For HIPAA, I think encryption of data at rest is not strictly necessary, just recommended. (I believe encrypting data in motion is required, which we have SSH and VPNs for.) Also know that with HIPAA, the underlying technology (FileMaker) is less relevant to satisfying the standards than the behavior of the application you build on it, the operating environment (restricted-access physical facilities, VPN, etc.), and the procedures for handling it documented and practiced by the "covered entity" (owner of the data). I'm less familiar with the requirements for solutions designed to be eligible for HITECH grants. Encryption plug-ins can do the job if you have the budget for the extra development effort to do everything through them. Certainly, back up to an encrypted drive if you can. I don't know if OS-level encryption of the drive that live hosted FileMaker files live on is a good idea or not.
Thanks, Jeremy. I think this is a fishing expedition from the client's management (they're a primarily Microsoft shop), and I read the spec the same way you do - encryption is "addressable", not required. But I can't find the phrase "at rest" anywhere in the documentation, so I was hoping someone more familiar might be able to point me to something.