Rocket.chat: HIPAA Compliance (2019)

Created on 25 Jan 2019 · 4 Comments · Source: RocketChat/Rocket.Chat

Hello,

We're investigating rocket.chat as a possible in-app chat collaboration feature in our social support platform. We're entering the healthcare market, with all the attendant security and privacy considerations, including HIPAA compliance.

I see that @engelgabriel asked in late 2015 whether rocket.chat was (or was on the road to becoming) HIPAA compliant, and that, as of 9 months ago, @seanpackham closed that several-year-old request with a note that it was not on the short-term roadmap.

It's been 9 months since then: what's the likelihood that rocket.chat, in any of its manifestations, including self-hosted, has become or soon will be HIPAA compliant?

Dave Land

All 4 comments

Dave,

I'm not on the RC team, but IMO a self-hosted install of RC _could_ be HIPAA compliant if you configure it to be so. No piece of software can be designated HIPAA compliant, organizations are or are not HIPAA compliant. It's the combination of the organization and how they use and configure their IT assets and processes that determines their HIPAA status.

Assuming the discussion is around the Security Rule and only Required items, then RC can be configured in such a way to meet HIPAA standards. (RC meets most Addressable items as well, but might require special config, or then again you can opt to paper them over, as such is HIPAA.) The only place you'll need to convince auditors would be backups (it's not in the administration UI, but can be done through scripting with Mongo) and encryption of data. You _can_ use TLS, you _can_ use e2e keys for everyone, but you currently can't have any transparent DB encryption (mongo doesn't support it). You'd have to use an encrypted storage medium as well, but this is also outside of RC's purview.

For hosted, they'd likely have to sign off as a Business Associate and that's a whole other discussion done with lawyers and probably not something that would be best addressed in a github issue.
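One way to cover the two audit gaps named in the comment above (no backup in the admin UI, no transparent DB encryption), as an added example that is not from this issue or from the Rocket.Chat project: a bash script that pipes `mongodump` through `openssl`, reads the passphrase from a file rather than the command line, records a checksum, and proves the archive restores with a `mongorestore` dry run. The MongoDB URL, backup directory and key-file path are assumed defaults, and `mongodump`, `mongorestore` and `openssl` are assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): encrypted-at-rest Rocket.Chat backup.
# Assumed defaults, override via environment.
set -eu
set -o pipefail 2>/dev/null || true   # surface mongodump failures in pipes (bash)

MONGO_URL="${MONGO_URL:-mongodb://localhost:27017/rocketchat}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/rocketchat}"
BACKUP_KEY_FILE="${BACKUP_KEY_FILE:-/etc/rocketchat/backup.key}"

# Encrypt stdin to stdout with AES-256-CBC and PBKDF2. The passphrase comes
# from a file ("file:" source), so it never appears in `ps` output or logs.
encrypt_stream() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1"
}

# Inverse of encrypt_stream; used by the restore check below.
decrypt_stream() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1"
}

# Dump the whole database into one compressed, encrypted archive and write
# its SHA-256 beside it so integrity can be checked before any restore.
backup_rocketchat() {
  local stamp out
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  out="$BACKUP_DIR/rocketchat-$stamp.archive.gz.enc"
  umask 077                       # archive readable by the backup user only
  mkdir -p "$BACKUP_DIR"
  mongodump --uri="$MONGO_URL" --archive --gzip \
    | encrypt_stream "$BACKUP_KEY_FILE" > "$out"
  sha256sum "$out" > "$out.sha256"
  echo "$out"
}

# Restore check: verify the checksum, decrypt, and let mongorestore parse the
# archive in dry-run mode (nothing is written to the database).
verify_backup() {
  local archive="$1"
  sha256sum -c "$archive.sha256" >/dev/null
  decrypt_stream "$BACKUP_KEY_FILE" < "$archive" \
    | mongorestore --uri="$MONGO_URL" --archive --gzip --dryRun >/dev/null
}

if [ "${1:-}" = "run" ]; then
  verify_backup "$(backup_rocketchat)"
fi
```

Run it as `backup.sh run` from cron; the key file should be owned by the backup user with mode 0600 and stored separately from the archives.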

Thank you @robertwessen for your detailed response. That is extremely good to know!

@robertwessen Thanks for responding! This is my understanding also. We can make recommendations for becoming HIPAA compliant. But the most we can do from a software perspective is become what I like to call HIPAA friendly.

Hosted is for sure a different ball game and probably what was being referred to when responding. Because self-hosted Rocket.Chat has always been pretty HIPAA friendly.

Feel free to contact sales for more info there. :)

Closing due to @robertwessen's comment, please re-open if you feel this issue needs more attention or we, Rocket.Chat, can actually do something about it on our end. 😄
