My understanding of HIPAA is access to data is not denied to everyone, knowing who accessed it is the requirement. For 'confidential' data, logging who accessed it even if they are AUTHORIZED is done in some hospitals. Think audit trail. And of course they try to limit access. But if the developers have access to production does it matter what file it is in, they still accessed it. Proper logging would then have to log everyone that accesses the copies. And th snowball starts rolling. Once you give access to someone, it is hard to control what they do with it.
>What does HIPAA (or whatever the spelling is) say about having test >access to true production data? ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html