[windows2000] Re: Off Topic: HIPAA - my brain hurts

  • From: "Rod Falanga" <rjfalanga@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Wed, 23 Apr 2003 06:44:26 -0600

Greg,

We have to deal with HIPAA where I work, too.  The whole issue of "HIPAA Compliant" code/software is a big one for me.  I've been asking for clarification as to how much we have to comply to it, but have never heard.  Probably a good part of why I haven't heard is because we've been undergoing a change in management, and so other issues have come to the fore.

Anyway, not that I claim to be any expert concerning HIPAA, but I do think that the programmer you're referring to is likely to be correct.  I do not believe that HIPAA would address the form in which users' passwords are protected (or not).  Mainly because HIPAA addresses patient health records, how they're stored, protected and transmitted; and a password is not a part of the patient's health.  (I'm just addressing the technical nature of HIPAA, to the extent that I understand it.  I am not addressing the lack of security with regards to the passwords themselves.)  Personally, and professionally for that matter, I would agree with the programmer that passwords for users are not a part of HIPAA, since they are users' passwords and not patients' passwords.  I would doubt that patients even have passwords (in most organizations).

As I've written the above, a thought occurred to me that might help you.  I still believe that, generally speaking, the saving of passwords for users (who are not necessarily patients and probably in most cases are not) in plain text does not violate HIPAA requirements.  However, if some (all?) of those passwords could be used by anyone to access applications which give direct access to patients' protected health information, then by extension of the HIPAA requirements I'd say that leaving passwords in plain text could lead to the potential for violating HIPAA confidentiality.

Rod

> -----Original Message-----
> Subject: [windows2000] Off Topic: HIPAA - my brain hurts
> Date: Tue, 22 Apr 2003 15:31:08 -0400
> From: "Greg Reese" <GReese@xxxxxxxxxxxxxxxx>
>
> Sorry for the off topic post but after spending a few hours going through the Federal Register I am a little fried.
>
> I am trying to find something in the HIPAA rules that spells out what makes an application "HIPAA Compliant" or not.  Mainly, I am trying to settle a dispute with a programmer.
>
> The programmer has a user table that has all the users and passwords in it for his application.  He stores the password in this table as clear text.  Because he lets the users click on their user id from a list, all users have read access to this table.  That means anybody that wanted to could use Access or something and read the table and learn everyone's password for this app.  This is not my AD security.  Only application specific security.  He also gives them no way to change their password.  They have to call me and tell me what to change it to.  I don't want to know their passwords and think this is a bad idea too.
>
> I think keeping a password as clear text is poor programming technique, reckless/stupid, and does not meet the specifications for patient confidentiality required by HIPAA.
>
> I need to show my bosses something that says as much in the HIPAA regs.  They're backing me up (which is nice) but the programmer insists this is accepted practice and is ok to do.  I have done some digging in the HIPAA standards but the parts that aren't confusing as hell put me to sleep.
>
> Has anyone been through any of this that could point me to the right place?
>
> Thanks!
>
>
> Greg
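The situation Greg describes (clear-text passwords in a table every user can read, and no way for users to change their own password) is the part a developer can fix regardless of how the HIPAA question is settled. The following is an added example, written for this archive page and not code from either poster or their application; it uses Python's standard-library PBKDF2 and a constructed in-memory "user table" as a stand-in for the real one. The iteration count and the record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 with this many iterations; pick a cost
# that is acceptable for your login latency on the hardware you run on.
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Return what the user table should store instead of the clear-text password.

    A fresh random salt per user means two users with the same password get
    different hashes, and a reader of the table cannot precompute one
    lookup that cracks everyone at once.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def change_password(table: dict, user_id: str, old: str, new: str) -> bool:
    """Let a user rotate their own password after proving the old one.

    Nobody else (including the administrator) needs to learn the new value.
    """
    if user_id not in table or not verify_password(table[user_id], old):
        return False
    table[user_id] = make_record(new)
    return True


def list_user_ids(table: dict) -> list:
    """All the login form's "pick your user id" list needs: the ids, nothing else.

    Even if a user can read the whole table, the records hold only salts
    and hashes, so read access no longer reveals anyone's password.
    """
    return sorted(table)


if __name__ == "__main__":
    # Constructed sample table: two users, one of them with a weak password.
    users = {"greg": make_record("letmein"), "rod": make_record("letmein")}
    print("ids shown to the login form:", list_user_ids(users))
    print("same password, different stored hashes:",
          users["greg"]["hash"] != users["rod"]["hash"])
    print("greg logs in:", verify_password(users["greg"], "letmein"))
    print("greg changes password:", change_password(users, "greg", "letmein", "n3w-pass"))
    print("old password rejected:", verify_password(users["greg"], "letmein"))
```

Read access to such a table is still worth restricting (an offline guessing attack against weak passwords remains possible), but it no longer hands every user every other user's password, and the self-service change function removes the need for an administrator to know them.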


