HIPAA Compliance
Dave Lasley edited this page 2015-08-11 12:26:08 -07:00

HIPAA Compliance Requirements

The following features need to be implemented before this system is HIPAA compliant. Some of these may already be implemented; I just haven't found them yet.

Security Rule §164.306 and Privacy Rule §164.530(c)

Logging required:

  • Account Management - Success/Failure
  • Directory Service Access - Success/Failure
  • System Events - Success/Failure
  • Object Access Attempts - Success/Failure
  • Object Deletions
  • Group Management
  • Password Reset Attempts by Users
  • Password Reset Attempts by Administrators or Account Operators
  • Computer Account Management
  • Directory Service Access Attempts
  • Logon Failures - Active Directory
  • Logon Failures - Local Logons

Data protection/Integrity

  • It would be nice to mark a field as ePHI and have the application encrypt that field at rest transparently. Users would then not have to encrypt the drive that the database sits on, which also makes a SaaS deployment possible.
  • Force HTTPS for all requests?
  • Emails must never contain ePHI
  • Versioning (change history) on ePHI fields (addressable)
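One way to implement the "mark a field as ePHI, encrypt it at rest" idea. This is an added example, not code from this project: it assumes the `cryptography` package (AES-256-GCM), a hypothetical `EPHIField` descriptor, a hypothetical `Patient` model, and a master key that in production would come from a KMS/HSM or environment variable rather than the constructed test key used here. The record id and field name are bound into the ciphertext as associated data, so a ciphertext copied from one row to another fails to decrypt instead of silently revealing the wrong patient's data.

```python
"""Transparent field-level at-rest encryption for ePHI (added example).

Assumptions (not from the project):
  - `cryptography` is installed (AES-GCM via cryptography.hazmat).
  - MASTER_KEY is a constructed test key; in production fetch it from a
    KMS/HSM or secret store, never from the same database as the data.
  - Model objects carry a `record_id` attribute used as associated data.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed 256-bit test key so the example runs offline.
MASTER_KEY = AESGCM.generate_key(bit_length=256)
NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM


def master_key():
    """Key provider hook; swap for a KMS/HSM lookup in production."""
    return MASTER_KEY


class EPHIField:
    """Descriptor: plaintext on read, nonce||ciphertext||tag in storage.

    Stored on the instance under `_<name>_ct`, which is what would be
    persisted to the database column.
    """

    def __init__(self, key_provider):
        self.key_provider = key_provider

    def __set_name__(self, owner, name):
        self.name = name
        self.storage = "_" + name + "_ct"

    def _aad(self, obj):
        # Bind ciphertext to this model, row and column.
        return f"{type(obj).__name__}:{obj.record_id}:{self.name}".encode()

    def __set__(self, obj, value):
        if value is None:
            setattr(obj, self.storage, None)
            return
        nonce = os.urandom(NONCE_LEN)  # fresh random nonce per write
        ct = AESGCM(self.key_provider()).encrypt(
            nonce, value.encode("utf-8"), self._aad(obj))
        setattr(obj, self.storage, nonce + ct)

    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        blob = getattr(obj, self.storage, None)
        if blob is None:
            return None
        # Raises InvalidTag if the blob was altered or moved to another row.
        pt = AESGCM(self.key_provider()).decrypt(
            blob[:NONCE_LEN], blob[NONCE_LEN:], self._aad(obj))
        return pt.decode("utf-8")


class Patient:
    """Hypothetical model with two ePHI fields."""
    ssn = EPHIField(master_key)
    diagnosis = EPHIField(master_key)

    def __init__(self, record_id, ssn=None, diagnosis=None):
        self.record_id = record_id
        self.ssn = ssn
        self.diagnosis = diagnosis


def ephi_fields(cls):
    """Names of all fields marked as ePHI on a model class."""
    return [n for n, v in vars(cls).items() if isinstance(v, EPHIField)]


def stored_ciphertext(obj, field_name):
    """The bytes that would actually be written to the database."""
    return getattr(obj, "_" + field_name + "_ct")


def verify_record(obj):
    """Integrity check: True if every ePHI field authenticates and decrypts."""
    try:
        for name in ephi_fields(type(obj)):
            getattr(obj, name)
    except InvalidTag:
        return False
    return True


if __name__ == "__main__":
    p = Patient(record_id=1, ssn="123-45-6789", diagnosis="constructed sample")
    print(stored_ciphertext(p, "ssn").hex())  # what the DB sees
    print(p.ssn, verify_record(p))            # what the app sees
```

Two caveats a practitioner will hit immediately: encrypted columns cannot be searched or indexed directly (a keyed HMAC "blind index" column is the usual answer), and random 96-bit nonces are fine at this scale but a key should be rotated well before the number of writes under it approaches 2^32.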

Access Control §164.312(a)(2)(iii)

  • Enforce strong passwords (required)
  • Password expiry (maximum password age)
  • Session expiry time (idle timeout / automatic logoff)
  • Password reset key expiry time
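The four access-control items above, worked through in one place. This is an added example rather than the project's own code, in standard-library Python only; the thresholds (12 characters, 90-day maximum age, 15-minute idle timeout, 30-minute reset key lifetime) are assumed defaults and would normally come from configuration. Reset keys are stored only as a SHA-256 hash and are single use, so a database dump does not yield usable keys and a key cannot be replayed after the reset.

```python
"""Password policy, password/session expiry and single-use reset keys.

Added example, not project code. All thresholds below are assumptions.
Timestamps are Unix seconds passed in explicitly so the functions are
deterministic and testable; call with time.time() in real code.
"""
import hashlib
import re
import secrets

MIN_PASSWORD_LEN = 12          # assumed
PASSWORD_MAX_AGE_DAYS = 90     # assumed
SESSION_IDLE_TIMEOUT_S = 15 * 60  # assumed
RESET_KEY_TTL_S = 30 * 60      # assumed


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("too short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems


def password_expired(changed_at, now):
    """True once the password is older than the maximum age."""
    return now - changed_at > PASSWORD_MAX_AGE_DAYS * 86400


def session_expired(last_activity, now):
    """Idle-timeout check; the caller must refresh last_activity on each request."""
    return now - last_activity > SESSION_IDLE_TIMEOUT_S


def _key_hash(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ResetKeyStore:
    """Issues reset keys and redeems them exactly once, before they expire.

    Only the hash of a key is kept, so a leaked table cannot be used to
    reset anyone's password. A dict stands in for the database table.
    """

    def __init__(self):
        self._keys = {}  # sha256(key) -> (user_id, expires_at)

    def issue(self, user_id, now):
        key = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
        self._keys[_key_hash(key)] = (user_id, int(now) + RESET_KEY_TTL_S)
        return key  # sent to the user; never stored in the clear

    def redeem(self, key, user_id, now):
        """Consume the key. Any failed attempt also burns it."""
        entry = self._keys.pop(_key_hash(key), None)
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == user_id and now < expires_at


if __name__ == "__main__":
    store = ResetKeyStore()
    k = store.issue(user_id=7, now=1_000_000)
    print(password_problems("hunter2", "alice"))
    print(store.redeem(k, 7, 1_000_060), store.redeem(k, 7, 1_000_061))
```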