Questions[hipaa](server)

Our infrastructure is hosted on Google Cloud and uses postgresql instances via Cloud SQL

I need to configure logging for HIPAA compliance. I have read 2 articles from Google's documentation:

https://cloud.google.com/logging/docs/audit/configure-data-access#config-console https://cloud.google.com/sql/docs/postgres/pg-audit#overview

The first talks about enabling Audit Logs from within IAM, here I can select Cloud SQL and enable r+w logs for data and admins

The second talks about PgAudit and sets the following flag pgaudit.log=all

I have a couple of questions:

1. How do IAM logs and PgAudit differ, should I enable both or is there redundancy by doing so?
2. For HIPAA compliance using PgAudit, should I log all or is there another value that makes sense

I am dealing with electronic protected health information (ePHI or PHI) and HIPAA regulations require that only authorized users can access ePHI. Column-level encryption may be of value for some of the data, but I need the ability to do like searches on some of the PHI fields such as name.

Transparent Data Encryption (TDE) is a feature of SQL Server 2008 for encrypting database and log files. As I understand it this prevents someone who gains access to the MDF, LDF, or backup files from being able to do anything with the files because they are encrypted. TDE is only on enterprise and developer versions of SQL Server and enterprise is cost-prohibitive for my particular scenario. How can I get similar protection on SQL Server Standard? Is there a way to encrypt the database and backup files (is there a third-party tool)? Or just as good, is there a way to prevent the files from being used if the disk were attached to another machine (linux or windows)?

Administrator access to the files from the same machine is fine, but I just want to prevent any issues if the disk were removed and hooked up to another machine. What are some of the solutions for this that are out there?

At a small office, my clients' HR department needs to communicate with some vendors regarding HIPAA-covered material. How do most companies deal with securely sending e-mails regarding HIPAA. I would prefer to encrypt the e-mails themselves instead of requiring vendors to log into a secure messaging server, but I don't know if this is commonplace

Is the use of STARTTLS during communication between an internal email server and external recipient sufficient to meet HIPAA guidelines? If so, is it required that TLS be forced?

I am planning system upgrades at several Group Practice doctor offices.

I am asking them questions concerning what their RTO (Recovery Time Objective) and RPO (Recovery Point Objective) may be so I can balance their budget with those objectives.

What I am wanting to know from ServerFault, does HIPAA have rules concerning the RPO and RTO for patient medical data?

I understand that if an office is audited and a patient was billed for a procedure, but the medical record is missing, the office could be fined up to $10,000 per patient. I do not know if that is a real fine, but it does lead me to include in the calculations potential fines and not just the potential loss in revenue a typical business may have.

Thank you,
Keith