HIPAA database requirements – who needs to meet them?