Private Internet Access (PIA) is not HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted by Congress and signed into law in 1996.
If you create, receive, store, or transmit Protected Health Information (PHI), including medical records, you must comply with the HIPAA Privacy, Security, and Breach Notification Rules and be able to demonstrate that compliance if the Office for Civil Rights (OCR) audits or investigates you. There is no official HIPAA certification to pass: the Security Rule is technology-neutral, so specific technologies and procedures are recommended, and widely adopted, for those who handle PHI even though the rule itself does not name them.
The HIPAA rules, codified in the Code of Federal Regulations at 45 CFR Parts 160 and 164, require that businesses dealing with PHI:
Protect data: Ensure the confidentiality, integrity, and availability of PHI, and of electronic PHI (ePHI) in particular.
Establish agreements: Sign a Business Associate Agreement (BAA) with every vendor or service provider that creates, receives, maintains, or transmits PHI on their behalf. Such a vendor is a business associate and is itself directly liable under the Security Rule.
Report breaches: Notify affected individuals and the Department of Health and Human Services' Office for Civil Rights (OCR) of any breach of unsecured PHI. OCR investigates complaints, conducts audits, and imposes civil money penalties and settlements for HIPAA violations.
Data Retention and the No-Logs Conflict
The HIPAA Security Rule requires covered entities and business associates to record and examine activity in systems that contain ePHI (its audit-control and information-system-activity-review requirements) and to retain the documentation the rule requires, including policies, procedures, and records of the actions, activities, and assessments taken under it, for six years from the date of creation or the date it was last in effect. In practice this means keeping access and activity logs, and the records that prove the Security Rule was followed, for every system through which PHI passes.
If a breach occurs or is alleged, the entity must be able to show that it followed the Security Rule and the other parts of HIPAA. The rule requires regular review of system activity records and periodic evaluation of the safeguards in place. In an OCR investigation, or when the records are subpoenaed in litigation, the covered entity or business associate must be able to produce them.
Because PIA maintains a strict no-logs policy, it keeps no access or activity records at all and therefore cannot produce the records HIPAA requires, whether for a covered entity's own review or in response to an OCR investigation or a subpoena. Consequently, PIA cannot meet these HIPAA requirements and cannot provide VPN services for HIPAA-regulated operations. The practical point for a covered entity is that an encrypted tunnel does not by itself make traffic HIPAA compliant: the organisation remains responsible for the accountability controls the Security Rule requires, and a vendor that cannot support them cannot be relied on for that traffic.