
HIPAA has strict standards for storage and transmission.

So that would be the person putting it there.

But you can fax medical data under HIPAA so go figure.




> HIPAA has strict standards for storage and transmission.

If only. HIPAA barely has technical standards (much less strict ones) at all. Essentially, the only ones are backed into through the HITECH Act breach notification requirements (and, because of that, there's some debate as to the extent to which they are requirements, since technically the HITECH Act standards aren't requirements for how data has to be treated; they are standards for determining, once a breach occurs, whether the breach was of "unsecured" PHI). HIPAA's standards are mostly administrative rather than technical.

Lots of vendors sell particular technical solutions as being HIPAA compliant or even required-under-HIPAA, but that's mostly marketing bafflegab rather than a reflection of those products following clear and strict technical standards laid down in HIPAA and its implementing regulations.


Yep, we can't FedEx a server with HIPAA data unless it has an encrypted drive. Or mail backup tapes, for that matter. But that banker box full of claim statements? Go right ahead.

To be fair, a backup tape can have a couple TB worth of claims, whereas a banker box has got maybe 5000 if you pack 'em real tight.


As far as I know, virtually no one has ever been "convicted" of a HIPAA violation. It's pretty much a nothing threat. My employer a few years back just paid off some audit firm despite a complete lack of interest in securing our production servers.


You can fax over POTS lines because common carriers (telcos, basically) are considered secure. But HIPAA's 'standards' are anything but strict. It doesn't spell out any standards other than noting the difference between data in flight and data at rest and that both should be secure. In some ways this is probably a good thing, in that it doesn't keep the industry locked to standards that are broken on down the road. On the other hand, because HIPAA does spell out lots of nasty penalties for breaking the rules, it would be nice to have some clarity about what the rules are.



