Re: HIPAA security requirements

[David Nester <david () icrew org>]

Matt,

I work for a large institution that is also playing in the HIPAA
"playground".  My one suggestion would be -- if you plan on writing a
contract, have it reviewed by your/a legal team.  Protect yourself...Period.

Just a thought.

David



> From: Matt Kenigson <president () sheergenius com>
> Date: Fri, 16 Jan 2004 11:06:49 -0600
> To: ONEILL David J <David.J.Oneill () state or us>, "webappsec () securityfocus com"
> <webappsec () securityfocus com>
> Subject: Re: HIPAA security requirements
>
> David (and all):
>
> First of all, thank you for all your great replies.  This is a great list.
>
> I think David's suggestion (quoted below) is a good one.  The language
> in my current boilerplate contract that I think will need to be modified
> is thus:
>
> "Provider will work with Client to jointly ensure that all Services are
> performed in accordance with the Health Insurance Portability and
> Accountability Act of 1996, as amended, any applicable regulations
> (proposed or final) promulgated thereunder, and any other applicable
> laws and regulations."
>
> I'm thinking that a better clause would be one that specifically
> mentions that we will take all reasonable measures to insure that the
> app will not be vulnerable to known attacks as of <date>.  Then again,
> part of me wonders whether such language should be in my boilerplate at
> all.  After all, if the client is lax about enforcing security
> compliance, why should I shoulder the burden for them?  (Other than it's
> the right thing to do -- but I'm thinking about contractual liability here).
>
> Thanks,
>
> Matt
>
> > Looking into the future, I think that you can rest assured the if you do due
> > security diligence now you should be safe.  Clauses such as "warrantied
> > against volnerablities and exploits that are know as of <data>" would most
> > likely cover you for most issues.  This way the customer does not get the
> > idea
> > that you are warrantying against what is unknown.
> >