I'm sketching out some plans for a project that would deal with medical data. From what I understand reading HIPAA, I would be subject to all the guidelines as an outside entity or 'healthcare clearinghouse'. Does anyone have any experience making a webapp HIPAA compliant?
The regulations and potential liabilities, while understandable from a patient perspective, seem daunting for a startup to tackle.
For one, you won't want to host the app on a standard VPS or cloud service. You'll either want a well-locked-down dedicated server, or to go with a hosting company that specializes in secure servers. We used http://www.secure-24.com/ for the web app I built. It was a huge pain in the ass, as we had to get special permission from the host every time we wanted to install a ruby gem, and it usually took them at least an hour to get back to us.
Of course, you'll also want to make the entire site encrypted (a good practice anyway for any site with a login), and keep the database well locked-down.
The most difficult part for this app, though, was re-thinking some of the most common practices in web apps, such as the password reset. HIPAA compliance says that, for example, a 16-year-old girl going to the gynecologist has a right to privacy from her parents, such that they should be able to know nothing about it. But some families monitor their children's email. So, if the girl belongs to a doctor's office, and they tell her to go to the site to manage her appointments, but then she forgets her password, we can't just automatically send the password reset to her email.
Likewise, be careful of things like what the failed login message says. If it indicates that the email does indeed exist, but that the password is wrong, that's not good, as it gives the user (who may or may not own that email address) some info about the person who owns that email: that they do have an account on your site.
One other thing is, you have to have a unique identifier for each person, a really unique identifier. At first, we were going to go with social security number, but you'd be surprised how un-unique that actually is. Aside from the fact that a lot of people in the US don't have an SSN, there are also duplicates from illegal immigrants and other people who obtained their number by some illegal means. I don't recall where, but there was some study done that showed that cell-phone number is much closer to being able to identify people 1:1 than SSN in the US.
Anyway, those are the things I can remember off the top of my head; it was a few years ago. I hope it helps. Just whatever you do, don't make it harder than it is, and don't skimp on any of the rules; this stuff is important and exists for a reason.
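The two points above about the failed-login message and the password reset both come down to the same rule: the response a visitor sees must not depend on whether an account exists for that email. The following is an added Ruby example, not code from the thread or from any project mentioned in it. It assumes an in-memory user store (`USERS`), a hypothetical `reset_channel` chosen when the account is created (so a reset request is routed to that channel, never automatically to the email), and a dummy password hash so that a lookup miss costs the same time as a wrong password. All account data in it is constructed sample data.

```ruby
require 'openssl'
require 'securerandom'

# Constructed in-memory store; a real app would use a database. Values are sample data.
USERS = {}
# Where reset requests are queued instead of being emailed automatically (assumption).
RESET_OUTBOX = []

PBKDF2_ITERATIONS = 100_000

# Salted PBKDF2-HMAC-SHA256 password hashing (Ruby's standard openssl binding).
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: 'sha256')
end

# reset_channel is the out-of-band channel the account holder picked at enrollment,
# e.g. :in_person or :phone (hypothetical; the thread does not prescribe one).
def register(email, password, reset_channel)
  salt = SecureRandom.random_bytes(16)
  USERS[email.downcase] = { salt: salt, digest: hash_password(password, salt),
                            reset_channel: reset_channel }
end

# Dummy credentials hashed for unknown emails so timing does not reveal existence.
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY_DIGEST = hash_password(SecureRandom.hex(16), DUMMY_SALT)

# Constant-time byte comparison: no early exit on the first mismatching byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One generic message for every failure: wrong password and unknown email look identical.
GENERIC_LOGIN_FAILURE = 'Invalid email or password.'.freeze
GENERIC_RESET_MESSAGE = 'If an account exists for that address, reset instructions ' \
                        'will be delivered through the method chosen at enrollment.'.freeze

def login(email, password)
  user = USERS[email.downcase]
  salt = user ? user[:salt] : DUMMY_SALT
  digest = user ? user[:digest] : DUMMY_DIGEST
  # The hash is always computed, even for unknown emails, to equalize response time.
  matched = constant_time_equal?(hash_password(password, salt), digest)
  return { ok: true } if user && matched
  { ok: false, message: GENERIC_LOGIN_FAILURE }
end

# Returns the same text whether or not the account exists; the only difference is a
# queued out-of-band delivery that the requester never sees.
def request_reset(email)
  user = USERS[email.downcase]
  if user
    RESET_OUTBOX << { email: email.downcase, channel: user[:reset_channel],
                      token: SecureRandom.urlsafe_base64(32) }
  end
  GENERIC_RESET_MESSAGE
end

# Stand-alone demo with constructed data.
register('demo@example.com', 'correct horse battery', :in_person)
puts login('demo@example.com', 'correct horse battery').inspect   # {:ok=>true}
puts login('demo@example.com', 'wrong').inspect                   # generic failure
puts login('nobody@example.com', 'wrong').inspect                 # identical generic failure
```

The wording of `GENERIC_RESET_MESSAGE` matters as much as the code path: a message such as "we've emailed you a link" confirms the account exists, while the phrasing above tells an unrelated visitor nothing either way.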