On 2016-06-17 14:09, Paul Jungwirth wrote:
> On 06/17/2016 03:03 AM, Alex John wrote:
>> RDS is a prime candidate except for the fact that they have explicitly
>> stated that the Postgres engine is *not* HIPAA compliant.
>
> More precisely, it is not covered by the BAA Amazon will sign.
>
> I've helped several companies run HIPAA-compliant Postgres on regular
> EC2 instances (which *are* covered by your BAA, as long as they are
> dedicated instances---which do cost more). So you just have to do some
> of the server work yourself. If you are making the rest of your app
> HIPAA-compliant anyway, it shouldn't add a large burden to do Postgres
> that way too. Make sure your access rules are good, use SSL for the
> connections, put it on an encrypted disk (easy these days with encrypted
> EBS volumes), etc.
>
> Slightly more effort but still very doable is handling requirements for
> auditing accesses and changes. How you do this probably depends on the
> rest of your stack.
>
> Yours,
> Paul
>
This is what we do, we have dedicated EC2 instances for PostgreSQL
storing PHI. From my point of view, it's the same as any other server
running Linux (I can SSH in, or tunnel my DB connection). To be honest
I'd rather have it this way than deal with the RDS interface.
Try to avoid those HIPAA compliance meetings though, they are terrible
and long.
-- Stephen