WebApp Sec mailing list archives
Re: HIPAA security requirements
From: Matt Kenigson <president () sheergenius com>
Date: Fri, 16 Jan 2004 11:06:49 -0600
David (and all):

First of all, thank you for all your great replies. This is a great list. I think David's suggestion (quoted below) is a good one. The language in my current boilerplate contract that I think will need to be modified is thus:
"Provider will work with Client to jointly ensure that all Services are performed in accordance with the Health Insurance Portability and Accountability Act of 1996, as amended, any applicable regulations (proposed or final) promulgated thereunder, and any other applicable laws and regulations."
I'm thinking that a better clause would be one that specifically mentions that we will take all reasonable measures to ensure that the app will not be vulnerable to known attacks as of <date>. Then again, part of me wonders whether such language should be in my boilerplate at all. After all, if the client is lax about enforcing security compliance, why should I shoulder the burden for them? (Other than it's the right thing to do -- but I'm thinking about contractual liability here).
Thanks, Matt
Looking into the future, I think that you can rest assured that if you do due security diligence now you should be safe. Clauses such as "warrantied against vulnerabilities and exploits that are known as of <date>" would most likely cover you for most issues. This way the customer does not get the idea that you are warrantying against what is unknown.