comment by user-inactivated
user-inactivated  ·  2966 days ago  ·  link  ·    ·  parent  ·  post: [48 HOURS] What is Microsoft becoming?

    HIPAA compliance completely fucks with your network infrastructure.

The best thing about HIPAA is that those of us who touch bare metal need at least a framework to build best practices. The further you are from the server, the less you care about what the computer does and the more you care about the number of billable hours it will cost to defend the decisions.

I don't hate you so I won't quote it, but AWS has a series of white papers on cloud infrastructure and HIPAA guidelines. It can be done, there are groups doing it to comply with the 7-year mandates, but I do not have the budget to do so. We went with a vendor who runs the software, builds the apps, etc., and I maintain the server farm, desktops, installs, Windows updates, and the local security, accounts, et al.

The final rules are here if anyone lurking wants help sleeping.

As KB says below: Wave it all you want, you're wrong. What matters is billable attorney hours and what checks get written. As long as you are encrypting stuff, not backing up to your iPad or Google Cloud Storage (shudder) or doing something otherwise outrageous, when the people come in to inspect they are, from the stories I've been reading and have been told, looking for Medicare and Medicaid fraud more than encryption and email violations. The real dance is keeping all the players happy: the Docs, the Clinic Staff, the billing people, the management, the lawyers, the government. (Note the lack of the patient in that list.) As long as you have vendors that tell you in writing HIPAA COMPLIANT, and I am getting the resources to stay on top of it, we have the ammo to give the guys in suits.