HHS also had a slew of other requests:
- Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
- Please provide a list of terminated employees.
- Please provide a list of all new hires.
- Please provide a list of encryption mechanisms used for ePHI.
- Please provide a list of authentication methods used to identify users authorized to access ePHI.
- Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
- Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
- Please provide organizational charts that include names and titles for the management information system and information system security departments.
- Please provide entity-wide security program plans (e.g., System Security Plan).
- Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
- Please provide a list of systems administrators, backup operators and users.
- Please include a list of antivirus servers installed, including their versions.
- Please provide a list of software used to manage and control access to the Internet.
- Please provide the antivirus software used for desktop and other devices, including their versions.
- Please provide a list of users with remote access capabilities.
- Please provide a list of database security requirements and settings.
- Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
- Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.