HIPAA security requirements

[Matt Kenigson <president () sheergenius com>]

Howdy,

I've been lurking on the list now for over a year and wanted to start my 
first post by thanking everyone out there who has been answering 
questions and has contributed to all of the wonderful projects I've 
heard about on the list.  My hat is off to all of you for being such 
talented professionals and still managing to give back to the community 
with your efforts.

Now, on to the feature:

I was wondering if anyone has come across any specific requirements that 
are implicit or even implied by the security-related portions of the 
HIPAA act, including amendments.  As a web application developer, I have 
to assure my healthcare clients that we will strive to meet HIPAA 
requirements, but have never come across any document or analysis that 
tries to bring into focus what precisely that means in the context of 
database-backed web applications.  Some things are obvious:  If your app 
does absolutely anything that could expose patient information to the 
wrong eyes, that would fall astray.  Others are not quite as obvious.  
Also, after a contract has been completed, if new exploits are 
discovered, what are the developer's ongoing responsibilities?  Is the 
developer forever obligated to point out new security weaknesses so that 
the client can opt to hire someone to fix them?  If not, where does the 
liability end?

Does anyone know of any such document, discussion, or guidance?  Care to 
start one?  I'll help.

I should note that my thinking on this was jump-started by the 
interesting column currently featured on owasp.org by Jeff Williams.  I 
should also note that I could only read what was on that first page, as 
the link for more of the story seems to be broken right now.

Thanks,

Matt Kenigson
president () sheergenius com