[unisog] HIPAA Hybrid Entities and Active Directory

Chris Green cmgreen at uab.edu
Wed Oct 12 16:04:03 GMT 2005

On 10/12/05 9:59 AM, "McLaughlin, Bryan" <bmclaughlin at creighton.edu> wrote:

> For other Universities that have declared themselves as Hybrid entities under
> HIPAA and Microsoft's Active Directory as your Official directory service; how
> have you dealt with the covered and non-covered entities within your AD?  Have
> you created two separate forests, one for covered and one for non-covered
> entities; or have you simply created the separation via organizational units.

We are hybrid. We treat them as separate OUs, but we did that without
thinking about HIPAA.  Our OUs are for computers, groups, and policies
only, not for users.

Not everything we do is in AD. In our campus LDAP, we have marked "HIPAA
affected" employees with a flag and have a system that pesters them to get
their HIPAA security course taken care of.  This could be used in the future
if we needed to get further separation.

Separating the HIPAA users out doesn't make a lot of sense to me because we
need to worry about FERPA and other regulations just the same for other
units (and the HIPAA affected ones).

For HIPAA, what risk are you trying to avoid by placing them in a separate
forest?  What business processes does that get in the way of?  I think you
just need to be able to justify your position.

Chris Green
UAB Data Security, 5-0842
