Support question

Dave Warren lists at hireahit.com
Wed Apr 29 21:23:32 EDT 2009


On Wed, 29 Apr 2009 13:06:35 -0400, Ethan Blanton <elb at pidgin.im> was
claimed to have written:

>I think you misparsed my response.
>
>Asking the question is not unreasonable, the question is unreasonable.
>It cannot be answered.  If you prefer, you may replace "nonsensical"
>with "unreasonable".
>
>It is perfectly normal and common for people to ask unreasonable
>questions, if they simply do not understand the domain.  Not every
>person can be expected to understand every domain.  I feel like I
>provided a complete and meaningful response to the question.  If you
>have actual helpful input on this topic, please feel free to provide
>it.  :-P

The question itself isn't all that unreasonable and most definitely can
be answered.  Allow me to explain: 

A non-compliant application is never HIPAA compliant under any
circumstances, but it is generally expected that HIPAA compliant
applications need to be correctly configured to maintain HIPAA
compliance; it's not assumed that all configurations (or even default
configurations) are HIPAA compliant.

For example, a HIPAA compliant mail server may be capable of receiving
and transmitting unencrypted data, but if this functionality is disabled
or the server itself requires IPsec based security for inbound
connections to even reach the mail server, HIPAA compliance can be
maintained.

The first step is to confirm if it's possible for pidgin to be
configured in such a way that it is compliant, and then the second step
is to determine what configuration steps are required.  Lastly, I
believe there is some requirement to prevent users from making
non-compliant re-configurations, although I'm not clear as I primarily
work on the server side of things and don't directly interact with HIPAA
compliance, except that I've had to provide a number of answers
regarding our capabilities in a presales capacity for HIPAA driven
organizations.

On the server side there is no requirement that all possible
configurations are HIPAA compliant, only that the configuration in
operation is HIPAA compliant.  It's not required to programmatically force
HIPAA-compliant configurations, but rather, it's part of the
administrator's job to maintain an appropriate configuration.

Pidgin's use of encryption would appear to be within HIPAA compliance,
but I'm not aware of other client-side requirements, so I can't speak to
whether or not it would be possible to build and deploy a HIPAA
compliant pidgin configuration without code changes, although I'd hazard
a guess that as long as logs were encrypted on disk (NTFS encryption)
and messages are encrypted in transit (via mandatory SSL on the server)
without any other connections being possible (due to firewall) then it
may be possible to roll out pidgin in a HIPAA compliant environment.

I'm far from an expert in certification, I've just provided technical
answers to assist a HIPAA compliance and certification expert.
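As an added example (not code from the original post or from the Pidgin project), the script below audits the client-side part of the configuration sketched in the message above: it reads Pidgin's preference and account files and reports any account not pinned to TLS and any logging preference that is switched on (so that, per the post, the log directory is known to need encrypted storage). It assumes that Pidgin stores global preferences in ~/.purple/prefs.xml under /purple/logging and per-account settings in ~/.purple/accounts.xml as <setting name=...> elements, and that XMPP accounts record their TLS policy as 'connection_security' (value 'require_tls') or, on older builds, as the boolean 'require_tls'; those setting names are assumed here and should be checked against the installed version. The sample XML is constructed for the example.

```python
"""Audit a Pidgin client configuration for the post's two client-side
conditions: every account forced to TLS, and local logging accounted for.

Added example, not Pidgin's own code.  Assumed layout: prefs.xml with
/purple/logging/log_* boolean prefs, accounts.xml with <account> elements
holding <settings><setting name=...>; the setting names
'connection_security' and 'require_tls' are assumptions to verify.
"""
import xml.etree.ElementTree as ET

LOGGING_PREFS = ("log_ims", "log_chats", "log_system")


def logging_findings(prefs_xml: str) -> list[str]:
    """Report every logging pref that is switched on."""
    root = ET.fromstring(prefs_xml)
    logging = root.find("./pref[@name='purple']/pref[@name='logging']")
    if logging is None:
        return ["no /purple/logging prefs present; logging state unknown"]
    findings = []
    for name in LOGGING_PREFS:
        pref = logging.find(f"./pref[@name='{name}']")
        if pref is not None and pref.get("value") == "1":
            findings.append(f"/purple/logging/{name} enabled: log directory "
                            "must live on encrypted storage")
    return findings


def account_findings(accounts_xml: str) -> list[str]:
    """Report every account that is not pinned to TLS."""
    root = ET.fromstring(accounts_xml)
    findings = []
    for acct in root.findall("./account"):
        proto = acct.findtext("protocol", "?")
        name = acct.findtext("name", "?")
        settings = {s.get("name"): (s.text or "").strip()
                    for s in acct.findall("./settings/setting")}
        sec = settings.get("connection_security")   # assumed name, newer builds
        old = settings.get("require_tls")           # assumed name, older builds
        if sec == "require_tls" or (sec is None and old == "1"):
            continue
        findings.append(f"{proto} account {name} does not require TLS "
                        f"(connection_security={sec!r}, require_tls={old!r})")
    return findings


def audit(prefs_xml: str, accounts_xml: str) -> list[str]:
    """Empty list means both client-side conditions hold."""
    return logging_findings(prefs_xml) + account_findings(accounts_xml)


# Constructed samples: a default-looking config beside a locked-down one.
WEAK_PREFS = """<pref version='1' name='/'>
  <pref name='purple'>
    <pref name='logging'>
      <pref name='log_ims' type='bool' value='1'/>
      <pref name='log_chats' type='bool' value='1'/>
      <pref name='log_system' type='bool' value='0'/>
    </pref>
  </pref>
</pref>"""
HARDENED_PREFS = WEAK_PREFS.replace("value='1'", "value='0'")

WEAK_ACCOUNTS = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@im.example.org/Pidgin</name>
    <settings>
      <setting name='connection_security' type='string'>require_tls</setting>
    </settings>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@im.example.org/Pidgin</name>
    <settings>
      <setting name='connection_security' type='string'>opportunistic_tls</setting>
    </settings>
  </account>
</account>"""
HARDENED_ACCOUNTS = WEAK_ACCOUNTS.replace("opportunistic_tls", "require_tls")

if __name__ == "__main__":
    for label, p, a in (("weak", WEAK_PREFS, WEAK_ACCOUNTS),
                        ("hardened", HARDENED_PREFS, HARDENED_ACCOUNTS)):
        print(label, audit(p, a) or ["no findings"])
```

The script only covers what a client's own config files can show; the other two controls the post relies on, encrypted storage under the log directory and a firewall that blocks every path except the TLS-only server, live outside these files and need to be verified on the host and network separately.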



