HIPPA compliance

I have not checked but I am almost sure that syncthing would not be HIPPA compliant. However, do you guys think that syncthing can become HIPPA compliant or provide a HIPPA compliant version (even with a fee)?

I am not an expert on HIPPA, but I came across the idea while working today. Some potentially helpful links:

https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html and

I am sure that 99.99% of users don’t care about this, hence I personally don’t see why we should try to get this done.

Someone who needs this can make the relevant pull requests changing syncthing and go through the bureaucracy of getting it blessed.

2 Likes

Yes, most current users won’t care. It was just an idea.

I don’t really know what that means, but I suspect documents, procedures, safeguards and whatnot - so probably not feasible, no.

Right, nor do I think that health insurance people are the right market we should target.

Only with a fee, more like, HIPA compliance is hugely expensive!

We have no chance - we can’t even spell it correctly. Literally.

:trolleybus: :japanese_ogre:

1 Like

While HIPAA is a US Health Care industry compliance standard, there also exists a much broader global ISO standard for Cloud Service Providers.

I recently discovered that Microsoft’s Azure service was first to achieve the ISO Privacy Standard for CSPs. In case you are curious to know what is required to achieve the standard, here is an overview:

You can assume it costs a fortune, and doesn’t make sense for Syncthing to pursue this in the absence of a large revenue stream.

1 Like

Is that standard even relevant? Syncthing doesn’t collect personal data…

Also isn’t a cloud service. Well, the discovery server might be, given that the cloud is just someone else’s computer, in this case mine. Not going to get certified, I can guarantee. :wink: Here’s a box of Happy Hippos in the meantime:

6 Likes

and Syncthing is not even a health app or health related software…

It’s affected my psychological health, both positively and negatively. :hear_no_evil: :see_no_evil: :speak_no_evil:

3 Likes

:laughing: :smile:

ok - I vote against HIPAA certification.

Instead, I will settle for a box of the Happy Hippo cookies. Do they come with peanuts? - (I am allergic to hazelnuts)

:wink:

I have to point out that, as far as I know, there is no certification for HIPAA. It is just a list of features, most of which syncthing already supports to some degree (encryption, data integrity, authentication, logging).

In which case someone who needs to get all the boxes ticked can contribute whatever is missing. I did check it; most of it is already covered, but some of it makes no sense in Syncthing’s context. Such as logging out… It’s not a system which provides you with access to start with.

could be a closet :joy:

+1 for HIPAA alignment.

Here is what Boxsync did to become HIPAA “compliant”.

http://community.box.com/t5/Account-Information/Box-HIPAA-And-HITECH-Overview-And-FAQs/ta-p/16

From what I learned, there is really no such thing as HIPAA “compliance”. You can only be HIPAA “aligned”, since there are no government or private entities certifying that you are HIPAA “compliant”. It’s really up to each individual to come up with a list of security and auditing measures to ensure that your software is in line with the goals of HIPAA and aware of HITECH.

However, on that page, there are mentions of all kinds of reports and addendums to be signed, as well as third party audits and things we probably don’t support such as granting read only access, etc. I think this is a nonstarter. At any rate, I’m not going to make any efforts toward it myself as I have zero interest in it. Someone else is welcome to, of course. I think that’s my last input on this subject. :smile:

I am not a lawyer and nothing that follows is to be construed in any way as legal advice.

For my purposes, when SyncThing is installed on a client’s system then the client or technician needs to consider it within the larger scope of the client’s security measures. With adequate security measures it may pass a HIPAA audit. The same is true for any software I install on client servers, workstations or mobile devices.

It is my understanding that there is no ‘certified HIPAA compliant’; there is only preparing for an audit by Health and Human Services. Any software offering, say Microsoft’s online office suite, can provide information invaluable to such an audit, and may be compliant with the statutes, but there is no certification of such by any government or private agency.

One of my clients is not required to be HIPAA compliant but they do hold personal health information (legal details, their decision, don’t ask). As a result of their situation I have done some research on the issue that may be relevant to this discussion.

First, if I were supplying software as a service (SaaS) and wanted to serve clients who fall under HIPAA, then I am in a position requiring extensive work to prove compliance with the statutes. One example of this is Voice Over IP (VoIP) providers where, to the best of my knowledge, only the 8x8 VoIP SaaS is willing to provide a letter describing how they are HIPAA compliant.

Second, if I am providing technical support (in house or on contract) to a covered entity or their business associates I would do well to make sure either myself or they have done a security audit. The time may come when the entity or associate is required to have an official audit, at which time it would be best to have already done one to know ahead of time what security issues such an audit may uncover.

I consider that the software and hardware I recommend, install, and maintain for clients (this would include SyncThing) is okay if there is a security audit of the client’s systems that includes that software. As said in a previous post, I find no problems with SyncThing but your mileage may vary.

I use the two links below to give me adequate information to perform such an internal audit. I just want that stuff on file somewhere the office manager knows about, so if there is an audit by Health & Human Services there is a place to start. It is a lot of work the first time around; updates are less time-consuming.

This first link, along with a good overview, provides an answer to the question, “What Should You Do to Prepare for the Phase 2 Audits?”

OCR to Begin Phase 2 of HIPAA Audit Program July 29, 2014

The following link provides a great chart of what’s involved in a risk management analysis (mentioned in the above link) and describes each of the main challenges. For me, responding to those descriptions is enough to prepare for a Health and Human Services HIPAA audit.

Security Risk Analysis and Management: An Overview (Updated)

Again, none of this is offered as legal advice. It is only information I have found to be invaluable.