Well, you can always 'hide' the name AND the SSN by simply using something like Blowfish encryption in the DB, and then when you display them in the web browser, don't display both :-) Then you don't have a piece of 'paper' that has both on it, and no one that has command-line access to the DB can actually see either the patient name or the SSN unless they're going through your app, and they can guess the key, and they write something to decrypt this stuff either from the command line OR write an app and run it in your app server... Not that it can't be done, but you know how hard that would be (of course, providing your Blowfish key is not 123 or something dumb like that), and even if they succeeded at getting the key, which, if you had an obfuscated Java bean, would be very hard, if not impossible, to do, by the time they write an app to get to your code in the DB, if you haven't noticed some funky activity on your machine by then... Well, then I don't think HIPAA or anything else can help you.
Incidentally, this is why I also recommended the key fobs... No info about the person is stored anywhere except for the key fob, which the user has in hand at all times. You unplug it, and wham, you're logged out immediately. You walk away leaving it in the machine, it logs out automatically within 5 minutes of inactivity, and if you're dumb enough to do that you deserve what you get. HIPAA sounds like a very cool law... I ought to check that out a bit more.

R

On 7/12/02 11:30 AM, "Campbell, Steve V." <[EMAIL PROTECTED]> wrote:

> BINGO!!!!!!!!!!!!
>
> And you know, it's not too "new". It's coming, and the scary part about it is, I am having to re-examine all of my applications and how many tiers of security I have on them. You basically can NOT have a piece of paper with their name on it alone if it has anything to do with their personal person as to who they are or their health status.
>
> HIPAA is going to be a Y2K with no clear definitions. Some of the security regs alone are going to put people like us in 80-hour-a-week jobs, I am afraid.
>
> Well, glad to know someone out there is swimmy headed along with me.
>
> Steve Campbell
> OU Physicians
> Internet Software Developer/Web Manager
> University of Oklahoma Health Sciences Center
> 800 Northeast 15th Street
> ROB #601
> Oklahoma City, Oklahoma 73172
>
> CONFIDENTIALITY NOTICE: This e-mail, including any attachments, contains information from The University of Oklahoma College of Medicine, which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.
>
> If you have received this email in error, please notify the sender immediately by "reply to sender only" message and destroy all electronic and hard copies of the communication, including attachments.
>
> -----Original Message-----
> From: Mark Bushaw [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 12, 2002 10:13 AM
> To: Multiple recipients of list witango-talk
> Subject: Re: Witango-Talk: One more!
>
> My wife works in an HR department. I have heard a little about HIPAA regulations. The thing that really struck me was when she said there could be no piece of paper in any file with both a name and a social security number on it. This legislation is still too new, and many of the requirements still have to go thru the court system to determine compliance, but it is scaring the heck out of me as I try to design a database and program for employee tracking and scheduling for a new company.
>
> Mark Bushaw
>
> On 12 Jul 2002 at 10:50, Dan Stein wrote:
>
>> Just to second that. I think the HIPAA guidelines actually require two levels or more of security, so I am not sure the traditional login system works. It may be different for data not transmitted across the internet, but I would suggest a careful reading of the guidelines is in order.
>>
>> When JCHH comes around next year I am sure this is one of the things they will look at.
>>
>> Dan
>>
>> --
>> Dan Stein
>> Digital Software Solutions
>> 799 Evergreen Circle
>> Telford PA 18969
>> Land: 215-799-0192
>> Mobile: 610-256-2843
>> Fax 413-410-9682
>> FMP, WiTango, EDI, SQL 2000
>> [EMAIL PROTECTED]
>> www.dss-db.com
>>
>>> From: Jason Pamental <[EMAIL PROTECTED]>
>>> Reply-To: [EMAIL PROTECTED]
>>> Date: Fri, 12 Jul 2002 09:46:56 -0400
>>> To: Multiple recipients of list witango-talk <[EMAIL PROTECTED]>
>>> Subject: Re: Witango-Talk: One more!
>>>
>>> Steve,
>>>
>>> This has certainly been an interesting thread - a lot of great ideas have been presented. One thing that got lost initially though is the point of needing the security: HIPAA regulations. The whole point of them is to provide security and privacy of medical records. Allowing doctors to do an end-run around having to log in with unique information defeats the purpose of the regulations. This exposes the patient's private medical information and (here is the point to bring up with hospital administration) exposes the hospital or medical group to HUGE liabilities and other legal consequences.
>>>
>>> It may be beyond your control, but you might find that the possibility of lawsuits might make it suddenly more palatable for the doctors to have to 'lower themselves' to remembering passwords to log into the systems (although a bar-code added to the ID badge they probably already have would be a nice solution as well).
>>>
>>> Just a little more fuel for the fire...
>>>
>>> Jason
>>>
>>>>>> One more question. What can you capture without the user knowing it's being captured? I know you can do normal stuff like where they came from, how long and that type of data, but is there any way to capture their email address somehow without them knowing it?
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Steve
>>>
>>> --
>>> ____________________________________________________________________
>>>
>>> Jason Pamental, President [EMAIL PROTECTED]
>>>
>>> Bathysphere Digital Media Services, Inc.
>>> http://bathyspheredms.com
>>> ____________________________________________________________________
>>>
>>> Tel: 401.490.6830 Fax: 401.490.6831
>>> ________________________________________
>>>
>>> ________________________________________________________________________
>>> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
>>> with unsubscribe witango-talk in the message body
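The column-level protection R describes in the top message (name and SSN encrypted in the DB, the key held in the application tier rather than the DB, and never both shown in the clear on one screen), written out as an added Go example that is not code from the thread or from Witango. AES-256-GCM stands in for Blowfish and the example goes one step further by binding the column name into each ciphertext; the environment variable PHI_FIELD_KEY, the column names and the sample SSN are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"os"
)

// sealField encrypts one column value with AES-256-GCM (standing in for the thread's Blowfish).
func sealField(aead cipher.AEAD, column, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per row, stored in front of the blob
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(column)) // column name as AAD: a blob moved between columns will not open
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; a DB login alone sees only the base64 blob, never the value.
func openField(aead cipher.AEAD, column, stored string) (string, error) {
	ns := aead.NonceSize()
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(ct) < ns {
		return "", fmt.Errorf("malformed %s ciphertext", column)
	}
	pt, err := aead.Open(nil, ct[:ns], ct[ns:], []byte(column)) // fails on tampering or wrong column
	return string(pt), err
}

// maskSSN is what the browser gets beside a patient name: the last four digits only.
func maskSSN(ssn string) string {
	if len(ssn) < 4 {
		return "***-**-****"
	}
	return "***-**-" + ssn[len(ssn)-4:]
}

func main() {
	block, err := aes.NewCipher([]byte(os.Getenv("PHI_FIELD_KEY"))) // hypothetical env var: 32-byte key on the app server, never in the DB
	if err != nil {
		panic("PHI_FIELD_KEY must hold a 32-byte key: " + err.Error())
	}
	aead, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	stored, _ := sealField(aead, "ssn", "123-45-6789") // constructed sample SSN
	ssn, _ := openField(aead, "ssn", stored)
	fmt.Println(stored, "->", maskSSN(ssn)) // what the DB row holds vs. what the browser shows
}
```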
