The most important administrative safeguard is the implementation of the HIPAA-required data retention period of six years. The types of data that need to be retained include records related to the actions, activities, and assessments required by HIPAA. Medical records do not need to be retained in this way.

- Tamperproof logging – Automated logging that cannot be modified needs to be in place to create reliable audit trails.
- User account control – User accounts and groups need to adhere to the principle of least privilege, enabling only authorized users to access HIPAA data.
- Access controls – MSPs must enforce robust security measures to protect all hardware, including workstations and mobile devices.

Physically protecting HIPAA data is mandatory and includes the following physical safeguards.

- Datacenter security – Data centers must be resilient and maintain a 24/7/365 manned security presence. Access to the data center must be limited to authorized individuals.

- Backup monitoring – Monitoring with automated logging must be implemented to ensure backups are running successfully and to alert support teams to issues that need to be resolved.
- Data restoration – The MSP or covered entity must have the capability to restore data to its original or a different location.
- Data redundancy – There needs to be at least two copies, and preferably three, of all data in scope for HIPAA compliance. Three copies provide the onsite production data, regular backups, and disaster recovery media. Ideally, one set of data should be stored offsite for use in a disaster recovery exercise.
- Data transfers – All data transmitted over a public network needs to be encrypted to protect it from unauthorized access. This includes backups, which should be encrypted when they are created. When creating backups over a network to a cloud provider, all traffic needs to be encrypted.
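The backup safeguards above (two copies minimum and three preferred, one offsite, backups encrypted, monitoring that alerts support teams to failed or stale jobs) expressed as an automated inventory check. This is an added example, not material from the page; the inventory layout, dataset names and the 24-hour staleness threshold are assumptions.

```python
# Added example: check a backup inventory against the safeguards listed above.
# Inventory layout, dataset names and the 24h threshold are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)  # assumed threshold for a stale backup job

@dataclass
class Copy:
    location: str           # where this copy of the data lives
    offsite: bool           # held away from the production site
    encrypted: bool         # encrypted when the copy was created
    last_success: datetime  # last successful backup or replication run

def check_dataset(name, copies, now):
    """Return (severity, message) findings for one dataset; [] means compliant."""
    findings = []
    if len(copies) < 2:
        findings.append(("ALERT", f"{name}: only {len(copies)} copy; two is the minimum"))
    elif len(copies) < 3:
        findings.append(("WARN", f"{name}: two copies; three are recommended"))
    if not any(c.offsite for c in copies):
        findings.append(("ALERT", f"{name}: no offsite copy for disaster recovery"))
    for c in copies:
        if not c.encrypted:
            findings.append(("ALERT", f"{name}: {c.location} copy is not encrypted"))
        if now - c.last_success > MAX_BACKUP_AGE:
            findings.append(("ALERT", f"{name}: {c.location} backup is stale"))
    return findings

def run_checks(inventory, now):
    """Check every dataset; the result is what backup monitoring raises to support."""
    return {name: check_dataset(name, copies, now) for name, copies in inventory.items()}

# Constructed sample inventory, not real systems.
NOW = datetime(2024, 1, 10, 12, 0)
def hours_ago(n): return NOW - timedelta(hours=n)
INVENTORY = {
    # compliant: three copies, one offsite, all encrypted and recent
    "ehr-db": [Copy("onsite-prod", False, True, hours_ago(1)),
               Copy("onsite-backup", False, True, hours_ago(6)),
               Copy("offsite-dr", True, True, hours_ago(12))],
    # two copies only; the offsite copy is unencrypted and three days stale
    "audit-logs": [Copy("onsite-prod", False, True, hours_ago(2)),
                   Copy("cloud-dr", True, False, hours_ago(72))],
    # a single onsite copy and nothing offsite
    "imaging": [Copy("onsite-prod", False, True, hours_ago(3))],
}

if __name__ == "__main__":
    for dataset, findings in run_checks(INVENTORY, NOW).items():
        for severity, message in findings or [("OK", f"{dataset}: compliant")]:
            print(severity, message)
```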