How do I create HIPAA compliant record audit trail in Access 2003?
I built a database in Access 2003 to track and recall medical patients for chronic disease managment. My hospital IS gurus tell me that the application must track every time a user even looks at a patient record to be compliant with HIPAA. My database has a front-end with the forms and interface, and separate back-end database to store the actual tables. I have found ways to track record changes on this site. But How do I set up a way to track each time a user even views a record (and does not change it)?
ASKER
A major function of the database is to generate recall lists. So the user would click a button to recall patients and get a list of overdue patients in a subform.
So your solution to select records by combo won't work because record sets are returned in order to fulfill the functions. HIPAA requires that we track this viewing. (e.g. Imagine the nurse is recalling patients who had positive gonorrhea tests for followup "test of cure" visits- sensitive information indeed. If "Bill Clinton" and "Barak Obama" and "John McCain" are all in the list, I need a way to track that the nurse saw that all of these guys were positive for GC, in case they come back and wonder who spilled the beans to the press!)
I need a way that each time a record or a set of records is selected to the form or subform, I can track who viewed it.
So your solution to select records by combo won't work because record sets are returned in order to fulfill the functions. HIPAA requires that we track this viewing. (e.g. Imagine the nurse is recalling patients who had positive gonorrhea tests for followup "test of cure" visits- sensitive information indeed. If "Bill Clinton" and "Barak Obama" and "John McCain" are all in the list, I need a way to track that the nurse saw that all of these guys were positive for GC, in case they come back and wonder who spilled the beans to the press!)
I need a way that each time a record or a set of records is selected to the form or subform, I can track who viewed it.
First, you'll need to secure your database, otherwise anyone can open the backend and view your data. Access provides User Level Security (ULS) for this purpose, but ULS is easily cracked and may not be sufficient for your needs.
Assuming you can use Access for this, then after locking down the app, you would need to setup a tracking table that would store the UserID, Date/Time, and records viewed. You'd then write a record to this table each and every time someone opened a form, viewed a Report etc etc ... not an inconsequential task.
Assuming you can use Access for this, then after locking down the app, you would need to setup a tracking table that would store the UserID, Date/Time, and records viewed. You'd then write a record to this table each and every time someone opened a form, viewed a Report etc etc ... not an inconsequential task.
ASKER
Can anyone be a bit more specific about how to track multliple records viewed in a subform- i.e. how do I write each record in to the tracking table when the user opens a query based subform- there might be quite a few records returned once the database is populated... IF I attach code to the process of sending the query, the results are not yet back to "track" in the tracking table...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, I think that's the advice I was looking for. May explain why I couldn't find much on making Access HIPAA compliant- its so hard to do correctly!
THis then means they must use a form to see a record. Rather then navigation buttons, you need a combo or similar to select records to view. As part of the code to return that record, you can then write a record to a "view log" identifying who browsed what
Kelvin