Here's a summary of the system requirements for Part 11 and HIPAA’s
security rule.
Does this cover everything? Is everything on this list required?
1. Access control - unique user identification login system with a
method for identifying and tracking each user; require user-specific
log-ins, no shared logins; define and follow processes which provide
access only to authorized users (human or electronic); deny access to
unauthorized users. (Access Controls, User Authentication, and
Password Management)
a. validation
b. granting
c. role-based
d. function-based
2. Contingency Planning/Emergency Access Procedure - Follow reliable
backup procedures, and develop a contingency plan appropriate to
address the most likely emergencies.
3. Audit log, Access reporting, Incident tracking: track who logged
in and when; track data modification—where appropriate and relevant—
and system access, and provide a mechanism for review. (Audit log,
Access reporting, Incident tracking)
4. Data integrity: Create a controlled environment where create,
edit, and delete functionality is limited to authorized users under
“proper” circumstances. (Incorporate Data Integrity via Role- and
Function-based Access Controls, User Authentication, Password
Management, and Audit Log)
5. User authentication: The system must be able to validate the
unique identity of each user seeking access—including non-human
connections. (Access Controls and User Authentication)
6. Transmission Security: Protect against unauthorized access during
any and all network transmissions.
(Incorporate Access Controls, Data-level Encryption, Network
Encryption via FileMaker Server, and External Security Measures. )
-----
Are these also "required"?
7. Automatic log-off
8. Encryption/Decryption: All electronic protected health information
(ePHI) must be protected with encryption, but not to the extent that
is no longer accessible. A decryption mechanism must therefore be
provided for the retrieval of encrypted ePHI; Apply an Encryption/
Decryption schema to all fields containing ePHI. Encrypt ePHI. You
may edit and view ePHI in a pre-encryption or decrypted state, but do
not store unencrypted ePHI.
9. Mechanism to Authenticate ePHI: system must be able to
substantiate that it has not permitted unauthorized alteration or
destruction of ePHI. Use an audit trail to prove that only
authorized alterations and deletions have occurred, but the auditing
of activity does not prevent unauthorized activity. A combination of
measures must be employed to ensure the failure of unauthorized
attempts to alter or destroy ePHI. (Access Reporting, Incident
Tracking, Access Controls, Auto Log-off, Encryption, User
Authentication, and Password Management)
10. Integrity Controls: Protect ePHI during transmission (regardless
of to whom) such that modification during transmission will be
detected. Utilize Encryption and Access Controls to protect ePHI, and
employ Data Authentication measures to verify Data Integrity.
And these:
12. Password management
6. User documentation
10. Data authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It's better to burn out than to fade away."
Tami Williams
Creative Computing
Improve, manage and unify data with custom database and web
applications.
FileMaker and Lasso specialist.
Tel: 770.457.3221
Fax: 770.454.7419
E-Mail: [EMAIL PROTECTED]
Web: http://www.asktami.com
FileMaker Solutions Alliance Associate | Lasso Professional Alliance
Member
