HIPAA Compliance
Dave Lasley edited this page Aug 11, 2015
The following features need to be implemented before this system is HIPAA compliant. Some of these may be implemented already; I just haven't found them yet.
- Account Management – Success/Failure
- Directory Service Access – Success/Failure
- System Events – Success/Failure
- Object Access Attempts – Success/Failure
- Object Deletions
- Group Management
- Password Reset Attempts by Users
- Password Reset Attempts by Administrators or Account Operators
- Computer Account Management
- Directory Service Access Attempts
- Logon Failures – Active Directory
- Logon Failures – Local Logons
- It would be nice to mark a field as ePHI and then provide seamless at-rest encryption for it. This would let users avoid encrypting the whole drive the database sits on (allowing for SaaS).
- Force HTTPS?
- Cannot send emails containing ePHI
- Versioning on ePHI (addressable)
- Enforcement of strong passwords is a requirement
- Expiring passwords
- Session expiry time
- Password reset key expiry time
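The password items above (strong-password enforcement, password and session expiry, reset-key expiry) and the audit items (recording each password reset attempt as Success/Failure, separately for users and administrators) fit together in one small piece of logic. The following is an added example, not code from this project: it uses only the Python standard library, and every threshold (12 characters, 90-day password age, 15-minute idle session, 1-hour reset key, PBKDF2 round count) is an assumed placeholder value, since the page states the requirements but no numbers.

```python
"""Added example (not the project's own code): strong-password checks,
expiry rules and a Success/Failure audit record for password reset attempts.
All thresholds below are assumed values; the page gives none."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values (placeholders, not taken from the page).
MIN_LENGTH = 12
PASSWORD_MAX_AGE = timedelta(days=90)
SESSION_IDLE_TIMEOUT = timedelta(minutes=15)
RESET_KEY_TTL = timedelta(hours=1)
PBKDF2_ROUNDS = 200_000


def password_problems(password: str) -> list:
    """Return the strong-password rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def is_expired(started: datetime, now: datetime, lifetime: timedelta) -> bool:
    """One rule shared by password age, idle sessions and reset keys."""
    return now - started > lifetime


@dataclass
class AuditEvent:
    when: datetime
    category: str      # e.g. "Password Reset Attempt by User"
    actor: str
    target: str
    outcome: str       # "Success" or "Failure"
    detail: str = ""


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, **kw) -> AuditEvent:
        ev = AuditEvent(**kw)
        self.events.append(ev)
        return ev

    def failures(self, category: str = None) -> list:
        return [e for e in self.events
                if e.outcome == "Failure" and (category is None or e.category == category)]


def reset_password(log, actor, target, is_admin, key_issued_at, new_password, now):
    """Apply one reset attempt, logging Success or Failure; returns (ok, reason)."""
    category = ("Password Reset Attempt by Administrator" if is_admin
                else "Password Reset Attempt by User")
    problems = password_problems(new_password)
    if is_expired(key_issued_at, now, RESET_KEY_TTL):
        reason = "reset key expired"
    elif problems:
        reason = "weak password: " + ", ".join(problems)
    else:
        reason = ""
    log.record(when=now, category=category, actor=actor, target=target,
               outcome="Failure" if reason else "Success", detail=reason)
    return (not reason), reason


def demo() -> AuditLog:
    """Constructed scenario: an expired key, an admin choosing a weak password, one success."""
    log = AuditLog()
    t0 = datetime(2015, 8, 11, 9, 0)
    reset_password(log, "alice", "alice", False, t0 - timedelta(hours=2), "Tr0ub4dor&3xyz", t0)
    reset_password(log, "admin", "bob", True, t0, "password", t0)
    reset_password(log, "carol", "carol", False, t0 - timedelta(minutes=10), "Tr0ub4dor&3xyz", t0)
    return log
```

The same `is_expired` rule covers the three lifetimes on the list; a real deployment would read the thresholds from configuration and persist `AuditLog` in append-only storage rather than memory.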