I'm writing healthcare software for web and mobile clients. Recently, I come across another new HIPAA rule about Access Control- App Session timeout.
My question is, is it possible to give application setting option from where user can enable-disable security level, instead of forcing them.
Any suggestions?