HIPAA Security Requirements for sleeping (inactive) logon accounts

Posted on 2006-11-30
Last Modified: 2010-04-11
What is the rule for the logon accounts that are sleeping/inactive for a number of months?
I heard that if the account is in inactivity for over 90 days, the account is subject to deletion.
Any ideas/sources?

Question by:ethanjohnsons

Assisted Solution

overflow34 earned 150 total points
ID: 18051936
I am not 100% sure on the time frame for this. the US dept on helath and human services has a page that when searched show programs vary in their leniency according to Philosophies.  I am not a HIPAA expert.  I know what our company says but do not know if 90 days is the official rule.

Assets for Independence Act Evaluation:
Phase I Implementation Final Report
October 5, 2001

(2) (b) Programs vary in their leniency or stringency, according to organizations' philosophies. A program can be lenient or stringent in several respects: (1) the minimum deposit required; (2) attitude toward participants' unrealistic aspirations; (3) tolerance for emergency withdrawals; (4) tolerance for inactive accounts, or participants who appear unlikely to attain their saving goal; and (5) how closely saving deposits are monitored. One consequence of a relatively "lenient" program design may be a higher number of inactive accounts (because more individuals are accepted who may not succeed). Another might be saving requirements that are unrealistically low for the asset in question, especially for home purchase in tight housing markets.
LVL 13

Expert Comment

ID: 18055549
LVL 38

Accepted Solution

Rich Rumble earned 200 total points
ID: 18055592
The HIPAA are guidelines more than they are rules or laws, they are open and not set in stone.
If anything they are "minimum" requirement guidelines that are still up to interpretation. For instance:
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
    * Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
    * Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
    * Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
The first point above basically says, use encrypted email/IM (it doesn't say use PGP for email or Jabber for IM specifically), it allows you to pick what will work for your users
The second says, try to ensure data integrity, that might mean backup's contain checksums, data is encrypted in the DB etc...
Point 3 is a recommendation to the issues above...
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 150 total points
ID: 18060547
If an account is sleeping/inactive for over 90 days, then it's highly possible that the account owner has left the company, or taken extended leave.  There should be a security policy, that, in conjunction with your HR department, ensures that anyone taking extended absence should have their account suspended, plus anyone who actually leaves should have it permantently deactivated.  These are the bits you'll trip up with on HIPAA, as there shouldn't be ANY reason accounts don't get used for this long! :)
If you've only just adopted HIPAA, then you'll need to link up with HR and ensure that they're records match IT's records.

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The 21st century solution to antiquated pagers.
With healthcare moving into the digital age with things like, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question