WebApp Sec mailing list archives

Re: HIPAA security requirements


From: Matt Kenigson <president () sheergenius com>
Date: Fri, 16 Jan 2004 11:06:49 -0600

David (and all):

First of all, thank you for all your great replies. This is a great list. I think David's suggestion (quoted below) is a good one. The language in my current boilerplate contract that I think will need to be modified is thus:

"Provider will work with Client to jointly ensure that all Services are performed in accordance with the Health Insurance Portability and Accountability Act of 1996, as amended, any applicable regulations (proposed or final) promulgated thereunder, and any other applicable laws and regulations."

I'm thinking that a better clause would be one that specifically mentions that we will take all reasonable measures to ensure that the app will not be vulnerable to known attacks as of <date>. Then again, part of me wonders whether such language should be in my boilerplate at all. After all, if the client is lax about enforcing security compliance, why should I shoulder the burden for them? (Other than it's the right thing to do -- but I'm thinking about contractual liability here).

Thanks,

Matt

Looking into the future, I think that you can rest assured that if you do due security diligence now you should be safe. Clauses such as "warrantied against vulnerabilities and exploits that are known as of <date>" would most likely cover you for most issues. This way the customer does not get the idea that you are warrantying against what is unknown.
