Solved

HIPAA Security Requirements for sleeping (inactive) logon accounts

Posted on 2006-11-30
Last Modified: 2010-04-11
What is the rule for the logon accounts that are sleeping/inactive for a number of months?
I heard that if the account is in inactivity for over 90 days, the account is subject to deletion.
Any ideas/sources?

thx
Question by:ethanjohnsons
 
LVL 2

Assisted Solution

by:overflow34
overflow34 earned 150 total points
ID: 18051936
I am not 100% sure on the time frame for this. The US Dept. of Health and Human Services has a page that, when searched, shows programs vary in their leniency according to philosophies. I am not a HIPAA expert. I know what our company says but do not know if 90 days is the official rule.

http://www.acf.hhs.gov/assetbuilding/AFIreportPhase1summary.html

Assets for Independence Act Evaluation:
Phase I Implementation Final Report
October 5, 2001

(2) (b) Programs vary in their leniency or stringency, according to organizations' philosophies. A program can be lenient or stringent in several respects: (1) the minimum deposit required; (2) attitude toward participants' unrealistic aspirations; (3) tolerance for emergency withdrawals; (4) tolerance for inactive accounts, or participants who appear unlikely to attain their saving goal; and (5) how closely saving deposits are monitored. One consequence of a relatively "lenient" program design may be a higher number of inactive accounts (because more individuals are accepted who may not succeed). Another might be saving requirements that are unrealistically low for the asset in question, especially for home purchase in tight housing markets.
 
LVL 13

Expert Comment

by:marine7275
ID: 18055549
 
LVL 38

Accepted Solution

by: Rich Rumble
Rich Rumble earned 200 total points
ID: 18055592
HIPAA is more a set of guidelines than rules or laws; they are open and not set in stone. http://en.wikipedia.org/wiki/HIPAA#The_Security_Rule
If anything they are "minimum" requirement guidelines that are still up to interpretation. For instance:
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
    * Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
    * Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
    * Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
The first point above basically says: use encrypted email/IM (it doesn't say to use PGP for email or Jabber for IM specifically); it allows you to pick what will work for your users.
The second says: try to ensure data integrity. That might mean backups contain checksums, data is encrypted in the DB, etc.
Point 3 is a recommendation to the issues above...
-rich
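The third bullet above lists checksums, message authentication and digital signatures together, but they do not give the same guarantee. The following is an added example (not code from any poster in this thread) showing the difference on a constructed PHI record: an unkeyed SHA-256 checksum can be recomputed by anyone who can rewrite the row, whereas an HMAC computed with a key the database writer does not hold cannot. The record, the key and the tampering scenario are all constructed for illustration.

```python
"""Checksum vs. keyed MAC for corroborating a stored PHI record.

Added example, not code from the thread. The record, the key and the
'attacker rewrites the row' scenario are constructed to show why an unkeyed
checksum is not enough on its own.
"""
import hashlib
import hmac
import json

# Constructed integrity key. In practice it lives with the verifier (e.g. an
# HSM or a secrets store), NOT in the same database as the records it protects.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

# Constructed sample record.
RECORD = {"patient_id": "P-0001", "dob": "1970-01-01", "rx": "metformin 500 mg"}


def canonical(record):
    """Serialise deterministically so the same content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record):
    """Unkeyed SHA-256 checksum: catches accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record, key):
    """HMAC-SHA256: catches deliberate modification by anyone without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record, stored):
    """Constant-time comparison of a recomputed checksum against the stored one."""
    return hmac.compare_digest(checksum(record), stored)


def verify_mac(record, stored, key):
    """Constant-time comparison of a recomputed HMAC against the stored one."""
    return hmac.compare_digest(mac(record, key), stored)


def tamper_demo():
    """Someone with write access to the DB changes the dose and recomputes the unkeyed checksum."""
    stored_sum = checksum(RECORD)
    stored_mac = mac(RECORD, INTEGRITY_KEY)

    altered = dict(RECORD, rx="metformin 5000 mg")
    # Unkeyed checksum: the tamperer can recompute it, so verification passes.
    forged_sum = checksum(altered)
    # Keyed MAC: without INTEGRITY_KEY the tamperer can only guess a key.
    forged_mac = mac(altered, b"guessed-key")

    return {
        "checksum_detects_tamper": not verify_checksum(altered, forged_sum),
        "mac_detects_tamper": not verify_mac(altered, stored_mac, INTEGRITY_KEY),
        "forged_mac_accepted": verify_mac(altered, forged_mac, INTEGRITY_KEY),
        "original_still_verifies": verify_checksum(RECORD, stored_sum)
                                   and verify_mac(RECORD, stored_mac, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

Running it reports that the forged checksum is accepted while the altered record fails the HMAC check, and that a MAC made with the wrong key is rejected. A digital signature extends the same idea to the case where the party verifying is not the party that wrote the record, so the verifier needs only the public key.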
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 150 total points
ID: 18060547
If an account is sleeping/inactive for over 90 days, then it's highly possible that the account owner has left the company or taken extended leave. There should be a security policy that, in conjunction with your HR department, ensures that anyone taking extended absence has their account suspended, plus anyone who actually leaves has it permanently deactivated. These are the bits you'll trip up on with HIPAA, as there shouldn't be ANY reason accounts don't get used for this long! :)
If you've only just adopted HIPAA, then you'll need to link up with HR and ensure that their records match IT's records.
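The reconciliation Tim describes (HR status driving suspension and deactivation, with the 90-day inactivity rule as the backstop) can be scripted against a directory export and an HR roster. The following is an added example, not code from this thread or from any poster; the CSV layouts, column names, the 90-day threshold as a policy value and every row of sample data are constructed assumptions, and the actions it emits are for a human to act on, not an automatic disable.

```python
"""Reconcile directory accounts against an HR roster and flag stale logons.

Added example for this thread, not code from any poster. The 90-day window,
the CSV layouts, the column names and every row below are constructed.
"""
import csv
import io
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)   # threshold discussed in the thread (assumed policy)
REPORT_DATE = date(2006, 11, 30)        # "today" for the constructed data

# Constructed directory export: who has an account and when it last logged on.
ACCOUNTS_CSV = """\
username,last_logon,enabled
asmith,2006-11-20,true
bjones,2006-07-01,true
cwu,2006-05-15,true
dlee,2006-11-28,true
efoster,2006-08-15,true
gkim,2006-09-01,true
hlane,2006-01-01,false
svc_backup,2006-08-30,true
"""

# Constructed HR roster: employment status per username.
HR_CSV = """\
username,status
asmith,active
bjones,leave
cwu,terminated
dlee,active
efoster,active
gkim,active
hlane,terminated
"""


def load_accounts(text):
    """Parse the directory export into {username: {last_logon, enabled}}."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        out[row["username"]] = {
            "last_logon": date.fromisoformat(row["last_logon"]),
            "enabled": row["enabled"].strip().lower() == "true",
        }
    return out


def load_roster(text):
    """Parse the HR roster into {username: status}."""
    return {r["username"]: r["status"].strip().lower()
            for r in csv.DictReader(io.StringIO(text))}


def classify(accounts, roster, today):
    """Decide an action per account.

    HR status wins over logon age: a terminated employee is deactivated even if
    the account was used yesterday, and an employee on leave is suspended.
    An enabled account HR has never heard of is flagged for review rather than
    silently kept; only then does the 90-day rule apply.
    """
    actions = {}
    for user, acct in accounts.items():
        if not acct["enabled"]:
            actions[user] = "already_disabled"
            continue
        status = roster.get(user)
        idle_for = today - acct["last_logon"]
        if status == "terminated":
            actions[user] = "deactivate"
        elif status == "leave":
            actions[user] = "suspend"
        elif status is None:
            actions[user] = "review_no_hr_record"
        elif idle_for > INACTIVITY_LIMIT:
            actions[user] = "disable_stale"
        else:
            actions[user] = "ok"
    return actions


def run_example(today=REPORT_DATE):
    """Run the reconciliation over the constructed data and return the actions."""
    return classify(load_accounts(ACCOUNTS_CSV), load_roster(HR_CSV), today)


if __name__ == "__main__":
    for user, action in sorted(run_example().items()):
        print(f"{user:12} {action}")
```

Two details worth noting in the constructed data: gkim last logged on exactly 90 days before the report date and is left alone, since the rule is "over 90 days"; and svc_backup is an enabled account with no HR record, which is the case a pure inactivity sweep would never surface but an HR-to-IT reconciliation does.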
