| Regulation, Specification, or Guidance | Requirement |
|---|---|
| 45 CFR Part 164 Subpart E<br>ASTM E1578-18 S-5-1 | 36.1 The system shall comply with privacy protection compliance like that found in HIPAA provisions. |
| 45 CFR Part 164.105<br>45 CFR Part 164 Subpart C<br>45 CFR Part 170.315 (d)<br>ASTM E1578-18 S-5-2 | 36.2 The system should be provisioned with enough security to prevent personally identifiable information in the system from being compromised. |
| 45 CFR Part 164.514 | 36.3 The system shall allow authorized individuals to de-identify select data in the system, including but not limited to names, geographic locations, dates, government-issued identification numbers, telephone numbers, email addresses, full-face photos, and other personal identifiers. |
| 45 CFR Part 164 Subpart E | 36.4 The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties. |