[THIN] OT: Audit boundaries
- From: Tom Sorenson <tsorenson99@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Sun, 12 Sep 2010 22:19:56 -0500
Sorry for the OT post, but I'm hoping the great wisdom of this list can help me settle a domain design argument currently going on at my employer. I work for a university. The university also has a clinical (hospital) component that is for the most part separate from the university, with the exception of the med school.

I've argued for a 2-domain design that separates the clinical areas into their own domain, my logic being that our anticipated HIPAA audit would only encompass the domain containing the clinical areas. There is a vocal camp that believes everything should reside in a single domain and that the clinical areas should be in their own OU. They reason that any HIPAA audit would be limited to resources within that OU. I'm of the belief that if everything is in a single domain, the entire domain becomes subject to a HIPAA audit.

Can anyone advise what their experience has been in a similar audit situation: whether an audit would be limited to an OU, or whether the entire domain and its resources would be subject to audit? All opinions are welcome. Thanks!
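Editor's added example, not code from the original post or its author. The technical fact underneath the OU-versus-domain question is that in Active Directory an OU is a delegation and Group Policy boundary, not a security boundary: rights inherited from the domain head and membership in domain-wide privileged groups reach into every OU no matter how the OU's own ACL is delegated. The script below, which assumes the RSAT ActiveDirectory module is installed and that the clinical OU is named "Clinical" (both assumptions), shows that directly by listing who is explicitly delegated on the OU, who reaches it through inheritance from the domain, and who holds domain-wide privileged group membership. Run it in a domain-joined PowerShell session with read access to the directory.

```powershell
# Editor's example: enumerate the effective administrators of an OU versus the domain.
# Assumptions: RSAT ActiveDirectory module present; the clinical OU is named "Clinical".
Import-Module ActiveDirectory

$ou = Get-ADOrganizationalUnit -Filter "Name -eq 'Clinical'"   # assumed OU name
if (-not $ou) { throw "No OU named 'Clinical' found; adjust the filter to your OU." }
$ouDn = $ou.DistinguishedName

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Rights set directly on the OU: the delegation the single-domain camp would point to.
Write-Host "== Explicit (non-inherited) Allow ACEs on $ouDn =="
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 2. Rights inherited from the domain head: these principals reach the OU whatever step 1 says.
Write-Host "== Inherited Allow ACEs (granted above the OU, usually at the domain root) =="
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Sort-Object IdentityReference -Unique |
    Format-Table -AutoSize

# 3. Domain-wide privileged groups whose members bypass OU delegation entirely.
#    Enterprise Admins is forest-wide, so a second domain in the same forest
#    would still show it; only a separate forest removes it from the list.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators') {
    Write-Host "== Members of $g (recursive) =="
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty SamAccountName
}
```

Whatever an auditor decides to scope, the output of step 2 and step 3 is the list of accounts that can read or change objects in the clinical OU, and none of those accounts are confined to the OU. That is the practical difference between "in its own OU" and "in its own domain", and the comment in step 3 is the caveat on the two-domain proposal: a second domain in the same forest still shares Enterprise Admins and the forest schema, so only a separate forest gives a boundary that domain-level delegation cannot cross.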