@larry - Yeah, those three items are the minimum items necessary. Key word is minimum. After those three items, it gets into issues of risk-management.
Regarding encrypted data at rest; it’s not specifically spelled out in the HIPAA Act, and that’s the area where there’s a lot of fear and marketing hype. Network security professionals and datacenters keen on differentiating themselves will fearmonger about the risk of data breaches from hackers and/or disgruntled employees. Or even authorized employees simply looking at files they shouldn’t be.
But keep in mind that HIPAA was enacted in the days of DOS. Most modern operating systems… Linux, MacOSX, Windows NT, will offer operating-system level encryption for data at rest. All modern databases, including Mongo, offer an additional layer of password security. If you have a password policy to actually rotate the operating system and database passwords, you can make a reasonable claim in court that you were actively using the operating system and database level encryption, and that the data was encrypted at rest.
So then it becomes an issue of risk-management around discarded server disks and backup tapes, how those are managed, and whether a hacker or disgruntled employee would try to steal the disks, mount them on a rogue server, access and then sell that data. That’s an exceedingly rare event, with potentially disastrous consequences. How do you manage exceedingly rare catastrophic risks? It’s the same issue as asking how to manage the risk of a natural disaster. What do people do to prepare for an earthquake? Or a flood? Or nuclear meltdown? Or simply a fire in the building? You can either use a technical solution or a financial solution. Add smoke detectors and fire extinguishers and concrete walls as insurance for the risk of fire. Or purchase homeowner’s insurance from your local insurance company.
What are the technical and financial equivalents for data? Well, there are packages like crypto-aes, or providers like TrueVault. So those technical solutions are the data equivalent of having a smoke detector or fire extinguisher. If you already have a house built of concrete, a fire extinguisher may not be needed. If not, they may be invaluable. Is the risk of avoiding a hypothetical data breach from discarded server drives and backup tapes sufficient to take the time to implement crypto-aes and possibly miss market opportunities? Maybe yes, maybe no. For a hospital it may be more important. For a personal health record or research group, maybe not. Maybe it can be put off until a hospital does become a client.
Regarding a BAA, keep in mind that it’s specifically care providers who have to comply with HIPAA. If your client is an actual clinic or hospital that accepts payment for primary care services, then they will be obligated to collect a BAA from you; but an application developer is not strictly speaking the one obligated to comply with HIPAA. It’s a subtle distinction, but in practice it means that you can let the client take the lead. If they want a formal BAA, sign it. If you want to sell to a hospital, prepare for something in depth. If you’re doing a project with an independent MD who’s acting as primary investigator, they might not even ask for one and substitute a series of emails instead.
BAAs are a good practice any which way. They will obligate you to certain behaviors and practices, and are a sign of good will and good faith and get everybody on the same page as to how they should be handling data. Sign your BAAs.
Anyhow, @chafey is correct… HIPAA is much more than simply software functionality. That’s why there’s only a few real technical requirements… SSL, user accounts, passwords, audit log. It’s a lot more about business process, controls, and risk management.
Long story short… sign BAAs when asked of you, use SSL, use user accounts and passwords at operating system, database, and application levels, have audit logs, have a risk management policy, and if you put all that together you’ll have the basics of a HIPAA compliance policy. When in doubt, if you’re not comfortable interpreting and enforcing HIPAA yourself, go with TrueVault or some other vendor advertising HIPAA compliance.