Matt,
I work for a large institution that is also playing in the HIPAA
"playground". My one suggestion would be -- if you plan on writing a
contract, have it reviewed by your/a legal team. Protect yourself...Period.
Just a thought.
David
> From: Matt Kenigson <president_at_sheergenius.com>
> Date: Fri, 16 Jan 2004 11:06:49 -0600
> To: ONEILL David J <David.J.Oneill_at_state.or.us>, "webappsec_at_securityfocus.com"
> <webappsec_at_securityfocus.com>
> Subject: Re: HIPAA security requirements
>
> David (and all):
>
> First of all, thank you for all your great replies. This is a great list.
>
> I think David's suggestion (quoted below) is a good one. The language
> in my current boilerplate contract that I think will need to be modified
> is thus:
>
> "Provider will work with Client to jointly ensure that all Services are
> performed in accordance with the Health Insurance Portability and
> Accountability Act of 1996, as amended, any applicable regulations
> (proposed or final) promulgated thereunder, and any other applicable
> laws and regulations."
>
> I'm thinking that a better clause would be one that specifically
> mentions that we will take all reasonable measures to ensure that the
> app will not be vulnerable to known attacks as of <date>. Then again,
> part of me wonders whether such language should be in my boilerplate at
> all. After all, if the client is lax about enforcing security
> compliance, why should I shoulder the burden for them? (Other than it's
> the right thing to do -- but I'm thinking about contractual liability here).
>
> Thanks,
>
> Matt
>
>> Looking into the future, I think that you can rest assured that if you do due
>> security diligence now you should be safe. Clauses such as "warrantied
>> against vulnerabilities and exploits that are known as of <date>" would most
>> likely cover you for most issues. This way the customer does not get the idea
>> that you are warrantying against what is unknown.
>>
>>
>
>
Received on Jan 16 2004