HIPAA log requirements clarification

In response to yesterday's diary we have received quite a flurry of emails asking for clarification of the six-year HIPAA log retention requirement. This may seem a bit convoluted if you're not used to rummaging around inside US Federal statutes, so here goes.

The specific language in HIPAA introduces the six-year window in two places. The first is the patient's right to an accounting of disclosures: "An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested." The second is in the "Security Standards for the Protection of Electronic Protected Health Information": "(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later." That paragraph (b)(1) pertains to records that: "(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form;" and "(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."

Regarding the patient's right to an accounting: "disclosures" is a tough word, since a PHI (Protected Health Information) disclosure can be intentional, accidental, malicious, etc. To exercise due diligence in the protection of PHI we (I and others) conduct security audits, penetration tests, policy reviews, etc. Should a covered entity NOT retain system logs for 6 years, and it later be revealed that PHI was disclosed but the system records of that disclosure are no longer available, especially when a patient requests an accounting, there is a problem.

The second passage is much clearer: you must record and maintain records about policies and procedures and their enforcement. This has little to do with system and network logs.
Even the Office of the Secretary of HHS waffled when asked about retaining system logs. From Federal Register / Vol. 68, No. 34:

q. Comment: One commenter asked that data retention be addressed more specifically, since this will become a significant issue over time. It is recommended that a national work group be convened to address this issue.
Response: The commenter's concern is noted. While the documentation relating to Security Rule implementation must be retained for a period of 6 years (see § 164.316(b)(2)), it is not within the scope of this final rule to address data retention time frames for administrative or clinical records.

As is indicated here, the six-year standard need not be taken literally for all system and network logs. However, as the language is deliberately vague, there is the possibility of later court "interpretation". For now, you need to weigh the cost of storage against the risk of a hungry litigator and a willing court. For file server access logs, which are the records that would show a disclosure, retaining them for six years is probably wise. For router, IDS/IPS/firewall logs, you are less likely to run into trouble. The final rule can be read at: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf

Mozilla foundation discloses and fixes three vulns

Mark Dowd of the discovered a GIF library overflow condition that could be used to execute arbitrary code with the rights of the browser or mail client process. According to ISS:
Firefox 1.0.2, Thunderbird 1.0.2, and Mozilla Suite 1.7.6 address this and two other less serious bugs. Mozilla advisories are at:
http://www.mozilla.org/security/announce/mfsa2005-32.html
http://www.mozilla.org/security/announce/mfsa2005-31.html
http://www.mozilla.org/security/announce/mfsa2005-30.html

And for goodness' sake, folks, always ski in control! Cheers! g
George, Mar 24th 2005