{"id":572,"date":"2007-06-21T09:05:08","date_gmt":"2007-06-21T13:05:08","guid":{"rendered":"http:\/\/www.wehuberconsultingllc.com\/wordpress\/?p=572"},"modified":"2007-06-21T09:23:33","modified_gmt":"2007-06-21T13:23:33","slug":"hipaa-audit-the-42-questions-hhs-might-ask","status":"publish","type":"post","link":"https:\/\/wehuberconsultingllc.com\/wordpress\/2007\/06\/21\/hipaa-audit-the-42-questions-hhs-might-ask\/","title":{"rendered":"HIPAA audit: The 42 questions HHS might ask"},"content":{"rendered":"
\n

A document obtained by Computerworld<\/i> from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for:<\/p>\n

    \n
  1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI). <\/li>\n
  2. Emergency access to electronic information systems. <\/li>\n
  3. Inactive computer sessions (periods of inactivity). <\/li>\n
  4. Recording and examining activity in information systems that contain or use ePHI. <\/li>\n
  5. Risk assessments and analyses of relevant information systems that house or process ePHI data. <\/li>\n
  6. Employee violations (sanctions). <\/li>\n
  7. Electronically transmitting ePHI. <\/li>\n
  8. Preventing, detecting, containing and correcting security violations (incident reports). <\/li>\n
  9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports. <\/li>\n
  10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring. <\/li>\n
  11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers. <\/li>\n
  12. Physical access to electronic information systems and the facility in which they are housed. <\/li>\n
  13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?). <\/li>\n
  14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software. <\/li>\n
  15. Internet usage. <\/li>\n
  16. Wireless security (transmission and usage). <\/li>\n
  17. Firewalls, routers and switches. <\/li>\n
  18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas. <\/li>\n
  19. Terminating an electronic session and encrypting and decrypting ePHI. <\/li>\n
  20. Transmitting ePHI. <\/li>\n
  21. Password and server configurations. <\/li>\n
  22. Anti-virus software. <\/li>\n
  23. Network remote access. <\/li>\n
  24. Computer patch management.<\/li>\n<\/ol>\n

    HHS also had a slew of other requests:<\/p>\n

      \n
    1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI. <\/li>\n
    2. Please provide a list of terminated employees. <\/li>\n
    3. Please provide a list of all new hires. <\/li>\n
    4. Please provide a list of encryption mechanisms use for ePHI. <\/li>\n
    5. Please provide a list of authentication methods used to identify users authorized to access ePHI. <\/li>\n
    6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals. <\/li>\n
    7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network. <\/li>\n
    8. Please provide organizational charts that include names and titles for the management information system and information system security departments. <\/li>\n
    9. Please provide entity wide security program plans (e.g System Security Plan). <\/li>\n
    10. Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges. <\/li>\n
    11. Please provide a list of systems administrators, backup operators and users. <\/li>\n
    12. Please include a list of antivirus servers, installed, including their versions. <\/li>\n
    13. Please provide a list of software used to manage and control access to the Internet. <\/li>\n
    14. Please provide the antivirus software used for desktop and other devices, including their versions. <\/li>\n
    15. Please provide a list of users with remote access capabilities. <\/li>\n
    16. Please provide a list of database security requirements and settings. <\/li>\n
    17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple<\/a>, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI. <\/li>\n
    18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems. <\/li>\n<\/ol>\n<\/blockquote>\n

      Source: HIPAA audit: The 42 questions HHS might ask<\/a> <\/p>\n

      Jeff of the HIPAA Blog talks more about the questions here<\/a> and that the questions are pertinent to all firms with information security requirements.<\/p>\n","protected":false},"excerpt":{"rendered":"

      A document obtained by Computerworld from a reliable source indicates that Piedmont was presented with a list of 42 items that HHS officials wanted information on within 10 days. Specifically, Piedmont was asked to provide policies and procedures for: Establishing and terminating users’ access to systems housing electronic patient health information (ePHI). Emergency access to … Continue reading “HIPAA audit: The 42 questions HHS might ask”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[14],"tags":[131],"class_list":["post-572","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p4iN3d-9e","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/posts\/572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/comments?post=572"}],"version-history":[{"count":0,"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/posts\/572\/revisions"}],"wp:attachment":[{"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/media?parent=572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/categories?post=572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wehuberconsultingllc.com\/wordpress\/wp-json\/wp\/v2\/tags?post=572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}