HIPAA audit: The 42 questions HHS might ask

They cover everything from security to employee status to Internet use

1 2 Page 2
Page 2 of 2

HHS also had a slew of other requests:

  1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
  2. Please provide a list of terminated employees.
  3. Please provide a list of all new hires.
  4. Please provide a list of encryption mechanisms use for ePHI.
  5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
  6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
  7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
  8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
  9. Please provide entity wide security program plans (e.g System Security Plan).
  10. Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
  11. Please provide a list of systems administrators, backup operators and users.
  12. Please include a list of antivirus servers, installed, including their versions.
  13. Please provide a list of software used to manage and control access to the Internet.
  14. Please provide the antivirus software used for desktop and other devices, including their versions.
  15. Please provide a list of users with remote access capabilities.
  16. Please provide a list of database security requirements and settings.
  17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
  18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

Copyright © 2007 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon