[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


HIPAA Security Requirements for sleeping (inactive) logon accounts

Posted on 2006-11-30
Medium Priority
Last Modified: 2010-04-11
What is the rule for the logon accounts that are sleeping/inactive for a number of months?
I heard that if the account is in inactivity for over 90 days, the account is subject to deletion.
Any ideas/sources?

Question by:ethanjohnsons
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Assisted Solution

overflow34 earned 600 total points
ID: 18051936
I am not 100% sure on the time frame for this. the US dept on helath and human services has a page that when searched show programs vary in their leniency according to Philosophies.  I am not a HIPAA expert.  I know what our company says but do not know if 90 days is the official rule.  


Assets for Independence Act Evaluation:
Phase I Implementation Final Report
October 5, 2001

(2) (b) Programs vary in their leniency or stringency, according to organizations' philosophies. A program can be lenient or stringent in several respects: (1) the minimum deposit required; (2) attitude toward participants' unrealistic aspirations; (3) tolerance for emergency withdrawals; (4) tolerance for inactive accounts, or participants who appear unlikely to attain their saving goal; and (5) how closely saving deposits are monitored. One consequence of a relatively "lenient" program design may be a higher number of inactive accounts (because more individuals are accepted who may not succeed). Another might be saving requirements that are unrealistically low for the asset in question, especially for home purchase in tight housing markets.
LVL 13

Expert Comment

ID: 18055549
LVL 38

Accepted Solution

Rich Rumble earned 800 total points
ID: 18055592
The HIPAA are guidelines more than they are rules or laws, they are open and not set in stone. http://en.wikipedia.org/wiki/HIPAA#The_Security_Rule
If anything they are "minimum" requirement guidelines that are still up to interpretation. For instance:
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
    * Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
    * Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
    * Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
The first point above basically says, use encrypted email/IM (it doesn't say use PGP for email or Jabber for IM specifically), it allows you to pick what will work for your users
The second says, try to ensure data integrity, that might mean backup's contain checksums, data is encrypted in the DB etc...
Point 3 is a recommendation to the issues above...
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 600 total points
ID: 18060547
If an account is sleeping/inactive for over 90 days, then it's highly possible that the account owner has left the company, or taken extended leave.  There should be a security policy, that, in conjunction with your HR department, ensures that anyone taking extended absence should have their account suspended, plus anyone who actually leaves should have it permantently deactivated.  These are the bits you'll trip up with on HIPAA, as there shouldn't be ANY reason accounts don't get used for this long! :)
If you've only just adopted HIPAA, then you'll need to link up with HR and ensure that they're records match IT's records.

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question