Can you expand on that? Everyone I've spoken with about HIPAA says that most companies don't even bother to comply and that nobody is enforcing it. Then again, these people work for companies that are small enough that they've never had a breach.
That's rather scary to hear, and I can't imagine that they manage to secure access to any of the major datasets, e.g. as contractors for hospitals or insurance companies.
You can basically self-certify, but most serious companies will bring in an outside contractor on an ongoing basis to certify compliance. Staff needs to be trained, computers need to be managed, software changes have to be very thoroughly reviewed, updates become slow. It makes it pretty unattractive to enter into for a lot of devs.