended validation. But again, we're not subject matter experts on this topic.

Roland
Quote from JT S.

Hi, thank you for your quick response. I did look through some of the attached links you mentioned. I will also forward over our convo to my admins who have the proper contacts for HIPAA validation.

I do have one more question though: do you know the versions of your "free" and "dedicated (paid)" certificates? One of the articles mentions this below:

  • SSL v2 and v3 must never be used,
  • TLS v1.0+ is okay.
    • Support TLS 1.0, 1.1, and 1.2+
    • Use all of the non-DES ciphers from BOTH the NIST 800-52r1 and 800-52r2 lists

Also, the article goes on to state that PCI compliance for credit transactions is more strict, so if you know that one of the certificates you offer is PCI compliant, that should be good enough for use.

Thank you again.

- Roland
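A note on the version question in the post above: the protocol versions and cipher suites in that list are properties of the web server's TLS configuration (the WHM setting JT S. refers to), not of the certificate. A domain-validated certificate and an extended-validation certificate are both served over whatever protocol versions and ciphers the server is configured to offer. The script below is an added example, not code from this thread or from InMotion Hosting. It parses an Apache mod_ssl configuration fragment, expands the cipher string with the local OpenSSL through Python's ssl module (no network needed), and checks the two rules quoted above that can be checked mechanically: SSLv2/SSLv3 must be off, and no DES or 3DES suite may be enabled. It does not implement the NIST 800-52 cipher lists. Both configuration fragments are constructed for illustration; the hardened one also drops TLS 1.0 and 1.1, which goes further than the quoted "TLS v1.0+ is okay" rule.

```python
import re
import ssl

# Constructed Apache mod_ssl fragments for illustration (not from the thread):
# a weak setting beside a hardened one.
WEAK_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!eNULL
"""

HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5
"""

# Canonical protocol names, keyed case-insensitively as mod_ssl matches them.
# "all" expands to SSLv3 and later; SSLv2 is accepted only as an explicit token
# so that old "-SSLv2" lines still parse.
PROTOCOLS = {p.lower(): p for p in
             ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
ALL_EXPANDS_TO = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
NEVER_ALLOWED = {"SSLv2", "SSLv3"}     # the "must never be used" rule


def enabled_protocols(config):
    """Expand the SSLProtocol directive into the set of enabled versions.
    Tokens are 'all' or a protocol name, optionally prefixed with '+' or '-'."""
    match = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", config, re.M | re.I)
    if not match:
        return set(ALL_EXPANDS_TO)   # mod_ssl default when the directive is absent
    enabled = set()
    for token in match.group(1).split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(ALL_EXPANDS_TO)
        elif token.lower() in PROTOCOLS:
            names = {PROTOCOLS[token.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: " + token)
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def cipher_string(config):
    """Return the SSLCipherSuite string, or OpenSSL's DEFAULT when absent."""
    match = re.search(r'^\s*SSLCipherSuite\s+"?([^"\s]+)"?', config, re.M | re.I)
    return match.group(1) if match else "DEFAULT"


def des_ciphers(ciphers):
    """Expand an OpenSSL cipher string with the local OpenSSL and return the
    DES/3DES suite names it still enables; ideally an empty list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(ciphers)
    except ssl.SSLError:
        raise ValueError("cipher string matches no suites: " + ciphers)
    return sorted(c["name"] for c in ctx.get_ciphers() if "DES" in c["name"])


def audit(config):
    """Check one configuration against the quoted rules: no SSLv2/SSLv3 and no
    DES-based cipher suites. Returns the enabled versions and a list of findings."""
    protocols = enabled_protocols(config)
    findings = [p + " is enabled but must never be used"
                for p in sorted(protocols & NEVER_ALLOWED)]
    des = des_ciphers(cipher_string(config))
    if des:
        findings.append("DES-based suites enabled: " + ", ".join(des))
    return {"protocols": sorted(protocols), "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(label, result["protocols"], result["findings"] or "no findings")
```

The cipher expansion uses whatever OpenSSL the local Python is linked against, so a string that looks clean here can still enable a DES suite on a server built against a different OpenSSL. That is why an external scan of the live host, such as the SSL Labs test JT S. suggests, remains the authoritative check; this script is for catching mistakes in the configuration before it is deployed.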

JT S.

Hello and thanks for contacting us. Our Free AutoSSL is domain-validated. However, for the latest information regarding requirements for an SSL, I recommend asking your points of contact for checking HIPAA compliance and referencing reputable websites covering the topic such as LuxSci. You can also check our HIPAA server thread.

I'll ask around and update you if I find a better answer. Also, email our Live Support for further information.