General information
Category:
Third-party products
Ken,
I don't have "medical records" as such, but I do have "identified medical data" and under the Administrative Simplification section of HIPAA all identified data comes under the regs.
According to our management, the patient has a right to see their records, request corrections, and know who sees their information.
In order to know who sees the information I need to make it so that it can only be seen through my application, and that each person coming in is uniquely identified. That to me means a password scheme with record-level logging of who sees each record, and a change log each time the record is changed. A password scheme is no good if the password is in an unencrypted FPW table! Even with network rights, UserA could easily see UserB's password and log in as UserB. So, I'll start by encrypting the passwords in the Users table.
Second, this particular data is just a list of what patients had visits, the date, and the provider. It's to track whether the provider has filled out a form. For general use I could encrypt the patient's name (decrypt when the form prints) so that only the date and the provider were easily accessible outside of the application. Then it comes closer to being de-identified data.
I'm new to all of this, and brainstorming while trying to get some $$ in the budget for next year (due 02/15) when I'll actually be re-writing this app.
>I'm interested in what part of HIPAA you are referring to.
>>I will be needing some encryption in order to be HIPAA compliant and would like to use Cipher if possible.
>>
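The scheme sketched in the post (unique logins, a Users table that does not reveal passwords, and a per-record log of reads and changes), as an added example that is not part of the original post. It uses a salted one-way PBKDF2 hash in place of reversible encryption, and SQLite in place of the FoxPro tables; all table, column and function names are assumptions.

```python
import hashlib, hmac, os, sqlite3
from datetime import datetime, timezone

ITERATIONS = 200_000  # constructed work factor for this example

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, patient TEXT, visit_date TEXT, provider TEXT);
        CREATE TABLE access_log(at TEXT, user TEXT, visit_id INTEGER, action TEXT, detail TEXT);
    """)
    return db

def _hash(password, salt):
    # Salted and one-way: reading the users table yields no usable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def add_user(db, name, password):
    salt = os.urandom(16)  # per-user salt, so equal passwords hash differently
    db.execute("INSERT INTO users VALUES(?,?,?)", (name, salt, _hash(password, salt)))

def login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name=?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _hash(password, row[0]))  # constant-time compare

def _log(db, user, visit_id, action, detail=""):
    db.execute("INSERT INTO access_log VALUES(?,?,?,?,?)",
               (datetime.now(timezone.utc).isoformat(), user, visit_id, action, detail))

def read_visit(db, user, visit_id):
    # Record the read before handing the row back, so every view is attributable.
    _log(db, user, visit_id, "read")
    return db.execute("SELECT patient, visit_date, provider FROM visits WHERE id=?",
                      (visit_id,)).fetchone()

def change_provider(db, user, visit_id, provider):
    old = db.execute("SELECT provider FROM visits WHERE id=?", (visit_id,)).fetchone()[0]
    db.execute("UPDATE visits SET provider=? WHERE id=?", (provider, visit_id))
    _log(db, user, visit_id, "change", f"provider: {old} -> {provider}")

def who_saw(db, visit_id):
    rows = db.execute("SELECT DISTINCT user FROM access_log "
                      "WHERE visit_id=? AND action='read' ORDER BY user", (visit_id,))
    return [r[0] for r in rows]
```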