Re: PostgresSQL and HIPAA compliance

From Paul Jungwirth
Subject Re: PostgresSQL and HIPAA compliance
Msg-id 57643CD8.30804@illuminatedcomputing.com
In response to PostgresSQL and HIPAA compliance  (Alex John <alex.john@holmusk.com>)
Responses Re: PostgresSQL and HIPAA compliance  (Stephen Cook <sclists@gmail.com>)
List pgsql-general
On 06/17/2016 03:03 AM, Alex John wrote:
> RDS is a prime candidate except for the fact that they have explicitly
> stated that the Postgres engine is *not* HIPAA compliant.

More precisely, it is not covered by the BAA Amazon will sign.

I've helped several companies run HIPAA-compliant Postgres on regular
EC2 instances (which *are* covered by your BAA, as long as they are
dedicated instances---which do cost more). So you just have to do some
of the server work yourself. If you are making the rest of your app
HIPAA-compliant anyway, it shouldn't add a large burden to do Postgres
that way too. Make sure your access rules are good, use SSL for the
connections, put it on an encrypted disk (easy these days with encrypted
EBS volumes), etc.

Slightly more effort but still very doable is handling requirements for
auditing accesses and changes. How you do this probably depends on the
rest of your stack.

Yours,
Paul
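
Added example, not part of Paul's message: a small audit of pg_hba.conf for the "access rules" and "SSL for the connections" points above. Reading "access rules" as pg_hba.conf is an assumption, as are the policy sets, the sample file and the function name `audit_hba`; addresses are assumed to be in CIDR form.

```python
# Added example: the policy below is an assumption, not a rule from the post.
WEAK_METHODS = {"trust", "password"}          # no auth / cleartext password
OPEN_ADDRESSES = {"0.0.0.0/0", "::/0", "all"}  # matches any client

# Constructed sample pg_hba.conf (not from the original message).
SAMPLE_HBA = """\
# TYPE     DATABASE  USER      ADDRESS       METHOD
local      all       postgres                peer
host       app       app_rw    10.0.1.0/24   md5
hostssl    app       app_rw    10.0.1.0/24   scram-sha-256
hostssl    all       all       0.0.0.0/0     trust
hostnossl  all       all       0.0.0.0/0     reject
"""

def audit_hba(text):
    """Return (line_number, finding) tuples for risky pg_hba.conf rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            # local DATABASE USER METHOD [options]
            if len(fields) < 4:
                continue
            address, method = None, fields[3]
        else:
            # host* DATABASE USER ADDRESS METHOD [options]; CIDR form assumed
            if len(fields) < 5:
                continue
            address, method = fields[3], fields[4]
        if method == "reject":
            continue  # a reject rule only narrows access
        if conn_type in ("host", "hostnossl"):
            findings.append((lineno, "accepts unencrypted TCP; use hostssl"))
        if method in WEAK_METHODS:
            findings.append((lineno, "weak auth method: " + method))
        if address in OPEN_ADDRESSES:
            findings.append((lineno, "matches any client address"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_hba(SAMPLE_HBA):
        print("line %d: %s" % (lineno, finding))
```

A `hostssl` rule only takes effect when the server itself has `ssl = on` in postgresql.conf, so check that setting alongside the rules.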






