>>Ken,
>>
>>I don't have "medical records" as such, but I do have "identified medical data" and under the Administrative Simplification section of HIPAA all identified data comes under the regs.
>>
>>According to our management, the patient has a right to see their records, request corrections, and know who sees their information.
>I found this about HIPAA security requirements.
>
>http://www.netconsystems.com/implement_presentation.htm
>
>The way I read it is that you must have someone appointed to be in charge of security or you have no security. I believe they want something like a "sign-in sheet" as opposed to something in the database. Besides, you could log in to your workstation and, when you stepped out for a minute, I could look up someone on your computer and no one would know I did it. Probably better to assume that anyone with access could look, and make visitors sign in and record what they looked at.
Thanks, Ken.
We have a "Security Officer" for the Med Center as a whole, and of course I'm sure the legal department is busy with a new thingy for the patients to sign. Of course I can think of all sorts of holes like what happens to the identified scheduling record when the patient hasn't been in yet to sign anything. ;-)
We will have rules/policies about making apps kick users out after an idle period, and using password screensavers and WinNT/W2K security and such.
Haven't digested the above article, but what about the reception area which is full of patients floating around - sign-in sheets aren't too practical there.
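The thread raises two linked points: access to identified data should be logged against the person who actually looked (not just against whoever's workstation was left unlocked), and idle sessions should be forced out so an unattended login stops being usable. The following is an added example, not code from either poster or from any product mentioned, sketching how those two controls fit together in an application's data-access layer. The record store, user names, patient ids and the 300-second timeout are all constructed for illustration; a real deployment would take the timeout from policy and write the audit log somewhere tamper-evident.

```python
"""Added example: record-access audit trail bound to an idle-limited session.

Every lookup of an identified record is appended to an audit log tagged with
the authenticated user of the session that performed it, and a session that
has sat idle longer than the timeout is rejected (and the refusal is logged),
so a walk-up on an unattended workstation is both time-bounded and visible.
All names, ids and timing values here are constructed, not from the thread.
"""
from dataclasses import dataclass
import time

IDLE_TIMEOUT = 300  # seconds; constructed value, policy would set this


class SessionExpired(Exception):
    """Raised when a lookup arrives on an unknown, logged-out or idle session."""


@dataclass
class Session:
    user: str
    last_activity: float


class RecordAccess:
    """Gatekeeper in front of a store of identified records (constructed)."""

    def __init__(self, records, clock=time.time, idle_timeout=IDLE_TIMEOUT):
        self._records = records          # patient_id -> record dict
        self._clock = clock              # injectable so the timeout is testable
        self._idle_timeout = idle_timeout
        self._sessions = {}              # token -> Session
        self._next_id = 0
        # Append-only: (timestamp, user or None, patient_id, outcome)
        self.audit_log = []

    def login(self, user):
        """Open a session; the token is what the app carries per request."""
        self._next_id += 1
        token = f"sess-{self._next_id}"
        self._sessions[token] = Session(user, self._clock())
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def _check_session(self, token):
        """Validate the session and refresh its idle timer on success."""
        sess = self._sessions.get(token)
        if sess is None:
            raise SessionExpired("unknown or logged-out session")
        now = self._clock()
        if now - sess.last_activity > self._idle_timeout:
            del self._sessions[token]  # kick the idle session out entirely
            raise SessionExpired("idle timeout")
        sess.last_activity = now
        return sess

    def lookup(self, token, patient_id):
        """Return a record, logging who looked; refusals are logged too."""
        try:
            sess = self._check_session(token)
        except SessionExpired as exc:
            self.audit_log.append((self._clock(), None, patient_id, f"denied: {exc}"))
            raise
        record = self._records.get(patient_id)
        outcome = "viewed" if record is not None else "not found"
        self.audit_log.append((self._clock(), sess.user, patient_id, outcome))
        return record

    def who_viewed(self, patient_id):
        """Answer the patient's question 'who has seen my information?'"""
        return [user for (_, user, pid, outcome) in self.audit_log
                if pid == patient_id and outcome == "viewed"]


def demo():
    """Walk through a view, then an attempt after the idle timeout has passed."""
    clock = [1000.0]  # constructed fake clock so the timeout is deterministic
    ra = RecordAccess({"P-001": {"name": "constructed patient"}},
                      clock=lambda: clock[0], idle_timeout=300)
    token = ra.login("dr_example")      # constructed user name
    ra.lookup(token, "P-001")           # legitimate view, attributed to dr_example
    clock[0] += 301                     # workstation left unattended past the limit
    try:
        ra.lookup(token, "P-001")       # walk-up attempt: refused and logged
        expired = False
    except SessionExpired:
        expired = True
    return ra, expired


if __name__ == "__main__":
    ra, expired = demo()
    print("second lookup refused:", expired)
    for entry in ra.audit_log:
        print(entry)
```

The point the design makes is that attribution in the log comes from the session, not from the workstation, so the log is only as trustworthy as the session's binding to a person; that is exactly why the idle timeout (and the screensaver lock mentioned above) matters to the audit trail and not just to confidentiality.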