[unisog] HIPAA Security Audits?

H. Morrow Long morrow.long at yale.edu
Tue Jul 12 19:00:11 GMT 2005

Have any higher ed institutions decided how/if they are going to perform
audits of departments and/or systems to assess compliance with the HIPAA
Security regulations -- and if so what the audit assessment procedure(s)
would be?  I'm also interested in who would be performing these audits,
how often they would take place and what criteria would be used to
determine who/what/it would be audited (primary/secondary ePHI data,
etc.).   Have you received any advice as to what is considered to be a
reasonable policy/procedure from your legal or audit department (e.g.
is 'system activity review' of system logs for ePHI systems by the  
or department considered sufficient or is -- in addition -- a random  
check or regular audit of both physical and IT security of such systems
to be conducted)?  Respond in public or private -- a summary of the
responses will be posted.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS
