Re: Oracle NULL vs '' revisited

From: DA Morgan <damorgan_at_psoug.org>
Date: Mon, 20 Aug 2007 14:04:27 -0700
Message-ID: <1187643864.737578@bubbleator.drizzle.com>

Serge Rielau wrote:
> DA Morgan wrote:

>> Consider this for example. In a US medical environment with patient data
>> HIPAA, federal law, requires that SELECT statements be audited. 

> At the risk of changing the topic.. You appear to be an expert on HIPAA.
> Does it actually state "SELECT statement"? Or does it say "data access"?
> Just wondering. You are always very SPECIFIC about exactly HOW any
> HIPAAA, SOX, .. requirement needs to be implemented. In my limited
> experience the HOW is typically open to interpretation (and rightly so)...
>
> Cheers
> Serge

Every request for record(s), by who, to where, and which records were retrieved. That is always implemented as a SELECT somewhere in the database. It will likely be from a third-party application or a reporting tool such as Crystal, people rarely play with medical data using SQL*Plus, but it will be a SELECT and it must, by law, be audited in that the medical facility must be able to prove who had access to the data on a record-by-record, patient-by-patient basis.

This is what the hospitals and medical centers out here are using as their internal guide. One medical center I work with has now enforced a printer access rule to keep unauthorized people from getting physical access to a printer that "might" contain patient information to which they are not entitled.

In the US the rules are made by lawyers for the benefit of lawyers. And we've got a lot of 'em.

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org

Received on Mon Aug 20 2007 - 16:04:27 CDT