TLS and Compliances

Hello everyone,

We use a hosted PBX on our platform. When phones register to the PBX using TLS, would a LetsEncrypt certificate be compliant with HIPAA or HITRUST?

Thank you

1 Like

Hi @TACSupport, and welcome to the LE community forum 🙂

Why wouldn't they be?

That said, certs can be misused in plenty of ways:

  • bad/weak protocols
  • insecure/weak ciphers

1 Like

I'm just going to restate what @rg305 said a bit differently:

A LetsEncrypt certificate should not cause any compliance issues itself. Many HIPAA compliant organizations leverage LetsEncrypt certificates.

How you leverage the LetsEncrypt certificate, however, can cause issues.

1- You will need to adequately protect the private key for the certificate to maintain compliance.
2- The Certificate is merely used to validate identity. The connection itself is secured by ciphers and protocols. You must use compliant ciphers and protocols.

I can't speak to HITRUST requirements as that is a commercial certificate service. I don't see why they would have concern with a LetsEncrypt certificate, as LE is a valid member of the CA/B forum with trusted roots.

3 Likes
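To make the two points above concrete (protect the private key; use compliant protocols and ciphers), here is an added example, not code from the original thread or from Let's Encrypt: a Python `ssl` server context with a TLS 1.2 floor and forward-secret AEAD suites only, an audit helper that flags weak suite names, and a file-permission check for the key. The weak-suite marker list and the 0o644/0o600 demo file are constructed for this example and are not an official HIPAA or HITRUST list.

```python
import os
import ssl
import stat
import tempfile

# Substrings marking cipher suites generally treated as non-compliant under
# HIPAA/HITRUST-aligned TLS baselines (constructed for this example, not an official list).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5", "ANON")


def hardened_context() -> ssl.SSLContext:
    """Server context a PBX could use for SIP over TLS: TLS 1.2 floor, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3 / TLS 1.0 / TLS 1.1 clients
    # OpenSSL cipher string for TLS 1.2; TLS 1.3 suites are AEAD-only and remain enabled
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of every suite the context would offer or accept."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_cipher_names(names) -> list:
    """Audit helper: the suites from `names` that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def protocol_floor_ok(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses anything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def private_key_exposed(path: str) -> bool:
    """True if group or other can read the key file: the usual 'unprotected private key' finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_key_permissions() -> tuple:
    """Constructed stand-in for the certificate's private key: check it loose, fix it, re-check."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    try:
        os.chmod(path, 0o644)                    # world-readable, as often left after a careless deploy
        before = private_key_exposed(path)
        os.chmod(path, 0o600)                    # owner-only, the expected state
        after = private_key_exposed(path)
    finally:
        os.remove(path)
    return before, after
```

Running `weak_cipher_names(enabled_cipher_names(hardened_context()))` returns an empty list, and `demo_key_permissions()` returns `(True, False)`.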

@jvanasco and @rg305
Thank you both for the replies! Our team thought this might be the case and we really appreciate the confirmation.

3 Likes

@TACSupport FYI, here are some docs that people with various certification concerns have relied on:

4 Likes