[THIN] OT: Audit boundaries

  • From: Tom Sorenson <tsorenson99@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sun, 12 Sep 2010 22:19:56 -0500

Sorry for the OT post, but I'm hoping the great wisdom of this list can help
me settle a domain design argument currently going on at my employer.

I work for a university.  The university also has a clinical (hospital)
component that is for the most part separate from the university with the
exception of the med school.

I've argued for a 2 domain design that separates the clinical areas into
their own domain.  My logic is that our anticipated HIPAA audit would
only encompass the domain containing the clinical areas.

There is a vocal camp that believes everything should reside in a single
domain and that the clinical areas should be in their own OU.  They reason
that any HIPAA audit would be limited to resources within that OU.

I'm of the belief that if everything is in a single domain, the entire
domain becomes subject to a HIPAA audit.

Can anyone advise what their experience has been in a similar audit
situation: whether an audit would be limited to an OU, or whether the entire
domain and its resources would be subject to audit?

All opinions are welcome.

Thanks!
