

Ask HN: Guide for HIPAA Requirements? - msencenb

I may be joining a medical-related startup and was wondering if there are any good guidelines on how to become HIPAA compliant? I've read the AWS whitepaper about being compliant on their servers... but it wasn't terribly concrete and is two years old.

Also, I would appreciate recommendations for where to host a HIPAA-compliant web app as well... AWS? Something else?

Thanks!
======
olefoo
The standards you will probably care about the most are known as HL-7
<http://en.wikipedia.org/wiki/Health_Level_7>

HIPAA-compliant web hosting can be had, but it's outrageously expensive
compared to what you're used to, and the quality of the providers can vary.

Amazon has recently begun offering server-side encryption of data in S3
(http://aws.typepad.com/aws/2011/10/new-amazon-s3-server-side-encryption.html),
which means that you can use it for storing PII at rest and be compliant.

Whatever you do, don't do a half-assed implementation that complies with the
letter of the spec but ignores the spirit of it; health care information deals
with people's lives.
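Opting in to S3 server-side encryption on each upload is only half the job: any client that forgets the `x-amz-server-side-encryption` header still writes plaintext. The usual fix is a bucket policy that denies `PutObject` unless SSE-S3 (`AES256`) is requested. The block below is an added example, not code from the thread or from AWS; the bucket name is a placeholder, and `put_is_denied` is a deliberately small model of how the two IAM condition operators (`StringNotEquals` and `Null`) behave on a request, written so the policy can be checked offline. Two statements are needed because `StringNotEquals` does not match when the header is absent altogether; the `Null` statement covers that case.

```python
import json

BUCKET = "example-phi-bucket"  # placeholder bucket name (assumption, not a real bucket)
ENCRYPTION_HEADER = "x-amz-server-side-encryption"
REQUIRED_SSE = "AES256"  # SSE-S3, the option the comment above refers to


def deny_unencrypted_puts_policy(bucket: str) -> dict:
    """Bucket policy: reject any PutObject that does not request SSE-S3.

    Statement 1 fires when the header is present with the wrong value.
    Statement 2 fires when the header is missing entirely (StringNotEquals
    alone would let such a request through).
    """
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    key = f"s3:{ENCRYPTION_HEADER}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWrongEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {key: REQUIRED_SSE}},
            },
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {key: "true"}},
            },
        ],
    }


def policy_json(bucket: str) -> str:
    """The policy document as you would pass it to put-bucket-policy."""
    return json.dumps(deny_unencrypted_puts_policy(bucket), indent=2)


def put_is_denied(policy: dict, request_headers: dict) -> tuple:
    """Simplified evaluator (assumption: only the two operators used above).

    Returns (denied, sid). Header names are compared case-insensitively,
    as HTTP headers are.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    value = headers.get(ENCRYPTION_HEADER)
    key = f"s3:{ENCRYPTION_HEADER}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        # Null: true  -> matches when the key is absent from the request
        if "Null" in cond and cond["Null"].get(key) == "true" and value is None:
            return True, stmt["Sid"]
        # StringNotEquals -> matches only when the key is present and differs
        if "StringNotEquals" in cond and value is not None:
            if value != cond["StringNotEquals"][key]:
                return True, stmt["Sid"]
    return False, None


def sse_upload_headers() -> dict:
    """Headers a compliant client must send with every PUT."""
    return {ENCRYPTION_HEADER: REQUIRED_SSE}


if __name__ == "__main__":
    policy = deny_unencrypted_puts_policy(BUCKET)
    print(policy_json(BUCKET))
    # constructed sample requests: a forgetful client, a wrong value, a correct one
    for hdrs in ({}, {"X-Amz-Server-Side-Encryption": "none"}, sse_upload_headers()):
        print(hdrs, "->", put_is_denied(policy, hdrs))
```

Apply the policy with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json` and then verify by attempting an unencrypted PUT, which should fail with AccessDenied; the evaluator here is only a model for reasoning about the two statements, not a substitute for that test against the real bucket.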

