True on HIPPA rules but the only way to do that would be at an application level and if someone were to access all the same records using DFU and construct up the patients record with cut and paste operations you would not get that access recorded.
Since we are not covered by HIPPA I was actually thinking of enhancing the protection of some data elements like SSN and credit card numbers which I encrypt but would still like to be able to tell who read any file that has any of this type of data. I was thinking of moving this data to a file with only this data and journaling everything that accesses it so even if someone were to gain access (odbc, jdbc, dfu, etc, etc, etc) I know the db is recording everything. A trigger might work fine for this since the file is not accessed often and the overhead of the trigger processing would not be that great. I could also do some scans against the journals looking for activity I do not expect (ignore anything logged from one of our applications that are allowed to use the data) and send myself an alert
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Walden H. Leverich
Sent: Wednesday, August 20, 2008 6:32 PM
To: Midrange Systems Technical Discussion
Subject: RE: DB2/400 logging of read only access
We are not covered by HIPPA regulations but if we were would
be adding this to our own applications be the only way to
record record level access?
There are also read-triggers. Just like other update triggers, these are
database-level things that you can't get around. However, they're a
performance PIG!
Also, there's nothing in the HIPPA regs that require you to record read
access to every single record. You need to record access to
medical-records, not database-records. For example, if reviewing a
single "medical-record" results in 1 read to the patient table, 2 reads
to the address table (home/office), 5 reads to the phone table
(office/cell/home/emergency/other), 22 reads to the procedure table, 19
reads to the sub-procedure table, and 211 reads to the charges table,
you only have to record 1 access, not 261.
-Walden
--
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com
Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.