HIPAA Security Requirements for sleeping (inactive) logon accounts

Posted on 2006-11-30
Medium Priority
Last Modified: 2010-04-11
What is the rule for the logon accounts that are sleeping/inactive for a number of months?
I heard that if the account is in inactivity for over 90 days, the account is subject to deletion.
Any ideas/sources?

Question by:ethanjohnsons
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Assisted Solution

overflow34 earned 600 total points
ID: 18051936
I am not 100% sure on the time frame for this. the US dept on helath and human services has a page that when searched show programs vary in their leniency according to Philosophies.  I am not a HIPAA expert.  I know what our company says but do not know if 90 days is the official rule.  


Assets for Independence Act Evaluation:
Phase I Implementation Final Report
October 5, 2001

(2) (b) Programs vary in their leniency or stringency, according to organizations' philosophies. A program can be lenient or stringent in several respects: (1) the minimum deposit required; (2) attitude toward participants' unrealistic aspirations; (3) tolerance for emergency withdrawals; (4) tolerance for inactive accounts, or participants who appear unlikely to attain their saving goal; and (5) how closely saving deposits are monitored. One consequence of a relatively "lenient" program design may be a higher number of inactive accounts (because more individuals are accepted who may not succeed). Another might be saving requirements that are unrealistically low for the asset in question, especially for home purchase in tight housing markets.
LVL 13

Expert Comment

ID: 18055549
LVL 38

Accepted Solution

Rich Rumble earned 800 total points
ID: 18055592
The HIPAA are guidelines more than they are rules or laws, they are open and not set in stone. http://en.wikipedia.org/wiki/HIPAA#The_Security_Rule
If anything they are "minimum" requirement guidelines that are still up to interpretation. For instance:
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
    * Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
    * Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
    * Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
The first point above basically says, use encrypted email/IM (it doesn't say use PGP for email or Jabber for IM specifically), it allows you to pick what will work for your users
The second says, try to ensure data integrity, that might mean backup's contain checksums, data is encrypted in the DB etc...
Point 3 is a recommendation to the issues above...
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 600 total points
ID: 18060547
If an account is sleeping/inactive for over 90 days, then it's highly possible that the account owner has left the company, or taken extended leave.  There should be a security policy, that, in conjunction with your HR department, ensures that anyone taking extended absence should have their account suspended, plus anyone who actually leaves should have it permantently deactivated.  These are the bits you'll trip up with on HIPAA, as there shouldn't be ANY reason accounts don't get used for this long! :)
If you've only just adopted HIPAA, then you'll need to link up with HR and ensure that they're records match IT's records.

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question