Storing form data on client?

I have developed an application, for psyc patients.... they type in
very personal information in a web form to help them work through
problems in their lives. Once they enter the info, I encrypt the data
and store it in a MySQL database. Users can then print, edit, delete
or share the information they entered with their therapist. I'm not
happy storing this in the database for two reasons: (1) my host places
restrictions on my database size and number of queries. (2) the
information is very personal and sensitive, and I'd hate to find out
the database has been compromised or damaged (even with the
encryption). Also, currently I don't have any search capabilities, but
as patients fill out large numbers of forms, they may have a need to
search.

Is there a way for me to store the form information on the visitor's
computer.... say a cookie or text file, rather than on the server side?
How would I go about doing this?

Thanks!

Mike

Nov 10 '06 #1
Mike wrote:
<SNIP>
Hi Mike,

I am unsure if storing that info on the client machine is very safe.
The regular home PC has worse protection than an ISP machine.
So you must warn the users that you want to store the information on their
own machine, so they can make up their own mind.

Cookies? No, cookies won't help you. They can only store a limited piece of
data, and surely not long writing. Also cookies are easily deleted, and
then all the data is lost. So don't go cookie.

Client's filesystem?
If you want to store information on a client machine, you need something else
than PHP.
PHP typically only delivers the HTML to a browser, and doesn't exist on the
client machine, only on the server that delivers the pages.
So you'll need another solution: think Java applets, maybe
VBScript/ActiveX.
In both cases you'll need extra privileges.
I don't know much about VBScript/ActiveX, and my Java knowledge is getting
stale (since PHP). But if you go Java, you must first master that language,
and learn how to write applets, and also learn how to sign them, and ask
the user for permissions on some folder on the filesystem. It is not
rocket science, but Java is surely more difficult to master than PHP.

Personally, if I were in your position, I would choose a provider that suits
your needs, and keep using a server-side database; that setup is just much
easier.
ISPs come in all tastes, so if you are seriously worried about your data,
put some serious time in finding a good one. You might want to hire some
expertise to check if things are set up the way you want them to.

Just my 2 cents.

Good luck.
Regards,
Erwin Moller
Nov 10 '06 #2
Mike wrote:
<SNIP>
Mike,

If you're in the United States, it could be even worse than that. HIPAA
regulations are quite strict on medical information, and a violation
(even an inadvertent one) can land both you and your client in jail for
a few years. At the least there would be a very large fine.

About the only way you will be able to pass HIPAA regs would be to have
a physically secure server - meaning one locked in your client's office
or similar. Otherwise someone can get in there and access your programs
- which obviously have to have the key for encrypting/decrypting the
data someplace. Also, you would need to use SSL for all communications
with sensitive information, etc.

Additionally, before medical information can be shared, even with a
therapist, you must have a signed authorization. This has to be on real
paper - a web form doesn't work.

Right now this is a VERY touchy subject in the U.S.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 10 '06 #3
Thanks for the insight... very well said, thanks!

Mike

Erwin Moller wrote:
I am unsure if storing that info on the clientmachine is very safe.
<SNIP>
Personally, if I were in your position, I would choose a provider that suits
your needs, and keep using a serverside database, that setup is just much
easier.
ISP's come in all tastes, so if you are seriously worried about your data,
put some serious time in finding a good one. You might want to hire some
expertise to check if things are set up the way you want them to.
Nov 14 '06 #4
Jerry,

Thanks for the reply.

I am, indeed, in the US, and will check into HIPAA regs covering this.
Neither I nor anyone connected with the site is a medical professional. These
are visitors to my site, and not my clients. The forms are,
essentially, self-help questionnaires. They define a challenge in
their life, and use a structured process to make decisions about it.
So no actual medical information is contained in the form. It could be
something as simple as, "buy a blue car or a black one?", though other
times it can be much more personal and private. I do have warnings
prominently displayed reminding them that the data is stored on the
internet and is not guaranteed. Regarding e-mailing the form to their
therapist, they (and only they) can do that. My application simply
does what they request, with an "are you sure" message to confirm.
Still, you raise a good point, which I'll have to dig into a bit
further.

Jerry Stuckle wrote:
<SNIP>
Nov 14 '06 #5
Mike wrote:
<SNIP>
Mike,

It doesn't matter if you are a medical professional or not. If you are
collecting personal medical information (which can include many
self-help questions), you are subject to HIPAA regulations. And when
you get to the point it gets "personal and private", you're almost
assuredly getting into this area. And the fact these may be emailed to
a therapist makes this even more critical.

It doesn't make any difference what warnings you have posted. HIPAA
regulations REQUIRE it be guaranteed. No exceptions.

For instance - your Doctor cannot hand you a statement saying they don't
guarantee the confidentiality of your medical records. That level of
confidentiality is required by law. And only a signed statement from
you can allow that information to be released legally. And I highly
doubt an "I approve" button will pass HIPAA scrutiny.

You really need to get with an attorney familiar with HIPAA regulations
before going any further. Unless you wish to spend a few years as a
guest of the government.
Jerry Stuckle wrote:
<SNIP>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 14 '06 #6
Jerry,

Thanks for the feedback. I've disabled the e-mail option, just to be
on the safe side, and am looking for an attorney (hopefully pro bono)
who can help.

Mike

Nov 14 '06 #7
Mike wrote:
Jerry,

Thanks for the feedback. I've disabled the e-mail option, just to be
on the safe side, and am looking for an attorney (hopefully pro bono)
who can help.

Mike
Mike,

Chances are you won't find one pro bono - you're not a non-profit or
similar. And they need to make money, also.

But if you get one familiar with HIPAA it shouldn't cost you more than
an hour or two to discuss, depending on how in depth you feel you need
to go.

Of course, here in Washington, DC, 2 hours is about the same amount as
the National Debt :-)

Also, it isn't the email that will get you into trouble. It's the
collection of the data. The email just adds to the case should your
site be compromised.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Nov 14 '06 #8