We are not in the USA, so HIPAA is not something we need to do. High security in our website and servers is a key advantage to our overall selling proposition and branding communication.
There are many security standards you can "certify" your datacenter with, such as NIST or ISO. You can read more about them here: http://en.wikipedia.org/wiki/Cyber_security_standards
In addition, there are some SSL and antivirus vendors who provide "security badges" that can be embedded in your website and prove that your DNS domain and SSL certificate are valid.
Having said that, if you are serious about security and want to leverage that as a competitive advantage, you would probably have to implement deep security measures.
You could then publish these measures in a whitepaper that can be shared with your clients.
You can refer to what Amazon have published regarding their AWS product: https://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
Hi, I have over 20 years of experience in securing networks and devices with confidential healthcare data. Also, I am multi-certified and I am a Healthcare Certified Information Security Practitioner (HCISSP).
Even if HIPAA is not something you need to do, your first step is to identify an industry-standard security framework such as ISO 27000. The framework will provide you with guidance and best practices on how you should be securing your environment. The ISO standards are globally recognized as a strong foundation for security and should be a consideration to follow if you are interested in processing, transmitting or storing healthcare information.
I would be interested in hearing about your strategy and understanding your requirements based on your business needs. This will enable me to recommend the best path for you to go to appropriately secure your environment. I would be happy to have a conversation with you to do this and offer my professional guidance.
Best Regards, Steven