Displaying Data in web browser . Indefinitely .
We developed a web based application where in patient data get displayed in end user browser. User ID is required to log in to web site and it uses HTTPS to login. My question is, some one logs in, .view the data .. walks away from computer. Since he has not logged out from our website, patient sensitive data is still displayed on his computer. Does it a violation of HIPAA security rule ? thanks for your suggestion. Do you Yahoo!? Yahoo! Web Hosting - establish your business online --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: Displaying Data in web browser... Indefinitely..
IMHO, Yes, it is a violation, but not yours. The client who accessed the web site is guilty of the violation unless the proper protection is taken to blank the screen at the client's site. You might offer a process to blank the web screen after it has been displayed for a certain interval as a courtesy. The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED] "This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you." - Original Message - From: Hipaa Learner To: WEDI SNIP Privacy Workgroup List Sent: Friday, March 14, 2003 07:07 PM Subject: Displaying Data in web browser . Indefinitely . We developed a web based application where in patient data get displayed in end user browser. User ID is required to log in to web site and it uses HTTPS to login. My question is, some one logs in, .view the data .. walks away from computer. Since he has not logged out from our website, patient sensitive data is still displayed on his computer. Does it a violation of HIPAA security rule ? thanks for your suggestion. Do you Yahoo!?Yahoo! Web Hosting - establish your business online --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Displaying Data in web browser. Indefinitely.
I believe the correct answer is more litigious than technical. Obviously this sounds like a area that is compromised, but maybe not...depending on your internal analysis. There are lots of questions here regarding WEB applications and security as a general question, but I think it would be little effort to place application time-outs in your code to eliminate "look over the shoulder breaches". But then again, these are patient's looking at their own data on their own computer systems mostly in their own homes? Probably you could make a case and say there is little to no risk of information leakage. I think maybe you would want application time-outs in your application above and beyond the security issue. From an application/server perspective I would want those accounts off my server as soon as possible. Greg ParkProduct ManagerDB Technology Inc.Office: 800-760-4096 x117Cell: 484-919-0392PA Office: 610-397-0288 www.dbtech.com -Original Message-From: Hipaa Learner [mailto:[EMAIL PROTECTED]Sent: Friday, March 14, 2003 8:08 PMTo: WEDI SNIP Privacy Workgroup ListSubject: Displaying Data in web browser. Indefinitely. We developed a web based application where in patient data get displayed in end user browser. User ID is required to log in to web site and it uses HTTPS to login. My question is, some one logs in,.view the data.. walks away from computer. Since he has not logged out from our website, patient sensitive data is still displayed on his computer. Does it a violation of HIPAA security rule ? thanks for your suggestion. Do you Yahoo!?Yahoo! Web Hosting - establish your business online --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
Re: Displaying Data in web browser. Indefinitely.
Gregory, You make a good point. If the Patient is accessing his/her own data, you are not respnsible for what he/she does with it. If it's a CE or BA of a CE accessing Patient data, the CE is responsible for ensuring Privacy. Offering a process to make the CE's task easier might make good business sense. Application time-outs for non-HIPAA reasons make a lot of sense, although how long they should be is another question. You definately don't want to keep a session on your server open indefinately (conections get dropped frequently, especially on dail-ups that forgot to disable Call Waiting). I've waited an awful long time (as long as 5 minutes) for the initial screen from my bank (there must be horrendous routing between AOL in Joliet and The Harris Bank (Chicago?)). The opinions expressed here are my own and not necessarily the opinion of LCMH. Douglas M. WebbComputer System EngineerLittle Company of Mary Hospital & Health Care Centers[EMAIL PROTECTED] "This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you." - Original Message - From: Gregory Park To: WEDI SNIP Privacy Workgroup List Sent: Monday, March 17, 2003 08:00 AM Subject: RE: Displaying Data in web browser. Indefinitely. I believe the correct answer is more litigious than technical. Obviously this sounds like a area that is compromised, but maybe not...depending on your internal analysis. There are lots of questions here regarding WEB applications and security as a general question, but I think it would be little effort to place application time-outs in your code to eliminate "look over the shoulder breaches". But then again, these are patient's looking at their own data on their own computer systems mostly in their own homes? Probably you could make a case and say there is little to no risk of information leakage. I think maybe you would want application time-outs in your application above and beyond the security issue. From an application/server perspective I would want those accounts off my server as soon as possible. Greg ParkProduct ManagerDB Technology Inc.Office: 800-760-4096 x117Cell: 484-919-0392PA Office: 610-397-0288 www.dbtech.com -Original Message-From: Hipaa Learner [mailto:[EMAIL PROTECTED]Sent: Friday, March 14, 2003 8:08 PMTo: WEDI SNIP Privacy Workgroup ListSubject: Displaying Data in web browser. Indefinitely. We developed a web based application where in patient data get displayed in end user browser. User ID is required to log in to web site and it uses HTTPS to login. My question is, some one logs in,.view the data.. walks away from computer. Since he has not logged out from our website, patient sensitive data is still displayed on his computer. Does it a violation of HIPAA security rule ? thanks for your suggestion. Do you Yahoo!?Yahoo! Web Hosting - establish your business online --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org---The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opini