Re:HIPPA Regulations - go with PKI (Score 1)

Anothe HIPPA issue is that the "responsible party" is liable for a $1,000 fine for each medical record released to the public, up to $250,000. This is not a corporate fine. This is a personal fine. Make sure you're not consider the "responsible person." As far as the strength of passwords, they're pretty good unless they're flying over the net unencrypted (which it sounds like they're not) or if the back-end password database is compromised. The advantage of digital certs is that the backend database only has the 'public key' part, so there's nothing to compromise. I'd still use two-phase though (user name and cert, for example). Another issue is that you can't just allow people to come into the system with their "membership number" and request a passworded account, or some such. You need verification that they're who they say they are before you hand them an online account.