by snuxoll 2631 days ago
> I'd have to adopt a whole bunch of infrastructure above and beyond the couple of semi-managed VPSs I have now, not to mention paperwork and self-audits and so forth. (Or at least that's my understanding.)

HIPAA isn't that complex; the hard part with cloud hosting is the need to find somebody who is willing to sign a BAA with you since (contrary to the argument of some) they are, in fact, business associates if you are storing or processing any ePHI through their services. DigitalOcean can't seem to figure their shit out; Linode appears to have everything in place based on their compliance page, but they don't have any detail on a BAA (so contact support, I guess). The big cloud providers like Azure, AWS and Google are willing to work with you on this; you just don't get the nice cheap servers like you do with DigitalOcean/Linode/Vultr/etc.

This is actually the most infuriating part: hosting providers should all have the bare minimum to operate as a business associate in place if they want you to trust them with any commercial workload in general - auditing, access control and breach notification. Yet so many don't want to sign a BAA, because compliance/legal has no idea what it actually entails, I guess. PCI has a more rigid technical standard than HIPAA, for fuck's sake.

All of the regulatory stuff beyond that is pretty easy, and most of the framework is rough guidelines instead of "you must do X". You need to have access control and auditing in place, properly secure your systems, and deal with the breach notification rules in the (hopefully unlikely) event that you detect an intrusion or accidental exposure.

People make way too big of a deal about HIPAA compliance; it's not some certification you must obtain or a huge audited ordeal. Just don't take this to mean you can be lazy: you don't fuck around with PHI, because CMS will come and smack you upside the head.


I agree that some folks often exaggerate the danger in HIPAA, especially for someone like OP with a relatively small operation. But for companies with larger operations and reach, it's definitely a non-trivial problem. Our relatively small organization has two people dedicated to compliance (and plenty of ancillary support) and goes through hundreds of audits a year. Not having a locked-down, well-thought-out solution, both technical and operational, can really put growth at risk in healthcare. Of course, that's not "HIPAA compliance", but it is "what it takes to reach scale in healthcare".

> But, for companies with larger operations and reach it's definitely a non-trivial problem.

The more hands you have touching any given system, the more the work required to ensure compliance in any regulated industry increases; that's certainly a given.

Technical compliance is the easy part, in all honesty; all of the human elements (policy, procedure) require constant attention and are the majority of what our compliance and QA teams deal with. This is the hardest thing to deal with, and it's not even just "don't expose PHI" but making sure you have everything just the way a certain insurance company likes things, that a chart has supporting documentation for a specific procedure, etc. Makes me glad I only have to deal with our applications and the systems they run on; props to the compliance team for all the headaches they have to deal with.