The Healthcare IT Guy gives some good food for thought when looking at your database administrator and the security of your database. Database administrators often have access to all of the medical information simply by querying the database directly, and that access often goes unaudited and unmanaged. As part of any HIPAA policy this issue should be addressed and documented. The best way I know how to do this is through implementing a strict policy with stiff penalties if it is ever breached. I think it would be hard to prove that a DBA breached it, but at least it can insulate you from the “HIPAA police”. I’ll continue my research on the subject and post my findings here as I find them. Unfortunately, I expect that many of them will be database-vendor specific.
More importantly, you should seriously consider who you’re hiring as your database administrator. They really have the power to do all sorts of harm if they wanted to.