
HIPAA & Access

Status
Not open for further replies.

LarryDeLaruelle

Technical User
May 19, 2000
US
Is anyone else faced with addressing the HIPAA security requirements on Access databases?

The specific areas I need to address are:

Log-in Monitoring: procedures for monitoring log in attempts and reporting discrepancies; and

Password Management: procedures for requiring password change and preventing 'weak' passwords.

Access does not provide a native way of addressing these two issues. Anyone have any ideas of how to manage this in code?

Thanks.

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
Maybe if you ran your "login" procedures in Database1 before allowing anyone access to Database2, where your application is stored. This way, someone must type their username/password into YOUR form, which can then log an access attempt into a table. You can then also check to see how old a user's password is and force them to change it before they are allowed to log in to Database2. As for "weak/bad" passwords, you're pretty much on your own.

This is a somewhat bad solution, but it "works". It will at least look compliant, though ridden with security holes. Then again, Access is one large security hole in the first place.


As an alternate solution, consider a database server which would then track username/password information itself, thus easing the reliance on Access/JET security.
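The gate database fookio12 sketches above, written out as an added example that is not code from the original post or from any product mentioned in this thread: a VBA module for the "login" front end that logs every attempt, checks the password's age, and rejects weak passwords before storing a salted hash instead of the plaintext. The table names (tblUsers, tblLoginLog), field names, and the two thresholds are assumptions made for the example; the hashing and salt generation use the .NET Framework classes that Windows exposes to COM, so they need the Framework on the workstation.

```vba
Option Compare Database
Option Explicit

' Added example for this thread, not code from any of the posts. Assumes two hypothetical tables in the
' front-end "login" database (fookio12's Database1); MAX_PWD_AGE_DAYS and MIN_PWD_LEN are illustrative:
'   tblUsers(UserName TEXT, PwdSalt TEXT, PwdHash TEXT, PwdChanged DATE)
'   tblLoginLog(LogTime DATE, UserName TEXT, Workstation TEXT, Success YESNO)
Private Const MAX_PWD_AGE_DAYS As Integer = 90
Private Const MIN_PWD_LEN As Integer = 8

Public Enum LoginResult
    LoginOK = 0
    LoginBadCredentials = 1
    LoginPasswordExpired = 2   ' password correct but too old: force a change before opening Database2
End Enum

' Temporary parameter query (pUser plus any extra parameters): what the user typed never becomes SQL text.
Private Function UserQuery(db As DAO.Database, ByVal sql As String, ByVal userName As String, _
                           Optional ByVal extraParams As String = "") As DAO.QueryDef
    Dim qd As DAO.QueryDef
    Set qd = db.CreateQueryDef("", "PARAMETERS pUser TEXT(50)" & extraParams & "; " & sql)
    qd.Parameters("pUser") = userName
    Set UserQuery = qd
End Function

Private Function ToHex(b() As Byte) As String
    Dim i As Long, s As String
    For i = LBound(b) To UBound(b): s = s & Right$("0" & Hex$(b(i)), 2): Next i
    ToHex = s
End Function

' Hex SHA-256 of salt & password via the .NET class Windows exposes to COM: no plaintext in the table, no shared hashes.
Public Function HashPassword(ByVal salt As String, ByVal pwd As String) As String
    Dim sha As Object, data() As Byte, digest() As Byte
    Set sha = CreateObject("System.Security.Cryptography.SHA256Managed")
    data = StrConv(salt & pwd, vbFromUnicode): digest = sha.ComputeHash_2((data))
    HashPassword = ToHex(digest)
End Function

Public Function NewSalt() As String
    Dim rng As Object, buf() As Byte: ReDim buf(15)
    Set rng = CreateObject("System.Security.Cryptography.RNGCryptoServiceProvider")
    rng.GetBytes buf               ' 16 bytes from the OS CSPRNG, not VBA's Rnd
    NewSalt = ToHex(buf)
End Function

' Weak = too short, contains the account name, on the deny list, or fewer than three character classes.
Public Function IsWeakPassword(ByVal userName As String, ByVal pwd As String) As Boolean
    Dim i As Long, up As Boolean, low As Boolean, dig As Boolean, oth As Boolean
    IsWeakPassword = True
    If Len(pwd) < MIN_PWD_LEN Then Exit Function
    If Len(userName) > 0 And InStr(1, pwd, userName, vbTextCompare) > 0 Then Exit Function
    If InStr(1, "|password|password1|welcome1|letmein|qwerty123|", "|" & pwd & "|", vbTextCompare) > 0 Then Exit Function
    For i = 1 To Len(pwd)
        Select Case Asc(Mid$(pwd, i, 1))   ' Asc ranges, not Like "[A-Z]": Like ignores case under Option Compare Database
            Case 65 To 90: up = True
            Case 97 To 122: low = True
            Case 48 To 57: dig = True
            Case Else: oth = True
        End Select
    Next i
    IsWeakPassword = (-(up + low + dig + oth) < 3)   ' True is -1 in VBA, so this counts the classes present
End Function

' Rejects weak passwords; otherwise stores a fresh salt and hash and stamps the change date.
Public Function SetPassword(ByVal userName As String, ByVal newPwd As String) As Boolean
    Dim salt As String
    If IsWeakPassword(userName, newPwd) Then Exit Function    ' returns False; the form re-prompts
    salt = NewSalt()
    With UserQuery(CurrentDb, "UPDATE tblUsers SET PwdSalt = pSalt, PwdHash = pHash, PwdChanged = Date() " & _
                   "WHERE UserName = pUser", userName, ", pSalt TEXT(32), pHash TEXT(64)")
        .Parameters("pSalt") = salt: .Parameters("pHash") = HashPassword(salt, newPwd)
        .Execute dbFailOnError
        SetPassword = (.RecordsAffected = 1)
    End With
End Function

' Verifies the password, logs the attempt either way, and reports an expired password separately.
Public Function TryLogin(ByVal userName As String, ByVal pwd As String) As LoginResult
    Dim db As DAO.Database, rs As DAO.Recordset, result As LoginResult: Set db = CurrentDb
    Set rs = UserQuery(db, "SELECT PwdSalt, PwdHash, PwdChanged FROM tblUsers WHERE UserName = pUser", _
                       userName).OpenRecordset(dbOpenDynaset)
    result = LoginBadCredentials                 ' unknown name and wrong password look the same to the caller
    If Not rs.EOF Then
        If HashPassword(rs!PwdSalt, pwd) = rs!PwdHash Then
            result = IIf(DateDiff("d", rs!PwdChanged, Date) > MAX_PWD_AGE_DAYS, LoginPasswordExpired, LoginOK)
        End If
    End If
    rs.Close
    LogAttempt db, userName, (result <> LoginBadCredentials)
    TryLogin = result
End Function

Private Sub LogAttempt(db As DAO.Database, ByVal userName As String, ByVal ok As Boolean)
    With UserQuery(db, "INSERT INTO tblLoginLog (LogTime, UserName, Workstation, Success) VALUES (Now(), pUser, pWs, pOk)", _
                   userName, ", pWs TEXT(64), pOk Bit")
        .Parameters("pWs") = Environ$("COMPUTERNAME"): .Parameters("pOk") = ok
        .Execute dbFailOnError
    End With
End Sub
```

The login form's OK button calls TryLogin and opens Database2 only on LoginOK, or on LoginPasswordExpired once SetPassword has accepted a new password. The "reporting discrepancies" piece is a saved query over tblLoginLog, for instance failed attempts per UserName and Workstation over the last day, reviewed on a schedule; a lockout threshold can be built on the same table. Two caveats a security reviewer would add: SHA-256 is a fast hash, so an attacker with a copy of tblUsers can still guess common passwords quickly, and fookio12's own point stands, since anyone who can open the .mdb with file access can read or edit both tables. The hashing raises the bar; moving the accounts to a database server is the real fix.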
 
fookio12:

Thanks. That's kind of where my thinking has been taking me in the absence of any better solution.

I'm surprised that I haven't seen more posts on the HIPAA issue; I did a search for HIPAA and did not get a single result.

Am I the only one doing medical-related DBs? Kind of hard to believe.

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
I believe that logging into the network is sufficient. A user can't get to your application until he first logs in to Windows (the network). This is the level where your security is tight.
 
Fancy:

Yes, we are using NT with user log ons. However, not everyone who has a network log-on has access to the databases.

Are you facing HIPAA issues as well?

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
Yes we are. Like I said, I don't see it as a problem. Your users must get past NT login to get to your database. NT logins, I'm sure, pass HIPAA guidelines.

However, here's a troubling problem. Since the users can view patient records in datasheet view (i.e., 20+ patients), how do you handle logging every time someone sees a patient record? For example, the user can scroll down one page at a time and within seconds has potentially seen 200 patient records. Do we need to log that for each of the 200 patients? I can limit the user to form view, but they're not going to like that. I guess we'll see what happens...
 
If I understand correctly, doesn't HIPAA also require logging of a user who 'changed' information, vs. 'viewed' information?

I do write medical programs, mostly in FoxPro, where I actually have a UserTable which logs changing and viewing by LogOn name and datetime(). I am currently creating an app in Access and am not at all as familiar with it, but I would like to see continuation of this thread.

Rainer
 
Fancy:

We have a network of approximately 200 users spread out over five affiliate organizations. Three of the affiliates deal with patient information; I work for the residential treatment affiliate.

The problem is that only a limited number of the folks who have access to the network generally have a need to access the patient information. If I'm reading the HIPAA security regs correctly, access tracking needs to be at the database level not the network level.

Rainer:

I'm not sure that the requirement extends to 'viewing' information. The regs at 164.312(b) and (c)(2) do seem to require an audit trail; however, I don't think it is clear that we need to track individual data changes or just a record of who has log-on.

All in all I'm confused as hell. Fortunately, we are a member of a state organization that will provide us with some training on this.

Thanks guys.

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
Just to put in my 2 cents worth - we do medical apps in Access as well - and are getting very little guidance from some sizable organizations on the HIPAA issue. I think many people are confused by HIPAA guidelines. I also would like to see more contributions to this thread. Anyone?
 
evalesthy:

There is a lack of specific direction from the feds regarding implementation of HIPAA. And, as I said in an earlier post, when I did a search of the Access Forums for HIPAA, I did not get a single hit.

I have picked up a few useful tips from here though on automatically closing a db after a period of inactivity and creating audit logs.

I'm in favor of continuing this thread or starting new ones as new issues arise.

The state group we are a member of will probably have its security training sometime in mid-March. I'll pass along whatever I learn from that to the Tek-Tips folks. Hopefully others with HIPAA concerns will do the same.

Good luck.

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
Fancy Prairie,

The DB I do here at work has the same sort of deal, where records are shown in datasheet view. Only instead of datasheet I have a form with a list box. That way the viewable information is limited.

The list box has two linked child fields. One is for the user, the other is for a status of the patient. The list displays the patient name, city, follow-up date and last contact date. This way the user can see what they need to follow up on, but not see the patient's record. The user can click on the name of the patient in the list box they want to work on, and be taken to that patient's record. It works well for up to about 100 to 150 records. It's further broken down by having the status filter out records.

People here really like it, they find it helps them stay on top of things. It's kind of like a real time report.

I also would like to see this thread continue. It seems like the new guidelines are designed to just put people on guard, although I bet they'll solidify it in the next 5 years. Imagine the force they'll have to have to go to a site and evaluate it, given their extremely broad, encompassing guidelines: physical security, software, employee training, implementation etc... HIPAA would need to send out a team of like 5 evaluators to properly evaluate security measures.

What's annoying is, it seems like some vendors already had HIPAA compliance right when the rules changed. We also use PACWare here and there weren't any changes that I was aware of, yet they are HIPAA compliant. Maybe they already met the guidelines.

Mark P.

Bleh
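The list-box design Mark P. describes, combined with the read-logging question Fancy Prairie raised earlier (how to log which records a user actually saw), as an added example that is not code from either post: the class module behind a hypothetical single-record patient form. The form, control, table and field names (frmPatient, lstPatients, tblPatient, tblViewLog, PatientID, PatientName, City, FollowUpDate, LastContact, AssignedTo, Status) are assumptions made for the example.

```vba
Option Compare Database
Option Explicit

' Added example, not code from the thread. Class module behind a hypothetical single-record patient
' form (frmPatient, bound to tblPatient) that carries a list box lstPatients showing only follow-up
' columns. Assumes a log table tblViewLog(ViewTime DATE, UserName TEXT, PatientID LONG, FormName TEXT).
' Every field name used below is assumed for the example, not taken from anyone's database.

Private m_lastLoggedID As Variant   ' stops a Requery or re-entry from logging the same record twice in a row

Private Sub Form_Open(Cancel As Integer)
    ' The list exposes only what the user needs to pick a record, never the record body, and is
    ' filtered to the current user's open cases (Mark P.'s two "linked child fields").
    With Me!lstPatients
        .RowSource = "SELECT PatientID, PatientName, City, FollowUpDate, LastContact " & _
            "FROM tblPatient WHERE AssignedTo = CurrentUser() AND Status = 'Open' ORDER BY FollowUpDate"
        .ColumnCount = 5
        .BoundColumn = 1
        .ColumnWidths = "0"           ' hide the ID column; the other four size to the control
    End With
End Sub

' Clicking a name moves the form to that patient; Form_Current then writes the view record.
Private Sub lstPatients_Click()
    If IsNull(Me!lstPatients) Then Exit Sub
    With Me.RecordsetClone
        .FindFirst "PatientID = " & CLng(Me!lstPatients)   ' CLng: the criteria string only ever receives a number
        If Not .NoMatch Then Me.Bookmark = .Bookmark
    End With
End Sub

' Form_Current fires once for every record the form displays, whether the user got there from the
' list box, the record selector or a filter, so paging through 200 records yields 200 log rows.
Private Sub Form_Current()
    If Me.NewRecord Or IsNull(Me!PatientID) Then Exit Sub
    If Nz(m_lastLoggedID, -1) = Me!PatientID Then Exit Sub
    LogView CLng(Me!PatientID)
    m_lastLoggedID = Me!PatientID
End Sub

Private Sub LogView(ByVal patientID As Long)
    Dim rs As DAO.Recordset
    Set rs = CurrentDb.OpenRecordset("tblViewLog", dbOpenDynaset, dbAppendOnly)
    rs.AddNew
    rs!ViewTime = Now
    rs!UserName = CurrentUser()        ' JET workgroup account; Environ$("USERNAME") if the app keys off the NT logon instead
    rs!PatientID = patientID
    rs!FormName = Me.Name
    rs.Update
    rs.Close
End Sub
```

Set the form's Allow Datasheet View property to No in design view so the Form_Current hook cannot be bypassed by switching views; datasheet view has no per-record event, which is the root of the logging problem described above. The list columns (name, city, dates) are still identifiable patient data, so this log records which record bodies were opened, not everything that appeared on screen; that is the trade-off the list-box design makes.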
 
Question for all:

How do you read the requirement for an audit log:

164.312(b) "Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

and

164.312(c)2) "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner."

Does this require a field level audit log of every addition/change/deletion? Or will a simple log of who accessed when and for how long suffice?

Ain't this fun?

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
I don't work on HIPAA, but other members of my team do. They work with HIPAA on the mainframe, where it communicates with other Health and Provider programs.

You were asking for more information on security and other information in general on HIPAA. I asked the lead analyst where they go for information and he gave me the following web sites. Hope they will help you.

Center for Medicare and Medicaid Services
Utah Health Information Network
Washington Publishing Co.
 
TCVance:

Thanks. I had already found two of the sites, but the Utah site is a new one to me and it looks interesting.

HIPAA is probably one of those Lawyers-Full Employment projects, but it looks like it may provide additional work for database developers. Assuming we can get past all the federal BS and headaches.

Thanks again.

Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
Hey, if anyone is still reading this post: I found a pretty easy method to do an audit trail that was posted on another forum. It's also in the Access Knowledge Base apparently. Anyway, check this link (if the link doesn't work you'll probably have to register with the site).

Mark P.

Bleh
 
Mark:

Thanks for the post.

This example is similar to one I created from the same MS Knowledge Base article.

I took it a step further, though, and created it as a module which captures the form and control name and the old and new values and writes an entry to a separate audit log table. The module is called from the form's Before Update event.

I have it working pretty well except that it will sometimes choke on combo boxes. Haven't quite figured it out yet since the problem is sporadic and not, so far, reproducible.

The good news for HIPAA security is that this piece is not required until next year. Gives us a bit more time to procrastinate.

For anyone interested, here is the module I have:

'This procedure is used to provide an audit trail of all changes to a record entered
'in the Incident Report Database.
'All changes (add record, change record, delete record) are recorded in tblAudit
'Creation Date : 09/19/02
'Last Mod Date :
'Created by : Larry De Laruelle
'
'Call from the form's Before Update event, passing the record's key, e.g. AuditData Me!IncidentID
Option Compare Database
Option Explicit

Public Sub AuditData(RecordID)

Dim frmActive As Form
Dim ctlData As Control
Dim dbTemp As DAO.Database     'DAO. prefix: plain "Database"/"Recordset" resolve to ADO if that library is referenced first
Dim rsTemp As DAO.Recordset

On Error GoTo ErrHandler       'was "On Err GoTo NextCtl", which does not compile

Set dbTemp = CurrentDb
Set rsTemp = dbTemp.OpenRecordset("tblAudit", dbOpenDynaset, dbAppendOnly)
Set frmActive = Screen.ActiveForm

If frmActive.NewRecord = True Then 'Tests for New Record. If true then
    With rsTemp                    'an audit record is created reflecting
        .AddNew                    'that fact and identifying the new
        !FormName = frmActive.Name 'record's record ID
        !RecNum = RecordID
        !AuditStatus = "New Record"
        !AuditDate = Date          'date only; Now would also record the time of day
        !AuditUser = CurrentUser()
        .Update
    End With
Else
    For Each ctlData In frmActive.Controls
        Select Case ctlData.ControlType
        Case acTextBox, acComboBox, acCheckBox, acOptionButton
            If ctlData.Name = "Updates" Then GoTo NextCtl
            'Skip unbound and calculated controls: there is no field to audit.
            '(The original tested ctlData.Properties(3), which is ControlSource by position.)
            If Len(ctlData.ControlSource & "") = 0 Then GoTo NextCtl
            If Left$(ctlData.ControlSource, 1) = "=" Then GoTo NextCtl

            Select Case IsNull(ctlData.Value)
            'Identifies deleted information
            Case True
                If Not IsNull(ctlData.OldValue) Then 'Original value was deleted
                    With rsTemp
                        .AddNew
                        !FormName = frmActive.Name
                        !FieldName = ctlData.Name
                        !RecNum = RecordID
                        !AuditStatus = "Deleted Data"
                        !OldValue = ctlData.OldValue
                        !AuditDate = Date
                        !AuditUser = CurrentUser()
                        .Update
                    End With
                End If
            'Identifies changed information
            Case False
                If IsNull(ctlData.OldValue) And Not IsNull(ctlData.Value) Then 'A new value has been added
                    With rsTemp
                        .AddNew
                        !FormName = frmActive.Name
                        !FieldName = ctlData.Name
                        !RecNum = RecordID
                        !AuditStatus = "Data Added"
                        !OldValue = "Was Empty"
                        !NewValue = ctlData.Value
                        !AuditDate = Date
                        !AuditUser = CurrentUser()
                        .Update
                    End With
                ElseIf ctlData.Value <> ctlData.OldValue Then 'Data was changed
                    With rsTemp
                        .AddNew
                        !FormName = frmActive.Name
                        !FieldName = ctlData.Name
                        !RecNum = RecordID
                        !AuditStatus = "Value Revised"
                        !OldValue = ctlData.OldValue
                        !NewValue = ctlData.Value
                        !AuditDate = Date
                        !AuditUser = CurrentUser()
                        .Update
                    End With
                End If
            End Select
        End Select
NextCtl:                               'inside the loop: in the original this label sat after Exit Sub, so the
    Next ctlData                       'first skipped control ended the audit of every control after it
End If

Exit_Sub:
On Error Resume Next
rsTemp.Close
Set rsTemp = Nothing
Set dbTemp = Nothing
Exit Sub

ErrHandler:
If ctlData Is Nothing Then
    Resume Exit_Sub                    'failed outside the control loop (e.g. tblAudit could not be opened)
Else
    Resume NextCtl                     'one control raised an error (the sporadic combo box case): skip it, keep going
End If

End Sub


Larry De Laruelle
ldelaruelle@familychildrenscenter.org

 
Thanks for the info guys -
I will also be looking at this soon.
 
Thought I would check back on this long-dormant post. Does anyone have any additional insight into Access / HIPAA issues?

1. What have you done to comply with HIPAA in your Access app?
2. Where does Access fall short of your HIPAA needs?
3. What unresolved questions/issues do you have regarding your Access application's compliance with HIPAA?
4. Have you found more good resources for HIPAA clarification?
 