User-level security: This is slightly more secure than the above methods. The database creator or administrator can specify how much access each user has to tables, queries, forms, reports and macros. Information on a user's access level is stored in a file called "workgroup information."

Preventing users from replicating the database, setting passwords or setting start-up options: User-level security must be in place for this to work, but it would mean that only administrators would have the necessary permissions to change settings. This might be one change we can make, but it isn't enough.

Securing Microsoft Visual Basic for Applications code: You can copy your code into an Access MDE file and then password-protect it.

Securing data-access pages: This applies to data that is accessed via a Web page. The Web pages are stored in the file system, so only file system security applies.

In my view, these security measures are inadequate for protecting personal health information. Our responsibilities under HIPAA are one reason we outsourced our major information systems. But, with data everywhere, the problem has come home to roost.