Is Tiger Technologies HIPAA-certified?

The Health Insurance Portability and Accountability Act (“HIPAA”) is a U.S. law that imposes strict privacy and security standards for storing or transmitting medical information.

Among other things, it prohibits storing medical information on servers that aren’t certified to meet HIPAA rules, and it prohibits sending medical information through email systems that don’t meet similar rules.

Because of this, we’re occasionally asked if our servers and email systems are compliant with the HIPAA rules and certified to meet them. The answer is no: Like most general-purpose hosting and email providers, we do not meet the HIPAA requirements. You should not store or transmit restricted medical data using our services, and you should choose a different HIPAA-certified provider if you need to do so.

Why aren’t you certified? Does that mean your systems are insecure?

The HIPAA certification process forces companies to follow several rules that wouldn’t make sense for a general Internet service provider.

As an example, one of the rules would require that we force customers to only use certain email programs, instead of allowing any email program. Another rule would require us to return outgoing mail as “undeliverable” if the destination mail server didn’t support a certain kind of encryption. Those are reasonable rules for medical data, but they’re not reasonable for general email.

To become HIPAA-compliant, we would need to modify how our services work in a way that would cause problems or inconvenience for customers who don’t care about HIPAA, and we would need to charge all customers significantly more.

Because of that, companies in the general hosting and email business, like us, don’t usually try to become HIPAA-certified. It’s not because of a general lack of security: it’s because providing HIPAA-compliant services would require focusing on a different kind of business.