HIPAA Security Requirements for sleeping (inactive) logon accounts

Posted on 2006-11-30
Medium Priority
Last Modified: 2010-04-11
What is the rule for logon accounts that have been sleeping/inactive for a number of months?
I heard that if an account has been inactive for over 90 days, it is subject to deletion.
Any ideas/sources?

Question by: ethanjohnsons

Assisted Solution

overflow34 earned 600 total points
ID: 18051936
I am not 100% sure on the time frame for this. The US Dept. of Health and Human Services has a page that, when searched, shows programs vary in their leniency according to philosophies. I am not a HIPAA expert. I know what our company says but do not know if 90 days is the official rule.


Assets for Independence Act Evaluation:
Phase I Implementation Final Report
October 5, 2001

(2) (b) Programs vary in their leniency or stringency, according to organizations' philosophies. A program can be lenient or stringent in several respects: (1) the minimum deposit required; (2) attitude toward participants' unrealistic aspirations; (3) tolerance for emergency withdrawals; (4) tolerance for inactive accounts, or participants who appear unlikely to attain their saving goal; and (5) how closely saving deposits are monitored. One consequence of a relatively "lenient" program design may be a higher number of inactive accounts (because more individuals are accepted who may not succeed). Another might be saving requirements that are unrealistically low for the asset in question, especially for home purchase in tight housing markets.

Accepted Solution

Rich Rumble earned 800 total points
ID: 18055592
HIPAA consists of guidelines more than rules or laws; they are open and not set in stone. http://en.wikipedia.org/wiki/HIPAA#The_Security_Rule
If anything, they are "minimum" requirement guidelines that are still open to interpretation. For instance:
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
    * Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
    * Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
    * Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
The first point above basically says use encrypted email/IM (it doesn't say use PGP for email or Jabber for IM specifically); it allows you to pick what will work for your users.
The second says try to ensure data integrity; that might mean backups contain checksums, data is encrypted in the DB, etc.
Point 3 is a recommendation addressing the issues above...

Assisted Solution

Tim Holman earned 600 total points
ID: 18060547
If an account is sleeping/inactive for over 90 days, then it's highly possible that the account owner has left the company or taken extended leave. There should be a security policy that, in conjunction with your HR department, ensures that anyone taking extended absence has their account suspended, and anyone who actually leaves has it permanently deactivated. These are the bits you'll trip up on with HIPAA, as there shouldn't be ANY reason accounts don't get used for this long! :)
If you've only just adopted HIPAA, then you'll need to link up with HR and ensure that their records match IT's records.
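The reconciliation Tim describes (compare the directory's inactive accounts with what HR says about each person, then suspend, deactivate or flag) can be scripted. The following is an added example for this thread, not code from any of the posters; the two CSV exports, the account names, the `svc_` prefix convention, the 90-day threshold and the HR status values (`active`, `leave`, `terminated`) are all constructed assumptions, not anything HIPAA prescribes.

```python
"""Reconcile inactive logon accounts against an HR roster.

Added example for this thread; it is not code from any of the posts above.
Everything here is constructed: the two CSV exports, the account names,
the 90-day threshold and the HR status values are assumptions, not
anything HIPAA itself prescribes.
"""
import csv
import io
from datetime import date

INACTIVITY_DAYS = 90          # assumed review threshold, as in the question
TODAY = date(2006, 11, 30)    # fixed "today" so the example is reproducible

# Constructed directory export. last_logon is empty when the account has
# never logged on. Note: if this comes from AD's lastLogonTimestamp, that
# attribute only replicates about every 14 days by default, so "90 days"
# really means "somewhere between 90 and ~104 days"; pad the threshold or
# the expectation accordingly.
ACCOUNTS_CSV = """username,last_logon,created,enabled
alice,2006-11-20,2004-02-01,true
bob,2006-07-15,2003-06-12,true
carol,2006-05-01,2005-01-10,true
dave,,2006-05-20,true
erin,2006-11-01,2005-03-03,true
frank,2006-06-01,2002-09-09,true
grace,2006-11-25,2006-10-01,true
henry,2006-01-01,2002-01-01,false
svc_backup,,2004-01-01,true
"""

# Constructed HR roster (the HR-side record that IT's records must match).
HR_CSV = """username,status
alice,active
bob,terminated
carol,leave
dave,active
erin,active
"""


def parse_date(text):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def days_inactive(row, today):
    """Days since last logon; for never-used accounts, days since creation."""
    last = parse_date(row["last_logon"]) or parse_date(row["created"])
    return (today - last).days


def reconcile(accounts_csv, hr_csv, today, threshold=INACTIVITY_DAYS,
              ignore_prefix="svc_"):
    """Return {username: action} for every enabled account that needs attention.

    deactivate - HR says the person has left: disable whatever the logon history
    suspend    - HR says extended leave: disable until they return
    disable    - no HR record and inactive past the threshold (orphan account)
    review     - inactive past the threshold but HR still lists the person as
                 active, or an orphan account that is still being used
    """
    hr = {r["username"]: r["status"] for r in load_csv(hr_csv)}
    actions = {}
    for row in load_csv(accounts_csv):
        user = row["username"]
        if user.startswith(ignore_prefix):
            continue  # service accounts never log on interactively; review separately
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to do
        status = hr.get(user)
        inactive = days_inactive(row, today) > threshold
        if status == "terminated":
            actions[user] = "deactivate"
        elif status == "leave":
            actions[user] = "suspend"
        elif status is None:
            actions[user] = "disable" if inactive else "review"
        elif inactive:
            actions[user] = "review"
    return actions


def run_example():
    return reconcile(ACCOUNTS_CSV, HR_CSV, TODAY)


if __name__ == "__main__":
    for user, action in sorted(run_example().items()):
        print(f"{user:12s} {action}")
```

The script only produces a list of proposed actions; applying them (disabling the account, removing group memberships, preserving the mailbox for retention) is left to whatever directory tooling you use, so that a reviewer can sign off before anything is changed. The "review" bucket is the interesting one: an account HR considers active that nobody has used in three months, or an account HR has no record of at all, is exactly the HR/IT mismatch the answer above warns about.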
