1. What would be involved in implementing Record/Field level security in a DB2 or MySQL database with either PHP or ColdFusion?
2. Is the security sufficient to handle HIPAA requirements for handling Protected Health Information?
1. The answer, I think, is "it depends".
It depends on whether it is possible to make authorization tests outside of the database (i.e., in the application) or whether they must be made by the db itself.
I can comment only wrt PHP.
If ColdFusion supports calls to an external program, as PHP does, then it ought to be ok.
Depending on the details, either calling dacscheck from within a PHP program or wrapping the PHP program with DACS (if the PHP program is run as a CGI) might be workable approaches.
For either approach, the main issue is usually whether it is possible to tell which record/field is being accessed (and how: read-only? create? update? delete?) simply by inspecting the arguments to the PHP program. If it is not possible, then the authorization checks must be made at a lower level than the PHP application, because it cannot know which underlying records and fields are being used; inserting calls to dacscheck at that level might work but would require some expertise with the particular dbms. If it is possible, then little programming (just call dacscheck as necessary from the application) or no programming (just configure DACS rules to look at the arguments to the PHP program) would be required.
2. I have no experience with HIPAA requirements.
Going only by the Wikipedia article, however, I don't see any particular issues with the technical safeguards that are listed under the Security Rule, provided DACS is used and configured in the recommended manner. In fact, DACS would seem to be the least of your problems wrt meeting HIPAA rules. I don't know if there is some kind of HIPAA certification process though.
Hope this helps.
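
The application-level approach described in the answer above, as an added example that is not part of the original reply or of DACS: the PHP program derives the record/field and the operation from its own arguments, then asks an external checker and fails closed. The wrapper path `/usr/local/bin/check-access`, its argument order, its exit-status convention and the request argument names are assumptions; how the wrapper invokes dacscheck with the site's rules is left to the site.

```php
<?php
// Added illustration, not DACS code. The wrapper path, its argument order
// and the request argument names (op, table, id, field) are assumptions.
const CHECKER = '/usr/local/bin/check-access'; // hypothetical site wrapper around dacscheck

// Work out which record/field is touched, and how, from the request
// arguments alone. Returns null when they do not say, which is the case
// where the check has to move below the application.
function describe_access(array $args): ?array
{
    $ops = ['read', 'create', 'update', 'delete'];
    if (!isset($args['op'], $args['table'], $args['id'])
        || !in_array($args['op'], $ops, true)) {
        return null;
    }
    $object = '/records';
    foreach (['table', 'id', 'field'] as $key) {
        if (!isset($args[$key])) {
            continue; // only 'field' can be absent here: record-level access
        }
        // Simple identifiers only, so the object name is unambiguous.
        if (!is_string($args[$key]) || !preg_match('/^[A-Za-z0-9_]{1,64}$/D', $args[$key])) {
            return null;
        }
        $object .= '/' . $args[$key];
    }
    return ['op' => $args['op'], 'object' => $object];
}

// Ask the external checker. Exit status 0 is taken as "granted" (assumed
// wrapper convention); a denial, an error or a checker that cannot be
// started all count as "denied".
function is_authorized(string $user, array $access): bool
{
    $cmd = [CHECKER, $user, $access['op'], $access['object']];
    $discard = ['file', '/dev/null', 'w'];
    $proc = @proc_open($cmd, [1 => $discard, 2 => $discard], $pipes);
    return is_resource($proc) && proc_close($proc) === 0;
}

// Constructed sample request: update one field of one record.
$args = ['op' => 'update', 'table' => 'patients', 'id' => '1042', 'field' => 'diagnosis'];
$access = describe_access($args);
if ($access === null || !is_authorized('alice', $access)) {
    http_response_code(403);
    exit("Forbidden\n");
}
echo "Granted: {$access['op']} {$access['object']}\n";
```

The array form of `proc_open` needs PHP 7.4 or later and bypasses the shell, so the user name and object name reach the checker as separate arguments.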