Greg,

We have to deal with HIPAA where I work, too. The whole issue of "HIPAA Compliant" code/software is a big one for me. I've been asking for clarification as to how much we have to comply with it, but have never heard. Probably a good part of why I haven't heard is because we've been undergoing a change in management, and so other issues have come to the fore.

Anyway, not that I claim to be any expert concerning HIPAA, but I do think that the programmer you're referring to is likely to be correct. I do not believe that HIPAA would address the form in which users' passwords are protected (or not). Mainly because HIPAA addresses patient health records, how they're stored, protected and transmitted; and a password is not a part of the patient's health. (I'm just addressing the technical nature of HIPAA, to the extent that I understand it. I am not addressing the lack of security with regards to the passwords themselves.)

Personally, and professionally for that matter, I would agree with the programmer that passwords for users are not a part of HIPAA, since they are users' passwords and not patients' passwords. I would doubt that patients even have passwords (in most organizations).

As I've written the above, a thought occurred to me that might help you. I still believe that, generally speaking, the saving of passwords for users (who are not necessarily patients and probably in most cases are not) in plain text does not violate HIPAA requirements. However, if some (all?) of those passwords could be used by anyone to access applications which give direct access to patients' protected health information, then by extension of the HIPAA requirements I'd say that leaving passwords in plain text could lead to the potential for violating HIPAA confidentiality.

Rod

> -----Original Message-----
> Subject: [windows2000] Off Topic: HIPAA - my brain hurts
> Date: Tue, 22 Apr 2003 15:31:08 -0400
> From: "Greg Reese" <GReese@xxxxxxxxxxxxxxxx>
>
> Sorry for the off topic post but after spending a few hours going through the Federal Register I am a little fried.
>
> I am trying to find something in the HIPAA rules that spells out what makes an application "HIPAA Compliant" or not. Mainly, I am trying to settle a dispute with a programmer.
>
> The programmer has a user table that has all the users and passwords in it for his application. He stores the password in this table as clear text. Because he lets the users click on their user id from a list, all users have read access to this table. That means anybody that wanted to could use Access or something and read the table and learn everyone's password for this app. This is not my AD security. Only application specific security. He also gives them no way to change their password. They have to call me and tell me what to change it to. I don't want to know their passwords and think this is a bad idea too.
>
> I think keeping a password as clear text is poor programming technique, reckless/stupid, and does not meet the specifications for patient confidentiality required by HIPAA.
>
> I need to show my bosses something that says as much in the HIPAA regs. They're backing me up (which is nice) but the programmer insists this is accepted practice and is ok to do. I have done some digging in the HIPAA standards but the parts that aren't confusing as hell put me to sleep.
>
> Has anyone been through any of this that could point me to the right place?
>
> Thanks!
>
> Greg
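The fix Greg is arguing for, as an added example that is not code from either poster: the clear-text user table he describes beside a salted-hash layout, a self-service password change so nobody has to phone the admin, a user-id list that needs only the id column, and a check that a raw dump of the table (what Access would show) reveals no password. The sample users, their passwords and the PBKDF2 iteration count are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample of the situation in the thread: a table every user can
# read, with each password stored as clear text.
PLAINTEXT_TABLE = {"greg": "Winter2003", "rod": "letmein"}
PBKDF2_ROUNDS = 100_000  # assumption: iteration count picked for this example

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def store_password(table, user, password):
    """Write a per-user random salt and a PBKDF2 hash instead of the password."""
    salt = os.urandom(16)
    table[user] = {"salt": salt.hex(), "hash": _derive(password, salt).hex()}

def verify_password(table, user, password):
    """True only if the candidate recomputes to the stored hash."""
    row = table.get(user)
    if row is None:
        _derive(password, b"\0" * 16)  # unknown user costs the same as a wrong password
        return False
    candidate = _derive(password, bytes.fromhex(row["salt"])).hex()
    return hmac.compare_digest(candidate, row["hash"])

def change_password(table, user, old_password, new_password):
    """Self-service change: the user proves the old password; no admin sees either."""
    if not verify_password(table, user, old_password):
        return False
    store_password(table, user, new_password)
    return True

def user_ids(table):
    """The pick-a-user list only needs the ids, never the password column."""
    return sorted(table)

def migrate(plaintext_table):
    """One-time conversion of the clear-text table to the hashed layout."""
    hashed = {}
    for user, password in plaintext_table.items():
        store_password(hashed, user, password)
    return hashed

def table_leaks_passwords(table, known_passwords):
    """Check: does a raw dump of the table contain any of the known passwords?"""
    dump = repr(table)
    return any(pw in dump for pw in known_passwords)
```

Because the hashed layout holds only hex strings, the leak check cannot match a password by accident; the same check run on the clear-text table fails immediately.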