Q&A: OCR Director Leon Rodriguez talks audits and enforcements to come
Question: You touched upon compliance for BAs. I am that BA. Unfortunately, or fortunately, I am on the hook, as is the covered entity. Except the covered entity is clueless…they don't know, understand or are resigned to the fact that they have to obey the rules. BAs are responsible for maybe the technological end. I wish there was more clarity, as an IT professional, about the rules with specific technology, which should change as technology changes…IT people do well when they have specifics.
Rodriguez: I will still stand by the basic point, which is that we're technologically agnostic. I think that is a correct statement of our position. That doesn't mean that there is a complete absence of technological guidance out there…That's an important point for us to hear because we're in an ongoing discussion with the National Institutes of Standards Technology, which has put out a list of acceptable encryption standards and, I think, is open to doing more if that's what turns out to be useful for the industry…I do return to my basic point: We are looking more at a process than a particular technological decision, and so I think we're far away from the day that we're going to say, 'Well, we don't like the particular technology you chose, and that's the basis of enforcement.' We're nowhere near that kind of environment at this point.