I agree with 95% of line items one, two, and three. The other 5% is in disagreement with regard to most of what his application is dealing with being ultimately "addressable". This all depends on what MCsolas and his team of lawyers determine as "reasonable" and "appropriate". Line item 4 may be a little draconian, but I haven't worked with the Navy's standards. ePHI (Electronic Protected Health Information) is sensitive; however, take into consideration the scope of the information: it is just a hop, skip, and a jump away from being public knowledge. Really, think of how many individuals on a daily basis see your personal ePHI when you visit your doctor for a general checkup. Hundreds if not thousands. It's a serious issue and I am not stating that the information is not important to protect, but maybe not by CIA standards (i.e. "top secret classified eyes-only").

1. You MUST be on a dedicated server, as access control MUST be tight and there's no way to guarantee access control on a shared server.
2. If the server is colocated or is leased as a dedicated server, you run into sticky situations. You cannot let ANYONE work on that server who isn't authorized to do so, including junkie data center techs. You must know at all times who is accessing that data or who may access that data. I recommend that you set up a server in-house and lock it up.
3. There MUST be some measure of secure authentication before any info is provided... preferably multiple layers.
4. Treat HIPAA sensitive info as top secret classified eyes-only. Super secret CIA spooks will swoop in on you in the middle of the night if you aren't compliant. Better get a copy of Catcher in the Rye.
5. Find another way to refer to patients than social security numbers. Create your own identifiers. Whatever. But SSNs should never be used. Even over SSL.

Oh, and line item five is good too. ;-) As long as you secure the store (database) of NewID# to SSN# more so than you normally would.