I'm not subject to the HIPAA regulations but as a programmer and system admin I would NEVER store unencrypted passwords in any form. It smacks of laziness or lack of programming ability to me.

-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: 22 April 2003 20:31
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Off Topic: HIPAA - my brain hurts

Sorry for the off topic post but after spending a few hours going through the Federal Register I am a little fried.

I am trying to find something in the HIPAA rules that spells out what makes an application "HIPAA Compliant" or not. Mainly, I am trying to settle a dispute with a programmer.

The programmer has a user table that has all the users and passwords in it for his application. He stores the password in this table as clear text. Because he lets the users click on their user id from a list, all users have read access to this table. That means anybody that wanted to could use Access or something and read the table and learn everyone's password for this app. This is not my AD security. Only application specific security. He also gives them no way to change their password. They have to call me and tell me what to change it to. I don't want to know their passwords and think this is a bad idea too.

I think keeping a password as clear text is poor programming technique, reckless/stupid, and does not meet the specifications for patient confidentiality required by HIPAA.

I need to show my bosses something that says as much in the HIPAA regs. They're backing me up (which is nice) but the programmer insists this is accepted practice and is ok to do. I have done some digging in the HIPAA standards but the parts that aren't confusing as hell put me to sleep.

Has anyone been through any of this that could point me to the right place?

Thanks!

Greg
==================================
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
==================================
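As an added illustration (not code from either poster or from the application under discussion), the following Python shows the alternative to a clear-text password column: the user table keeps only a salted, iterated hash, the login pick-list exposes user ids without exposing anything useful about the passwords, and users change their own password by proving they know the old one, so no administrator ever needs to be told it. The column layout, the `pbkdf2_sha256$iterations$salt$hash` verifier format and the iteration count are assumptions chosen for the example; the standard library's `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are used as documented.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed parameters for this example: 16-byte random salt per user and a
# PBKDF2 iteration count; raise the count as far as login latency allows.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier string (assumed format):
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.
    A fresh random salt means two users with the same password get
    different rows, so the table never reveals shared passwords."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = verifier.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserTable:
    """Constructed in-memory stand-in for the application's user table.
    Rows hold (user_id -> verifier); a clear-text password is never stored."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self._rows: Dict[str, str] = {}
        self._iterations = iterations

    def add_user(self, user_id: str, password: str) -> None:
        self._rows[user_id] = hash_password(password, self._iterations)

    def list_user_ids(self):
        """What the login pick-list may read: ids only, no verifier column."""
        return sorted(self._rows)

    def login(self, user_id: str, password: str) -> bool:
        verifier = self._rows.get(user_id)
        if verifier is None:
            # Hash anyway so an unknown id costs the same time as a wrong password.
            hash_password(password, self._iterations)
            return False
        return verify_password(password, verifier)

    def change_password(self, user_id: str, old_password: str, new_password: str) -> bool:
        """Self-service change: the caller proves the old password, then a new
        salted verifier replaces the row. No admin involvement, no phone call."""
        if not self.login(user_id, old_password):
            return False
        self._rows[user_id] = hash_password(new_password, self._iterations)
        return True

    def stored_verifier(self, user_id: str) -> str:
        """Exposed only so the example can show the row content is not the password."""
        return self._rows[user_id]


if __name__ == "__main__":
    table = UserTable()
    table.add_user("greg", "correct horse battery staple")
    print(table.list_user_ids())
    print("login ok:", table.login("greg", "correct horse battery staple"))
    print("stored row:", table.stored_verifier("greg"))
    print("change ok:", table.change_password("greg", "correct horse battery staple", "new-pass-1"))
```

Run stand-alone, the script prints the id list, a successful login, the stored row (which contains the salt and hash but not the password) and a successful self-service change. A low iteration count in `UserTable(iterations=...)` is only for fast tests; production rows should use the default or higher.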