RE: Displaying Data in web browser. Indefinitely.

2003-03-17 Thread Gregory Park




I believe the correct answer is more litigious than technical. Obviously this sounds like an area that is compromised, but maybe not... depending on your internal analysis. There are lots of questions here regarding WEB applications and security as a general question, but I think it would be little effort to place application time-outs in your code to eliminate "look over the shoulder breaches".

But then again, these are patients looking at their own data on their own computer systems, mostly in their own homes? Probably you could make a case and say there is little to no risk of information leakage.

I think maybe you would want application time-outs in your application above and beyond the security issue. From an application/server perspective I would want those accounts off my server as soon as possible.


Greg Park
Product Manager
DB Technology Inc.
Office: 800-760-4096 x117
Cell: 484-919-0392
PA Office: 610-397-0288
www.dbtech.com

  -----Original Message-----
  From: Hipaa Learner [mailto:[EMAIL PROTECTED]]
  Sent: Friday, March 14, 2003 8:08 PM
  To: WEDI SNIP Privacy Workgroup List
  Subject: Displaying Data in web browser. Indefinitely.

  We developed a web based application wherein patient data gets displayed in the end user's browser. A User ID is required to log in to the web site and it uses HTTPS to login. My question is, someone logs in, views the data, walks away from the computer. Since he has not logged out from our website, patient sensitive data is still displayed on his computer. Is it a violation of the HIPAA security rule? Thanks for your suggestion.
  
  
  
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




Re: Displaying Data in web browser. Indefinitely.

2003-03-17 Thread Doug Webb



Gregory,
You make a good point.
If the Patient is accessing his/her own data, you are not responsible for what he/she does with it.

If it's a CE or BA of a CE accessing Patient data, the CE is responsible for ensuring Privacy. Offering a process to make the CE's task easier might make good business sense.

Application time-outs for non-HIPAA reasons make a lot of sense, although how long they should be is another question. You definitely don't want to keep a session on your server open indefinitely (connections get dropped frequently, especially on dial-ups that forgot to disable Call Waiting). I've waited an awful long time (as long as 5 minutes) for the initial screen from my bank (there must be horrendous routing between AOL in Joliet and The Harris Bank (Chicago?)).

The opinions expressed here are my own and not necessarily the opinion of 
LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital & Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s) named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately, 
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."



  ----- Original Message -----
  From: Gregory Park
  To: WEDI SNIP Privacy Workgroup List
  Sent: Monday, March 17, 2003 08:00 AM
  Subject: RE: Displaying Data in web browser. Indefinitely.

  I believe the correct answer is more litigious than technical. Obviously this sounds like an area that is compromised, but maybe not... depending on your internal analysis. There are lots of questions here regarding WEB applications and security as a general question, but I think it would be little effort to place application time-outs in your code to eliminate "look over the shoulder breaches".

  But then again, these are patients looking at their own data on their own computer systems, mostly in their own homes? Probably you could make a case and say there is little to no risk of information leakage.

  I think maybe you would want application time-outs in your application above and beyond the security issue. From an application/server perspective I would want those accounts off my server as soon as possible.
  
  

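Both replies above recommend application time-outs for the session that displays patient data. The following is an added example, not code from this thread or from DB Technology or LCMH, showing what such a time-out looks like on the server side in Python: a framework-agnostic session store with an idle limit and an absolute limit, session destruction on expiry so a stale cookie cannot be replayed, and no-store cache headers on every response that carries patient data. The `SessionStore`, `handle_request` and `walkthrough` names, the timeout values and the scenario timings are assumptions made for illustration, not a HIPAA prescription.

```python
"""Idle and absolute session time-outs for a web application that shows
patient data in the browser (added example; not code from this thread or
from any product mentioned in it).

Assumptions: the application checks the session on every request; the
timeout values are illustrative choices, not a HIPAA prescription; the
SessionStore, handle_request and walkthrough names are made up here.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds with no request before automatic logout
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime, even for an active session

# Sent with every response that carries patient data so the browser and any
# proxy do not keep a copy that can be redisplayed after the session ends.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """In-memory session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user id for a live session, or None.

        An expired session is deleted server-side, so presenting the old
        cookie again after the time-out cannot revive it."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_for = now - s["last_seen"]
        age = now - s["created"]
        if idle_for > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now     # activity resets the idle clock, never the absolute one
        return s["user"]

    def logout(self, sid):
        """Explicit logout: True if a session was actually destroyed."""
        return self._sessions.pop(sid, None) is not None

    def active_count(self):
        return len(self._sessions)


def handle_request(store, sid, path):
    """Minimal request handler returning (status, headers, body).

    Anything that is not a live session is bounced to the login page; the
    redirect itself also carries no-store headers."""
    user = store.validate(sid)
    if user is None:
        return 302, {"Location": "/login", **NO_STORE_HEADERS}, ""
    body = f"<html>record view for {user}: {path}</html>"   # stand-in for the real page
    return 200, {"Content-Type": "text/html", **NO_STORE_HEADERS}, body


def walkthrough():
    """Constructed scenario from the question: log in, view a record, come
    back after 10 minutes, then walk away for 20 minutes and come back.
    Returns the HTTP status of each request."""
    now = [1_000_000.0]                      # fake clock, advanced by hand
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("patient-42")
    statuses = [handle_request(store, sid, "/records/1")[0]]      # live session
    now[0] += 10 * 60
    statuses.append(handle_request(store, sid, "/records/1")[0])  # under idle limit, clock reset
    now[0] += 20 * 60
    statuses.append(handle_request(store, sid, "/records/1")[0])  # idle limit passed: logged out
    statuses.append(handle_request(store, sid, "/records/1")[0])  # session is gone for good
    return statuses


if __name__ == "__main__":
    print(walkthrough())
```

The server-side limit stops the next request and closes the account off the server, which is the point both replies make, but it does not by itself blank a page that is already on the screen. The client-side counterpart is an inactivity timer in the page that navigates to the logout URL; that request then reaches this handler, destroys the session and returns the redirect, and the no-store headers keep the browser from redisplaying the old page from cache.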
Displaying Data in web browser... Indefinitely...

2003-03-14 Thread Hipaa Learner

We developed a web based application wherein patient data gets displayed in the end user's browser. A User ID is required to log in to the web site and it uses HTTPS to login. My question is, someone logs in, views the data, walks away from the computer. Since he has not logged out from our website, patient sensitive data is still displayed on his computer. Is it a violation of the HIPAA security rule? Thanks for your suggestion.
