[THIN] Off Topic: HIPAA - my brain hurts
- From: "Greg Reese" <GReese@xxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>, <windows2000@xxxxxxxxxxxxx>
- Date: Tue, 22 Apr 2003 15:31:08 -0400
Sorry for the off topic post but after spending a few hours going through the Federal Register I am a little fried.

I am trying to find something in the HIPAA rules that spells out what makes an application "HIPAA Compliant" or not. Mainly, I am trying to settle a dispute with a programmer.

The programmer has a user table that has all the users and passwords in it for his application. He stores the password in this table as clear text. Because he lets the users click on their user id from a list, all users have read access to this table. That means anybody that wanted to could use Access or something and read the table and learn everyone's password for this app. This is not my AD security. Only application specific security. He also gives them no way to change their password. They have to call me and tell me what to change it to. I don't want to know their passwords and think this is a bad idea too.

I think keeping a password as clear text is poor programming technique, reckless/stupid, and does not meet the specifications for patient confidentiality required by HIPAA.

I need to show my bosses something that says as much in the HIPAA regs. They're backing me up (which is nice) but the programmer insists this is accepted practice and is ok to do. I have done some digging in the HIPAA standards but the parts that aren't confusing as hell put me to sleep.

Has anyone been through any of this that could point me to the right place?

Thanks!
Greg
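
The design described in the post above, reworked as an added example (not part of the original message and not the programmer's code): the login pick-list reads a view that exposes only user ids, passwords are stored as salted PBKDF2 hashes, and users change their own password. The table name, view name, function names and work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune upward for production

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_users ("
               "user_id TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    # The pick-list queries this view only. On a multi-user DBMS, grant users
    # SELECT on the view and nothing on app_users (SQLite itself has no grants).
    db.execute("CREATE VIEW login_list AS SELECT user_id FROM app_users")
    return db

def add_user(db, user_id, password):
    salt, digest = hash_password(password)
    db.execute("INSERT INTO app_users VALUES (?, ?, ?)", (user_id, salt, digest))

def verify(db, user_id, password):
    row = db.execute("SELECT salt, pw_hash FROM app_users WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def change_password(db, user_id, old, new):
    """Self-service change: the administrator never learns either password."""
    if not verify(db, user_id, old):
        return False
    salt, digest = hash_password(new)
    db.execute("UPDATE app_users SET salt = ?, pw_hash = ? WHERE user_id = ?",
               (salt, digest, user_id))
    return True

if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "constructed-sample-pw")  # constructed sample data
    print([r[0] for r in db.execute("SELECT user_id FROM login_list")])
    print(change_password(db, "alice", "constructed-sample-pw", "new-sample-pw"))
```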