Q: Internet Security and HIPAA ( No Answer,   2 Comments )
Question  
Subject: Internet Security and HIPAA
Category: Computers
Asked by: svannes-ga
List Price: $10.00
Posted: 29 Feb 2004 20:31 PST
Expires: 05 Mar 2004 11:43 PST
Question ID: 312184
This is a question that could fit into multiple categories, but I'm
hoping to get a good "geeky" response from a knowledgeable web
security expert... so here goes.  I am in the process of bidding on a
job in which sensitive patient information would be stored, accessed
and modified in an online MySQL database.  The data will be accessed
over the web by a group of scientists studying depression in this
group of patients.  One of the major current issues in biomedical
research in the US is HIPAA, a law that, among other things, sets
standards for protecting patient confidentiality and data such as
those in question.  Despite my efforts, I have not been successful in
determining a clear answer as to what the requirements for HIPAA
compliance are from a web security standpoint.  Obviously I would like
to appropriately address the client's security concerns, but desire to
keep development costs down such as to offer a realistic, yet
competitive bid.  Any information as to what the precise HIPAA
requirements are from a web security standpoint would be appreciated. 
I would be particularly interested, however, in knowing whether or not
SSL is the standard for HIPAA compliance or if other (free or less
expensive) methods are also in accordance with HIPAA guidelines. 
Please be liberal with the references.  Bonus for an exceptionally
helpful answer.  Thanks.
Answer  
There is no answer at this time.

Comments  
Subject: Re: Internet Security and HIPAA
From: ispcoo-ga on 01 Mar 2004 06:43 PST
 
As this is far from complete, I am adding it as a comment as opposed to an answer.

Interestingly enough, the web security (i.e., data transfer
protocol/encryption) aspect of HIPAA is only a small part of the total
picture. HIPAA compliance involves physical security of the server
hosting the data as well as extensive documentation of the policies
and personnel with access to the server/data. In most cases it is far
easier and more cost effective to contract your hosting to an
organization that has already met all the criteria and focus on the
application development portion of things.
Subject: Re: Internet Security and HIPAA
From: get_it_done-ga on 01 Mar 2004 10:06 PST
 
First you need to go to this site: http://www.wedi.org/  ---I am
offering this as an answer, though I think you need to research the
topic personally, as your question is limited to a very small venue in
a very large and complex arena involving politics, medical records and
billing, patient / doctor confidentiality, etc.  --When I first
started dealing with HIPAA Compliance, I had the same idea as you -
that it mostly dealt with patient confidentiality. The reality
however is that the Health Insurance Portability and Accountability Act
was devised to protect patients and simplify the industry as a
whole.-- Basically - there are over 400 code sets that are used for
everything from billing to diagnostic info.  In short, it standardizes
the industry - and what you are really asking is- what are those
standards? -So, rather than post the hundreds of pages of legal text
here - I refer you to the site above, which has complete information
regarding what you are looking for- specifically how HIPAA pertains to
electronic data exchange.  -- I am going to paste this info
specifically on security standards however--

Security Standards

Overview: 
There is often confusion about the difference between privacy,
confidentiality and security. In the context of HIPAA, privacy
determines who should have access, what constitutes the patient's
rights to confidentiality, and what constitutes inappropriate access
to health records. Confidentiality establishes how the records (or the
systems that hold those records) should be protected from
inappropriate access. Security is the means by which you ensure
privacy and confidentiality.

Background: 
One of the provisions of HIPAA calls for electronic data interchange
(EDI) transaction standards. The logic behind the set of requirements
was that it would facilitate the computer-computer exchange of
information throughout the care delivery system. Making these
transactions easier, however, may increase the risk of inappropriate
access to sensitive information. Consequently HIPAA also calls for
security standards.

Goal: 
The new security standards were designed to protect all electronic
health information from improper access or alteration, and to protect
against loss of records. Health plans, health care clearinghouses, and
health care providers would use the security standards to develop and
maintain the security of all electronic individual health information.
The Security and Electronic Signature Standards have set the minimum
level, or "floor", of security for individually identifiable health
information maintained in or transmitted by health care organizations.
The electronic signature standard is applicable only with respect to
use with the specific transactions defined in the Health Insurance
Portability and Accountability Act of 1996, and when it has been
determined that an electronic signature must be used.

Specifics: 
The proposed regulation on Security standards has categorized the
requirements into six categories: administrative procedures; physical
safeguards; security configuration management; technical security
services; technical security mechanisms; and electronic signatures.
Although the requirements in these categories overlap, they are
intended to help organizations understand the different types of
requirements needed for a comprehensive security approach.

Administrative Procedures: 
Certification 
Chain of Trust Partner Agreements 
Contingency Plan 
Formal Mechanism for Processing Records 
Information Access Control 
Internal Audit 
Personnel Security 

Physical Safeguards: 
Assigned Security Responsibility 
Media Controls 
Physical Access Controls 
Policy / Guidelines on Workstation Use 
Secure Workstation Location 
Security Awareness Training 

Security Configuration Management: 
Security Incident Procedures 
Security Management Process 
Termination Procedures 
Training 

Technical Security Services: 
Access Controls 
Audit Controls 
Authorization Controls 
Data Authentication 
Entity Authentication 

Technical Security Mechanisms: 
Communication/Networking Controls 
Network Controls 

Electronic Signature: 
Digital Signature 

Each health care organization is also required to designate someone as
having the responsibility of ensuring that the company complies with
the minimal level of security as outlined in the regulations.

Impact: 
Whether your organization's current security infrastructure meets the
minimum security standards or not, every organization covered by the
standards will need to have the ability to demonstrate that effective
management, operational, and technical controls are in place and that
they comply with the minimum level.

Benefits: 
This will ensure the confidentiality of individually identifiable
health care data.

Background papers courtesy of Walter Suarez, MD, Executive Director of
the Minnesota Health Data Institute and the Minnesota Electronic
Commerce Healthcare Users Group (MEHUG).

Finally, here is your answer. The HIPAA standard for electronic data
exchange is HTML, SSL not being specifically required; however, user
authentication is.
The way for you to do this is simply to set up a Windows 2003 Server
with SQL and your program. Host the database from that server. Set up
Terminal Services on that server, and let the 128-bit encryption from
the Windows or SQL logons manage the security for you. Definitely
check out that site though.
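The "Technical Security Services" list above names two controls that a web application storing patient data has to implement in code rather than in policy: audit controls and data authentication. In the proposed rule those lists are drawn from, data authentication means corroborating that data has not been altered or destroyed in an unauthorized manner, with a checksum, message authentication code or digital signature given as acceptable means. The following is an added example, not code from the question or either comment, showing one way to do both for rows held in a database: an HMAC-SHA256 tag over each stored record, and a hash-chained audit trail in which each entry commits to the one before it. The patient record, the user names and the key are constructed sample data; in a real deployment the key lives in the application's configuration, never in the database it protects.

```python
"""Tamper-evident storage for patient records (added example, not from the page).

Data authentication: an HMAC-SHA256 tag over each stored row.
Audit controls: an append-only log whose entries are hash-chained, so deleting
or editing an earlier entry is detectable.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: a server-side key held in application config, outside the database.
# Constructed placeholder; a real key is 32 random bytes from os.urandom().
RECORD_KEY = b"example-key-replace-with-32-random-bytes"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always produce equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = RECORD_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its content."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "mac": tag}


def verify_record(sealed: dict, key: bytes = RECORD_KEY) -> bool:
    """True only if the stored content still matches its tag (constant-time compare)."""
    body = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("mac", ""))


class AuditLog:
    """Append-only log; every entry records the hash of its predecessor."""

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self):
        self.entries = []

    def append(self, user: str, action: str, record_id: str, when: str = "") -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "when": when or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "record_id": record_id,
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Walk the chain; any edited, removed or reordered entry breaks a link."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    """Constructed walk-through: seal a row, then tamper with the row and the log."""
    # Constructed sample record for a depression study (PHQ-9 is a depression questionnaire).
    row = seal_record({"patient_id": "P-0001", "phq9_score": 14, "visit": "2004-02-29"})
    log = AuditLog()
    log.append("dr_smith", "read", "P-0001", when="2004-03-01T09:00:00+00:00")
    log.append("dr_smith", "update", "P-0001", when="2004-03-01T09:05:00+00:00")

    results = {"clean_row": verify_record(row), "clean_log": log.verify()}

    altered = dict(row, phq9_score=3)   # an edit made directly in the database
    results["altered_row"] = verify_record(altered)

    del log.entries[0]                  # someone removes the "read" event
    results["altered_log"] = log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The tag only proves that whoever wrote the row held the key, so it detects edits made by someone with database access but without application access; it does not replace access control on the application itself, nor transport protection for the web connection the question asks about. The log's chain anchors at a fixed genesis value; to detect truncation of the most recent entries you would also record the latest hash somewhere the database administrator cannot reach.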
