How do I create HIPAA compliant record audit trail in Access 2003?

I built a database in Access 2003 to track and recall medical patients for chronic disease managment.  My hospital IS gurus tell me that the application must track every time a user even looks at a patient record to be compliant with HIPAA.   My database has a front-end with the forms and interface, and separate back-end database to store the actual tables.   I have found ways to track record changes on this site.  But How do I set up a way to track each time a user even views a record (and does not change it)?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kelvin SparksCommented:
You ned to ensure that users cannot open the tables back end directly, you then need to ensure that they cannot see the database window in the front end.

THis then means they must use a form to see a record. Rather then navigation buttons, you need a combo or similar to select records to view. As part of the code to return that record, you can then write a record to a "view log" identifying who browsed what

czelnickAuthor Commented:
A major function of the database is to generate recall lists.  So the user would click a button to recall patients and get a list of overdue patients in a subform.  

So your solution to select records by combo won't work because record sets are returned in order to fulfill the functions.  HIPAA requires that we track this viewing. (e.g. Imagine the nurse is recalling patients who had positive gonorrhea tests for followup "test of cure" visits- sensitive information indeed.  If "Bill Clinton" and "Barak Obama" and "John McCain" are all in the list, I need a way to track that the nurse saw that all of these guys were positive for GC, in case they come back and wonder who spilled the beans to the press!)

I need a way that each time a record or a set of records is selected to the form or subform, I can track who viewed it.
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
First, you'll need to secure your database, otherwise anyone can open the backend and view your data. Access provides User Level Security (ULS) for this purpose, but ULS is easily cracked and may not be sufficient for your needs.

Assuming you can use Access for this, then after locking down the app, you would need to setup a tracking table that would store the UserID, Date/Time, and records viewed. You'd then write a record to this table each and every time someone opened a form, viewed a Report etc etc ... not an inconsequential task.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

czelnickAuthor Commented:
Can anyone be a bit more specific about how to track multliple records viewed in a subform- i.e. how do I write each record in to the tracking table when the user opens a query based subform-  there might be quite a few records returned once the database is populated...  IF I attach code to the process of sending the query, the results are not yet back to "track" in the tracking table...
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
You'd use the Load or Open event of your form to write those records to a table ... the form has a Recordset object that could be used to gather the ID values, then you could write those to a table. F or example:

Sub Form_Load()

Do Until Me.RecordsetClone.EOF
  CurrentProject.Connection.Execute "INSERT INTO MyTrackingTable(UserID, DateViewed, ViewType, RecNumber) VALUES('" & currentuser & "',#" & Now & "#, Patients," & me.recordsetclone("MyIDField") &")"

end Sub

Of course, you'll need to determine exactly what needs to be stored in order to accurately recreate the records a user is viewing.

In my opinion, doing this with a typical bound Access application is going to be pretty difficult, and will require a LOT of work to insure that you track every view ... and if you don't correctly secure the application (including removing the ability for user to actually view the tables, and instead provide data access through Run With Owner Permission - RWOP - queries only).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
czelnickAuthor Commented:
Thanks, I think that's the advice I was looking for.  May explain why I couldn't find much on making Access HIPAA compliant- its so hard to do correctly!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Access

From novice to tech pro — start learning today.