I am not a lawyer and nothing that follows is to be construed in any way as legal advice.
For my purposes, when SyncThing is installed on a client’s system then the client or technician needs to consider it within the larger scope of the client’s security measures. With adequate security measures it may pass a HIPPA audit. The same is true for any software I install on client servers, workstations or mobile devices.
It is my understanding that there is no ‘certified HIPPA compliant’, there is only preparing for a audit by Health and Human Services. Any software offering, say Microsoft’s online office suite, can provide information invaluable to such an audit, and may be compliant with the statutes, but there is no certification of such by any government or private agency.
One of my clients is not required to be HIPPA compliant but they do hold personal health information (legal details, their decision, don’t ask). As a result of their situation I have done some research on the issue that may be relevant to this discussion.
First, if I were supplying software as a service (SAS) and want to serve clients who fall under HIPPA then I am in a position requiring extensive work to prove compliance with the statutes. One example of this is Voice Over IP (VoIP) providers where, to the best of my knowledge, only the SAS 8x8 VoIP is willing to provide a letter describing how they are HIPPA compliant.
Second, if I am providing technical support (in house or on contract) to a covered entity or their business associates I would do well to make sure either myself or they have done a security audit. The time may come when the entity or associate is required to have an official audit, at which time it would be best to have already done one to know ahead of time what security issues such an audit may uncover.
I consider that the software and hardware I recommend, install , and maintain for clients (this would include SyncThing) is okay if there is a security audit of the client’s systems that includes that software. As said in a previous post, I find no problems with SyncThing but your mileage may vary.
I use the two links below to give me adequate information to perform such an internal audit. I just want that stuff on file somewhere the office manager knows about so if there is an audit by Health & Human Servcies there is a place to start. It is a lot of work the first time around, updates less time consuming.
This first link, along with a good overview, provides an answer to the question, “What Should You Do to Prepare for the Phase 2 Audits?”
OCR to Begin Phase 2 of HIPAA Audit Program July 29, 2014
The following link provides a great chart of what’s involved in a risk management analysis (mentioned in the above link) and describes each of the main challenges. For me, responding to those descriptions is enough to prepare for a Health and Human Services HIPPA audit.
Security Risk Analysis and Management: An Overview (Updated)
Again, none of this is offered as legal advice. It is only information I have found to be invaluable.