[THIN] Re: OT: Audit boundaries

  • From: Magnus Hjorleifsson <magnus@xxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Sun, 12 Sep 2010 23:34:37 -0400

I haven't been through a HIPAA audit, although I have been through SOX and SAS 
audits (financial audits done by the SEC and FED for a few different 
countries). The only way we would be in compliance with segregation and 
ensuring secrecy laws and mandates couldn't be bypassed was the setting up of a 
separate domain in the same forest and reducing the ACLs on the trust.

Sent from my iPhone

On Sep 12, 2010, at 23:19, Tom Sorenson <tsorenson99@xxxxxxxxx> wrote:

> Sorry for the OT post, but I'm hoping the great wisdom of this list can help 
> me settle a domain design argument currently going on at my employer.
> I work for a university.  The university also has a clinical (hospital) 
> component that is for the most part separate from the university with the 
> exception of the med school.
> I've argued for a 2 domain design that separates the clinical areas into 
> their own domain.  My logic being that our anticipated HIPAA audit would only 
> encompass the domain containing the clinical areas.
> There is a vocal camp that believes everything should reside in a single 
> domain and that the clinical areas should be in their own OU. They reason 
> that any HIPAA audit would be limited to resources within that OU.
> I'm of the belief that if everything is in a single domain that the entire 
> domain becomes subject to a HIPAA audit.  
> Can anyone advise what their experience has been in a similar audit 
> situation, whether an audit would be limited to an OU or would the entire 
> domain and its resources be subject to audit?
> All opinions are welcome.
> Thanks!