Keeping a log of all people who look at record level information could get to be a very large database in addition to the patient database. I have customers with 50-100 thousand patients online and millions of transactions in a single file. The transaction has the date of visit, provider seen, cpt & diagnosis code so it probably qualifies as a medical record. My company has a contract to supply software to EDS and companies they own and do business with. Some have Medicare contracts, ie, the entire state of California and the 4 New England states. I'm not sure how much of this is of interest to the UT people. I would be happy to email you privately and maybe compare notes.
>Ken,
>
>I don't have "medical records" as such, but I do have "identified medical data" and under the Administrative Simplification section of HIPAA all identified data comes under the regs.
>
>According to our management, the patient has a right to see their records, request corrections, and know who sees their information.
>
>In order to know who sees the information I need to make it so that it can only be seen through my application, and that each person coming in is uniquely identified. That to me means a password scheme with record-level logging of who sees each record, and a change log each time the record is changed. A password scheme is no good if the password is in an unencrypted FPW table! Even with network rights, UserA could easily see UserB's password and log in as UserB. So, I'll start by encrypting the passwords in the Users table.
>
>Second, this particular data is just a list of what patients had visits, the date, and the provider. It's to track whether the provider has filled out a form. For general use I could encrypt the patient's name (decrypt when the form prints) so that only the date and the provider were easily accessible outside of the application. Then it comes closer to being de-identified data.
>
>I'm new to all of this, and brainstorming while trying to get some $$ in the budget for next year (due 02/15) when I'll actually be re-writing this app.
>
>
>>I'm interested in what part of HIPAA you are referring to.
>>>I will be needing some encryption in order to be HIPAA compliant and would like to use Cipher if possible.
>>>