Educause Security Discussion mailing list archives
HIPAA Security Audits?
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Tue, 12 Jul 2005 15:03:19 -0400
Have any higher ed institutions decided how/if they are going to perform audits of departments and/or systems to assess compliance with the HIPAA Security regulations -- and if so what the audit assessment procedure(s) would be? I'm also interested in who would be performing these audits, how often they would take place and what criteria would be used to determined who/what/it would be audited (primary/secondary ePHI data, etc.). Have you received any advice as to what is considered to be a reasonable policy/procedure from your legal or audit department (e.g. is 'system activity review' of system logs for ePHI systems by the school or department considered sufficient or is -- in addition -- a random spot check or regular audit of both physical and IT security of such systems to be conducted? Respond in public or private -- a summary of the responses will be posted. - H. Morrow Long, CISSP, CISM, CEH University Information Security Officer Director -- Information Security Office Yale University, ITS
Attachment:
smime.p7s
Description:
Current thread:
- HIPAA Security Audits? H. Morrow Long (Jul 12)
- <Possible follow-ups>
- Re: HIPAA Security Audits? Penn, Blake (Jul 12)
- Re: HIPAA Security Audits? Sarah Stevens (Jul 12)