From: David W. Fenton on
Banana <Banana(a)Republic> wrote in news:4BA51A3B.8040301(a)Republic:

> Douglas J. Steele wrote:
>> I think you'll find the general consensus is that Access is not
>> appropriate for HIPAA.
>>
>> And no, Access security cannot be integrated with Active
>> Directory.
>>
>> On the topic of Access security, be aware that the new .accdb
>> file format in Access 2007 (and Access 2010, which is currently
>> in beta) does not support Access security (although it's still
>> supported in those versions of Access if the file is left in the
>> older .mdb file format)
>
> FWIW, I did use to work for a company that was bound by HIPAA and
> I know of a couple of others who did likewise.
>
> The way I understood it, it was OK as long as you used Windows
> filesystem permissions to keep out the non-users and thus only
> those employees who were authorized to work with confidential
> documentations. No different from emails containing the same
> content, really. This works OK on a user-level. When there's a
> question of needing a different access security for data, a
> different backend may be a better solution, but that doesn't
> preclude Access as a front-end client.

This was my understanding, too.

Nonetheless, I still wouldn't recommend a Jet/ACE back end for an
app that had to comply with HIPAA.

--
David W. Fenton http://www.dfenton.com/
usenet at dfenton dot com http://www.dfenton.com/DFA/
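
An added example, not part of any post in this thread: one way to check the filesystem-permission approach discussed above is to review the ACL on the folder holding the Jet/ACE back-end files and flag Allow entries for broad groups. The function name `Find-BroadGrant`, the principal list, the `CLINIC` domain, the sample rules and the share path are all assumptions made for illustration.

```powershell
# Added example: flag overly broad Allow grants on a back-end data folder.
# The principal list and the sample rules below are constructed for illustration.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Find-BroadGrant {
    param(
        [Parameter(Mandatory)] [object[]] $AccessRules,
        [string[]] $Broad = $BroadPrincipals
    )
    foreach ($rule in $AccessRules) {
        $who = [string]$rule.IdentityReference
        # Only Allow entries grant access; Deny entries are not a finding here.
        if ($rule.AccessControlType -eq 'Allow' -and
            ($Broad -contains $who -or $who -like '*\Domain Users')) {
            [pscustomobject]@{
                Principal = $who
                Rights    = [string]$rule.FileSystemRights
                Inherited = [bool]$rule.IsInherited
            }
        }
    }
}

# Constructed sample, shaped like the .Access property returned by Get-Acl.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CLINIC\PHI-Billing'; AccessControlType = 'Allow'
                       FileSystemRights = 'Modify, Synchronize'; IsInherited = $false },
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users'; AccessControlType = 'Allow'
                       FileSystemRights = 'ReadAndExecute, Synchronize'; IsInherited = $true },
    [pscustomobject]@{ IdentityReference = 'CLINIC\Domain Users'; AccessControlType = 'Allow'
                       FileSystemRights = 'Modify, Synchronize'; IsInherited = $true }
)

# Reports the BUILTIN\Users and CLINIC\Domain Users entries, not PHI-Billing.
Find-BroadGrant -AccessRules $sample | Format-Table -AutoSize

# Against a real folder (the path is a placeholder):
# Find-BroadGrant -AccessRules (Get-Acl -Path '\\fileserver\phi-data').Access
```

Inherited entries are worth particular attention, since a data folder created under a general-purpose share usually picks up the parent's broad grants.
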
From: David W. Fenton on
Banana <Banana(a)Republic> wrote in news:4BA51B0D.5090208(a)Republic:

> Have a look at www.accesssecurityblog.com

So Tom, when are we going to get more on the blog?

--
David W. Fenton http://www.dfenton.com/
usenet at dfenton dot com http://www.dfenton.com/DFA/
From: Arvin Meyer [MVP] on
While Access cannot be integrated with Active Directory, it can be
integrated with Windows login.

I do have an Access app which uses a Terminal Server to allow connection to
Jet data. It is HIPAA compliant, and has been certified as such by a 3rd
party auditor. It is virtually impossible (notice I said "virtually") to get
to any data that you are not allowed to see. At least no one, including the
MCSE that helped me set it up and the auditors, has been able to get in.

When logging in the app opens to your data. If you close Access, there's a
single shortcut to reopen it. Nothing else, and no way to get anywhere else.
Ten minutes of inactivity shuts down the app and boots you out of the
system. It has been used successfully for about 2 years now.

This app happens to be an MDE, but would probably work just as well as an
ACCDE. That hasn't been tested though. It does not use Access security at
all, but does make heavy use of Active Directory security and Group
Policies.
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.accessmvp.com
http://www.mvps.org/access


"Douglas J. Steele" <NOSPAM_djsteele(a)NOSPAM_gmail.com> wrote in message
news:e6hMJVFyKHA.2552(a)TK2MSFTNGP04.phx.gbl...
>I think you'll find the general consensus is that Access is not appropriate
>for HIPAA.
>
> And no, Access security cannot be integrated with Active Directory.
>
> On the topic of Access security, be aware that the new .accdb file format
> in Access 2007 (and Access 2010, which is currently in beta) does not
> support Access security (although it's still supported in those versions
> of Access if the file is left in the older .mdb file format)
>
> --
> Doug Steele, Microsoft Access MVP
> http://I.Am/DougSteele
> (no e-mails, please!)
>
>
>
> "frank" <frankjlinden(a)yahoo.com> wrote in message
> news:b1bf4277-a22a-4618-959c-5e1a6f3d6b56(a)q21g2000yqm.googlegroups.com...
>>I have just begun work for a health care entity which uses MS Access
>> for all their client data.
>> The User interfaces are all standard Access Forms and Pages deployed
>> over the Lan using Share Permissions.
>> I will soon begin the task of consolidating and securing these various
>> databases and the solution must be compliant with HIPAA regulations
>> for securing Private Health Information. Can anyone please offer any
>> basic suggestions that I can pursue to properly secure my Access
>> databases in this environment?
>> Also, can Access security be integrated with Active Directory like
>> MSSQL?
>>
>> Thank You.
>


From: kc-mass on
Thought I sent this earlier but don't see it so:

Two years ago I worked a contract with a company that processed tons of
HIPAA data. They wanted everything in Access. Two weeks after I got there
some outside auditors showed up. Very quickly we moved all back ends to SQL
Server Express. Access security is fine for the usual curious user but is
not for fending off criminals.

There is a lot of info on the web on what HIPAA dictates vis a vis info
security. You will want to look at that before you start down an Access or
any other path with the data. If it is Medicare or Medicaid data it's even
more stringent. Some suggest that you need to log every view of any med
record by user.

Be Careful

Regards

Kevin


From: david on
Users should not have access to Windows Explorer, or the
Command Line, or any general-purpose software, on the
system which allows them access to the data. You can do
that by using Terminal Services, or Virtual PC, or dedicated
workstations.

Those are general rules for HIPAA anyway, but this stuff is gradually
being tightened up: 10 years ago you would have gotten away with just
having policies about proper workstation use, now it's back to
expecting enforceable 'green screen' security, not just supervision.

I wouldn't expect everyone to have 'green screen' style workstation
security at this point, but the world is heading that way, so if you
are thinking about security now, now is the time to put in place
the correct systems.

(david)


