Can anyone point me in the direction of a concise list/outline of HIPAA requirements for software apps.

We generally leave it up to our clients to determine the compliance of the apps that we customize for them, but we would like to know the true requirements.

McCue, Heather: FileMaker and HIPAA – A Tool of Compliance, 37 pages

FileMaker and HIPAA

See the description of PatientFM that claims to be "HIPAA Secure"

PatientFM

Overview in Wikipedia

HIPAA

[color:red]Accounts and Privileges:

Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function.

The procedures must address access authorization, establishment, modification, and termination.

Covered entities must also authenticate entities it communicates with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.

[color:red]Encryption / SSL (FileMaker Server 9):

Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.

[color:red]Audit trail / audit logging

Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.

Happy FileMaking Ralph Nusser

Sogetes Computer-Services

Thanks a bunch!