Hi Tami, when you email notes that it is a "summary of the system requirements for Part 11 and HIPAA's security rule", does that mean that this summary is from HHS or another government source, or did someone compile this summary based upon their understanding of HIPAA requirements for data security?
Thanks, Tami,
Bill

_____
From: FileMaker Pro Discussions [mailto:[EMAIL PROTECTED] On Behalf Of Tami Williams
Sent: Friday, December 05, 2008 12:19 PM
To: [email protected]
Subject: Re: need info about FileMaker 9 and HIPPA compliance

Here's a summary of the system requirements for Part 11 and HIPAA's security rule. Does this cover everything? Is everything on this list required?

1. Access control - unique user identification login system with a method for identifying and tracking each user; require user-specific log-ins, no shared logins; define and follow processes which provide access only to authorized users (human or electronic); deny access to unauthorized users. (Access Controls, User Authentication, and Password Management)
   a. validation
   b. granting
   c. role-based
   d. function-based

2. Contingency Planning/Emergency Access Procedure - Follow reliable backup procedures, and develop a contingency plan appropriate to address the most likely emergencies.

3. Audit log, Access reporting, Incident tracking: track who logged in and when; track data modification - where appropriate and relevant - and system access, and provide a mechanism for review. (Audit log, Access reporting, Incident tracking)

4. Data integrity: Create a controlled environment where create, edit, and delete functionality is limited to authorized users under "proper" circumstances. (Incorporate Data Integrity via Role- and Function-based Access Controls, User Authentication, Password Management, and Audit Log)

5. User authentication: The system must be able to validate the unique identity of each user seeking access - including non-human connections. (Access Controls and User Authentication)

6. Transmission Security: Protect against unauthorized access during any and all network transmissions. (Incorporate Access Controls, Data-level Encryption, Network Encryption via FileMaker Server, and External Security Measures.)

-----
Are these also "required"?

7. Automatic log-off

8. Encryption/Decryption: All electronic protected health information (ePHI) must be protected with encryption, but not to the extent that it is no longer accessible. A decryption mechanism must therefore be provided for the retrieval of encrypted ePHI; apply an Encryption/Decryption schema to all fields containing ePHI. Encrypt ePHI. You may edit and view ePHI in a pre-encryption or decrypted state, but do not store unencrypted ePHI.

9. Mechanism to Authenticate ePHI: the system must be able to substantiate that it has not permitted unauthorized alteration or destruction of ePHI. Use an audit trail to prove that only authorized alterations and deletions have occurred, but the auditing of activity does not prevent unauthorized activity. A combination of measures must be employed to ensure the failure of unauthorized attempts to alter or destroy ePHI. (Access Reporting, Incident Tracking, Access Controls, Auto Log-off, Encryption, User Authentication, and Password Management)

10. Integrity Controls: Protect ePHI during transmission (regardless of to whom) such that modification during transmission will be detected. Utilize Encryption and Access Controls to protect ePHI, and employ Data Authentication measures to verify Data Integrity.

And these:

12. Password management
6. User documentation
10. Data authentication

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It's better to burn out than to fade away."

Tami Williams
Creative Computing
Improve, manage and unify data with custom database and web applications.
FileMaker and Lasso specialist.
Tel: 770.457.3221
Fax: 770.454.7419
E-Mail: [EMAIL PROTECTED]
Web: http://www.asktami.com
FileMaker Solutions Alliance Associate | Lasso Professional Alliance Member
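Items 1, 3, 4 and 9 of the list above (role-based create/edit/delete control, an audit trail of who changed what, and a way to substantiate that the trail itself was not altered) can be demonstrated together in a small self-contained store. The following is an added example written for this page; it is not FileMaker code and not from the thread. The class names (EphiStore, AuditLog), the role table, the patient record and the in-memory audit key are all hypothetical; a real deployment would keep the key outside the database (an HSM or key service) and would write the log to append-only storage, since a chained MAC only detects tampering, it does not prevent it, which is exactly the caveat in item 9.

```python
"""Role-checked ePHI edits recorded in an HMAC-chained, tamper-evident audit trail.

Added example, not from the original mailing-list thread or from FileMaker.
Every name below is hypothetical; the audit key is generated in memory for
the demo only.
"""
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical role-to-permission table (role- and function-based access control).
PERMISSIONS = {
    "clinician": {"read", "create", "edit"},
    "records_admin": {"read", "create", "edit", "delete"},
    "billing": {"read"},
}


class AuthorizationError(PermissionError):
    """Raised when a user's role does not permit the requested function."""


class AuditLog:
    """Append-only log. Each entry's MAC covers the previous entry's MAC, so
    editing, deleting or reordering any entry breaks the chain on verify()."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = b"\x00" * 32          # chain anchor for the first entry

    def _mac(self, prev: bytes, entry: dict) -> bytes:
        body = json.dumps(entry, sort_keys=True).encode()   # canonical form
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def append(self, user: str, action: str, record_id: str, detail: str = "") -> dict:
        entry = {"ts": time.time(), "user": user, "action": action,
                 "record": record_id, "detail": detail}
        mac = self._mac(self._prev, entry)
        entry["mac"] = mac.hex()
        self.entries.append(entry)
        self._prev = mac
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the anchor; False on any altered or missing entry."""
        prev = b"\x00" * 32
        for e in self.entries:
            unsigned = {k: v for k, v in e.items() if k != "mac"}
            expected = self._mac(prev, unsigned)
            if not hmac.compare_digest(expected, bytes.fromhex(e["mac"])):
                return False
            prev = expected
        return True


class EphiStore:
    """Records reachable only through role-checked functions; every attempt,
    allowed or denied, is written to the audit trail. Only field names go into
    the log, never the ePHI values themselves."""

    def __init__(self, audit: AuditLog):
        self._records = {}
        self._audit = audit

    def _check(self, user, role, action, record_id):
        if action not in PERMISSIONS.get(role, set()):
            self._audit.append(user, "denied:" + action, record_id)
            raise AuthorizationError(f"{user} ({role}) may not {action} {record_id}")

    def read(self, user, role, record_id):
        self._check(user, role, "read", record_id)
        self._audit.append(user, "read", record_id)
        return dict(self._records[record_id])

    def create(self, user, role, record_id, data):
        self._check(user, role, "create", record_id)
        self._records[record_id] = dict(data)
        self._audit.append(user, "create", record_id, ",".join(sorted(data)))

    def edit(self, user, role, record_id, field, value):
        self._check(user, role, "edit", record_id)
        self._records[record_id][field] = value
        self._audit.append(user, "edit", record_id, field)

    def delete(self, user, role, record_id):
        self._check(user, role, "delete", record_id)
        del self._records[record_id]
        self._audit.append(user, "delete", record_id)


def demo():
    """Constructed sample activity: one allowed create, one allowed edit, one denied delete."""
    log = AuditLog(secrets.token_bytes(32))
    store = EphiStore(log)
    store.create("alice", "clinician", "pt-1001", {"mrn": "000123", "dx": "J45.20"})
    store.edit("alice", "clinician", "pt-1001", "dx", "J45.21")
    try:
        store.delete("bob", "billing", "pt-1001")   # billing role has read only
    except AuthorizationError:
        pass
    return log, store


if __name__ == "__main__":
    log, store = demo()
    for e in log.entries:
        print(e["user"], e["action"], e["record"], e["detail"])
    print("chain intact:", log.verify())
    log.entries[1]["user"] = "mallory"          # simulate an after-the-fact edit
    print("chain intact after tampering:", log.verify())
```

The design point is the separation in item 9: the role check is what prevents unauthorized changes, and the chained log is what lets you later prove which changes happened and that nobody rewrote the history. Keeping only field names in the detail column avoids turning the audit trail into a second, unencrypted copy of the ePHI.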
