|
|
Line 1: |
Line 1: |
| ==31. Data integrity==
| |
|
| |
|
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable collapsible" border="1" cellpadding="10" cellspacing="0" width=80%
| |
| |-
| |
| ! colspan="1" style="text-align:left; padding-left:20px; padding-top:10px; padding-bottom:10px;"|
| |
| |-
| |
| ! style="color:brown; background-color:#ffffee;"|Requirement and response
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.1''' System functionality should support ALCOA principles.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.2''' The system shall protect entered data so as to prevent it from being obscured by new data, keeping both the old and current data available for review.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.3''' The system shall maintain a true, readable copy of an instrument's original (raw) data for on-demand review.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.4''' The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.5''' The system shall accurately reflect the system date and time in its use of electronic record time stamps.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.6''' The system shall require each and every user to be assigned a unique user ID.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.7''' The system shall prevent the modification, deletion, or disabling of its audit trail, as well as record such attempts.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''31.8''' The system shall be capable of identifying instances of audit processing failure (e.g., write errors, general failure of the audit tool, etc.), sending alerts or notifications to appropriate personnel in such cases.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
| ==32. Configuration management==
| |
|
| |
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable collapsible" border="1" cellpadding="10" cellspacing="0" width=80%
| |
| |-
| |
| ! colspan="1" style="text-align:left; padding-left:20px; padding-top:10px; padding-bottom:10px;"|
| |
| |-
| |
| ! style="color:brown; background-color:#ffffee;"|Requirement and response
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.1''' The system shall provide tools to enter and manage user-configurable lookup or master data.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.2''' The system shall allow authorized users to configure the specification limits for sample and instrument tests.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.3''' The system shall allow system nomenclature to be configured to use specific data code sets—such as the International Classification of Diseases or the Healthcare Common Procedure Coding System—or mandated terminology to support regulatory requirements.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.4''' The system should allow authorized personnel to configure the review and approval of multiple tests at the sample, batch, project, and experiment levels.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.5''' The system should allow warning and material specification limits to be entered and configured so as to allow their comparison against entered results and determinations for determining whether the results meet those specifications or limits.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.6''' The system should provide a configurable means of allowing the system to automatically save after each entry to help meet ALCOA, CGMP, and other requirements to contemporaneously record data into records.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.7''' The system should provide a configurable (based on sample, test, or both) means of permitting electronic signatures for both entered results and approved reports.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.8''' The system should be capable of providing a complete list of all tests loaded in the system, the amount of material required for each test, and to which location the samples are to be sent for testing.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.9''' The system shall support configurable laboratory workflows based on appropriate laboratory process and procedure.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.10''' The system shall allow authorized personnel to assign status values for purposes of tracking sample progress or other portions of laboratory workflow.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.11''' The system should allow authorized personnel to perform revision control of lookup or master data.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.12''' The system should provide a means for importing lookup or master data.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.13''' The system shall be able to define the number of significant figures (i.e., set rounding rules) for reported numeric data.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.14''' The system should allow calculated limits to be created and managed based on test results and relevant metadata.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.15''' The system should provide a clear alert or notification upon entry of out-of-specification results.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.16''' The system shall allow authorized personnel to update static and dynamic data.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.17''' The system should allow workflow events and status changes to trigger one or more user-defined actions.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.19''' The system should allow administrators to programmatically customize system modules or build calculations within the application.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.20''' The system should provide a multiuser interface that can be configured to local user needs, including display language, character sets, and time zones.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.21''' The system should support rules governing electronic records and electronic signatures in regulated environments.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.22''' The system shall provide a security interface usable across all modules of the system that secures data and operations and prevents unauthorized access to data and functions.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.26''' The system shall prevent the same combination of identification components from being used across more than one account.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts and electronic signings.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.33''' The system shall require at least one unique identification component for additional electronic signings (beyond initial login) during a single, continuous session.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.36''' The system shall force a user's electronic signature to be unique and traceable to a specific user's account.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.37''' The system shall prevent the reuse or reassignment of a user's electronic signature.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.38''' When the system generates a complete and accurate copy of an electronically signed record, it shall also display the printed name of the signer, the date and time of signature execution, and any applicable meaning associated with the signature. This shall be applicable for both electronically displayed and printed copies of the electronic record.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.39''' The system should provide a means to migrate static data into the system.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.40''' The system should provide a means for automatically authenticating if a user's proposed password meets the length, complexity, minimum number of changed characters, and other requirements as configured by the administrator or another authorized system user.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''32.41''' The system should provide a means for obscuring authentication feedback as it is entered into the system, e.g., displaying asterisks rather than the typed password or displaying actual typed feedback for a distinctly short period of time before obscuring it.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
| ==33. System validation and commission==
| |
|
| |
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable collapsible" border="1" cellpadding="10" cellspacing="0" width=80%
| |
| |-
| |
| ! colspan="1" style="text-align:left; padding-left:20px; padding-top:10px; padding-bottom:10px;"|
| |
| |-
| |
| ! style="color:brown; background-color:#ffffee;"|Requirement and response
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''33.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''33.2''' The vendor should be willing to provide access to source code through a suitable escrow.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''33.3''' The system should be able to document a summary and evaluation of enterprise performance markers and processes.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''33.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''33.5''' The system shall be validated initially and periodically, with those validation activities being documented, to ensure the accuracy, consistency, and reliability of system performance and its electronic records.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''33.6''' The documentation associated with system validation shall discuss all applicable steps of the life cycle, justify applied methods and standards, and include change control records and observed deviations during validation, if applicable.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
| ==34. System administration==
| |
|
| |
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable collapsible" border="1" cellpadding="10" cellspacing="0" width=80%
| |
| |-
| |
| ! colspan="1" style="text-align:left; padding-left:20px; padding-top:10px; padding-bottom:10px;"|
| |
| |-
| |
| ! style="color:brown; background-color:#ffffee;"|Requirement and response
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.2''' The system should provide a means for modifying personnel data in a batch.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.3''' The system should support the storage of standard and industry-specific data formats.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.4''' The system shall support the ability to define, record, and change the level of access for individual users to system groups, roles, machines, processes, and objects based on their responsibilities, including when those responsibilities change. The system should be able to provide a list of individuals assigned to a given system group, role, machine, process, or object.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.5''' The vendor should provide maintenance agreements and support services for its applications and services.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.)<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.8''' The system shall be able to tag and document an individual, group, and system account as having been validated for regulatory purposes, and remind the administrator or authorized personnel on a configurable schedule when the account should be validated again.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.9''' The system should provide a means of integrating with an enterprise personnel security directory, as well as physical security systems.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.11''' The system shall provide a means for migrating data to a new release upon system upgrade.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.12''' The system should be expedient with the retrieval of stored items.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.13''' The system shall allow the printing of stored electronic records in a complete, accurate, and human-readable format.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.14''' The system should provide some sort of support for use on mobile technologies, particularly for the purpose of receiving notifications and monitoring processes.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''34.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
| ==35. Cybersecurity==
| |
|
| |
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable collapsible" border="1" cellpadding="10" cellspacing="0" width=80%
| |
| |-
| |
| ! colspan="1" style="text-align:left; padding-left:20px; padding-top:10px; padding-bottom:10px;"|
| |
| |-
| |
| ! style="color:brown; background-color:#ffffee;"|Requirement and response
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''35.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''35.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''35.3''' The system should be able to support multifactor authentication.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''35.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''35.5''' The system should provide a means for authenticating an individual seeking to access any embedded cryptographic module within the system, as well as the individual's role in performing services within the module.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''35.6''' The system should prevent connected collaborative computing devices (e.g., cameras, microphones, interactive whiteboards) from being activated without explicit permission from the end user, and it should provide a clear indication of any activation to the end user.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
| ==36. Information privacy==
| |
|
| |
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable collapsible" border="1" cellpadding="10" cellspacing="0" width=80%
| |
| |-
| |
| ! colspan="1" style="text-align:left; padding-left:20px; padding-top:10px; padding-bottom:10px;"|
| |
| |-
| |
| ! style="color:brown; background-color:#ffffee;"|Requirement and response
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''36.1''' The system shall comply with privacy protection compliance like that found in HIPAA provisions.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''36.2''' The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''36.3''' The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| | style="padding:10px; background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties.<br /> <br /><div align="center"><hr width=60%></div><br/>'''RESPONSE''': <br /> <br />
| |
| |-
| |
| |}
| |
| |}
| |