by panorama 4108 days ago
I'm not too familiar with the field, but I'd also assess whether or not the data you're acquiring needs to be encrypted/handled in a certain way due to HIPAA-related compliance. That's potentially the most relevant worry you should have if your developer(s) are decent enough.

HIPAA is surprisingly vague about the minimum standards for compliance, calling encryption "addressable" instead of "required"[1]. I believe this goes for both data in transit (HTTPS) and data at rest. I've seen some say that HTTPS is required, but I can't find this on the gov site. My understanding is that if you choose not to encrypt, the burden of proof is on you, should anything bad happen, to prove that implementing it was not "reasonable and appropriate". Since I can't think of any circumstances where sending plain-text patient info over the internet is reasonable, I'll choose to encrypt. The other things for HIPAA compliance are complete audit logging, so you can see who has accessed anything, and training of staff who have access to protected health info.

Most HIPAA recommendations seem to be a good idea to do anyway.

[1] http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.h...

Hire someone who has done HIPAA before.