The method you use to store the data is irrelevant. Access to your network.
Logging. If you're encrypting the disk. How is the application presenting
this data. What kind of ACLs are you using. Asking if PG is good to store
HIPAA data is exactly as useful as asking if you can even store HIPAA data.
There are so many more important things to consider.

RDS is a hosted service. They don't have all the guarantees you'd want for
PHI. I'm sure their MySQL engine probably has similar warnings.

Jim

On Fri, Jun 17, 2016 at 6:03 AM, Alex John <alex.j...@holmusk.com> wrote:

> Hello, I have a few questions regarding the use of PostgreSQL and HIPAA
> compliance. I work for a company that plans on storing protected health
> information (PHI) on our servers. We have looked at various solutions for doing
> so, and RDS is a prime candidate except for the fact that they have explicitly
> stated that the Postgres engine is *not* HIPAA compliant.
>
> Users on the IRC channel generally say that the guidelines are more catered
> towards building better firewalls and a sane access policy, but I would like to
> know if there is anything within the implementation of Postgres itself that
> violates said compliance.
>
> If anyone works at a similar company and utilizes postgresql to store PHI,
> please let me know.
>
> Thank you,
>       Alex
