Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle NULL vs '' revisited

Re: Oracle NULL vs '' revisited

From: DA Morgan <>
Date: Wed, 22 Aug 2007 09:06:17 -0700
Message-ID: <> wrote:

>> And I posted the link to Microsoft's own docs where they say that this
>> isn't true. So who's correct? You or Microsoft?

> Hmmm, you posted 2 links, one was a write up by an MVP(from 6 years
> ago) which documented that C2 in SQL Server 2000 would tell you who
> made a change(update) but not what the change was. The second link you
> sent was the to C2 summary, in that doc it lists the following;
> "...End User Activity (for example, all SQL commands, logins, and
> logouts).."
> Which I think is the bucket that selects are going to come under, I
> agree we could have made this clearer but the doc was not written with
> HIPAAs more exacting/different requirements in mind. Given that C2 has
> been superceded as a std and SQL Server is currently undergoing common
> criteria certification I don't think there is much chance of getting
> the page updated.
> Now trace was not that well documented in SQL 6.5/7/2000 so I am going
> to reference SQL2005 docs, most of what I reference also applies on
> older versions. Here is the list of events that can be audited by
> trace in 2005;
> To save time, here is the category of events that include all sql
> statements, hence would include select statements;
>> Perhaps the problem here is that you don't understand what HIPAA means
>> with respect to auditing SELECT statements. It isn't who issued it. That
>> is not the issue. It is which records, with which specific values, were
>> returned to which users?

> Ah ok now that makes sense, as I said I am no HIPAA expert so I was
> not aware of that requirement.
>> If you believe otherwise then please provide a link to the doc that
>> demonstrates that this capability exists in any database product other
>> than Oracle.

> I'm not aware of it existing in SQL Server at this time, I'm not going
> to comment on other DBs as I don't know them.
> However I have another question about HIPAA at this point, I thought
> that HIPAA was an end to end requirement, which means while Oracle
> makes this possible on the back end through built in features(I
> presume this is done through versioning somehow? How long is the audit
> trail kept btw) if the app tier does something thats not auditable
> then from a compliance perspective its a bust?
> -Euan

That is the statement ... but not what was returned. The statement, itself, in the context of HIPAA is meaningless because the data changes. A month later, during an audit, it is impossible to tell if 0, 1, or 1000 records were returned and which ones.

It may make a marketer happy to claim it as auditing but it does not comply with the law being discussed.

Daniel A. Morgan
University of Washington (replace x with u to respond)
Puget Sound Oracle Users Group
Received on Wed Aug 22 2007 - 11:06:17 CDT

Original text of this message