> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth E Tomiak
> Sent: Thursday, May 08, 2008 7:10 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: VSAM / COBOL question - redux (fwd)
>
> My understanding of HIPAA is access to data is not denied to everyone,
> knowing who accessed it is the requirement. For 'confidential' data,
> logging who accessed it even if they are AUTHORIZED is done in some
> hospitals. Think audit trail. And of course they try to limit access.
> But if the developers have access to production does it matter what
> file it is in, they still accessed it. Proper logging would then have
> to log everyone that accesses the copies. And the snowball starts
> rolling. Once you give access to someone, it is hard to control what
> they do with it.
>
We do log all access to this data. We produced TONS of SMF data for this (RACF auditing). Actually, we UAUDIT every ID which has any possibility of accessing this data (e.g. TSO, ftp, HTTP, ...)

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology