Does the HIPAA Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to select the technology that best fits their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems with electronic protected health information (PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.
Related Questions
- Do the HIPAA Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employee accesses electronic PHI?
- Does the HIPAA Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
- What are the minimum computer requirements for the FP32 Software used in both Systems?
