I have a local design client who has asked me to find a reliable web host for them for a dedicated server. This client is a major hospital and they plan on maintaining some sensitive patient info on the server. So privacy is an obvious concern.

If the server is physically located in the US, their concern relates to any implications with The Patriot Act. They need to be assured that all info is private and will always remain so. Otherwise, I will need to source out a host who uses a Canadian datacenter.

Any wisdom you can share on this? Aside from your own thoughts, I would greatly appreciate any links to verifiable sources that actually address this issue.

Vito

The hospital in question is in Canada?

Edit: If found this:
From here:
http://www.grahamhospital.org/About/legal.htm

Thanks, John. But that hospital is in the US, my client is in Canada. Sorry, I should have been more specific.

Vito

Vito, as far as I am aware, the hospital has no legal obligation to release any information whatsoever.

Under the Patriot Act, only US citizens are subject to it. In addition, the hosting provider does not have to grant access to any privacy sensitive materials, such as passwords, etc. This would be the only information the server provider would have.

The server provider is only obligated to release the information obtained on the client, such as address, name, phone number, and IP. Passwords, and usernames are not included under the Patriot Act. The client you're hosting, if in the US, would then be obligated to supply information on their clients/patience. However, as stated, since they are not located within the US, they are not governed by US law, and thus do not have to comply. They can of course comply upon their own wishes, but are certainly not obligated to do so.

We for example have to follow the Patriot Act, as does any business in the US now. However, the information we're obligated to provide is only the information we obtain on the client, not including username and password information.

Heads up however, regardless of country or if the username/password is supplied, the United States Government can and will retrieve the data if they want... (This is what I used to do in the Army as a Special Forces Operator.) If they feel the information is that much of a threat to National Security, they will ask for the information up front. The host however is not obligated to provide it. At that point they will enlist Ops/CIA/NSA to crack anything, do it silently, and obtain the information on their own. Unfortunately no computer is safe from that.

Damn nasty world we live in lol However, feel safe in knowing that they typically will not do the above unless they feel the information is of tremendous National Security importance.

Thanks for the explanation, Mark.

I guess what I'm having trouble finding is a reference to an authoritative source that I can send to my client. It's one thing to elaborate in an email about it. It's quite another to back it up with supportive references. And the latter is what my client will be looking for.

Vito

In that case, give me a few hours, and I'll have it for you

And here you go:
http://www.epic.org/privacy/terrorism/hr3162.html

Section 215, Amendmant 501

Also note, that by the end of this year they are adding a sunset provision to this article that says internet service providers may release information, voluntarily only. In other words, if the ISP notices something suspicious, they can determine on their own, to contact the FBI and release that information.
http://www.fbi.gov/page2/may05/hulon050905.htm

Until then, there have been provisions that state that the authorities must only request records within an ongoing investigation, in which the records are suspected of being linked to terrorist activity. They are not permitted any longer to simply "sneek a peek" they must show due cause now, and must provide documentation to the business (host).

SO there is some safety for you, with more to come by the end of the year.

Hey, thanks very much, Mark! I will take a look at the links tomorrow morning, and then pass the info on to my client.

Thanks again.

Vito

Vito, just wanted follow up and see how this worked out for you.

It's still all up in the air. It's a bit frustrating dealing with this customer, as there are so many people trying to give input on what the content should be, it changes every week. As it stands now, they no longer wish to have patient info on the site. Now it's just down to some Continuing Education stats and scores.

Who knows what it'll be next week?

Vito

Hi Vito...

You should be aware there was a very significant amount of controversy raised here in BC regarding our provincial government contracting out Medical Services Plan/Pharmacare services to a US-based company. It sounds as though you may have a problem hosting in the USA.

Links are as follows... You may have particular interest in the last two:

http://vancouver.cbc.ca/regional/ser...ame=bc_maximus

http://vancouver.cbc.ca/regional/ser...rivacy20041028

http://www.bcgeu.ca/bbpdf/040806_executive_summary.pdf

http://www.bcgeu.ca/2440

http://vancouver.cbc.ca/regional/ser...rivacy20041029

http://www.oipcbc.org/sector_public/...%20summary.pdf

http://www.oipcbc.org/sector_public/...vacy-final.pdf

Thanks for the info, Reece.

The customer has secured hosting based here in Canada so we're good to go.

Vito

Thank goodness