| HIPAA requirement | Vendor responsibility in | ||
---|---|---|---|---|
SaaS | PaaS | IaaS | ||
1 | Security Management Process: Review permission setting and correct access rights | Yes | No | No |
2 | Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures. | Yes | No | No |
3 | Workforce Security: Ensure that only authorized workforce members have access to Electronic Protected Health Information | Yes | Yes | No |
4 | Information Access Management: Implement policies and procedures for accessing Electronic Protected Health Information | Yes | Yes | No |
5 | Access Control: Allow access only to the authorized workforce | Yes | Yes | Yes |
6 | Audit Control: Record and examine activities for Electronic Protected Health Information | Yes | Yes | Yes |