
HIPAA requirements for a small doctor's office

I keep being asked by doctors (MDs and dentists) what they need to know about HIPAA and their PCs, network and data.

I know HIPAA doesn't have hard and fast rules, but was hoping to be able to point them to something on the web that would help on things like:

Windows logon passwords - how often do they need to expire (30, 60, 90 days?), how many characters, etc.

Server - needs to be in a locked room?

Screen saver - kicks in after x minutes of idle time?

Backups - if they backup with Windows backup to an external hard drive, what do they need to be sure to do with that?  Can they take it offsite (it's unencrypted data)?  Keep under lock and key, etc.

5 Solutions
One of my clients is a large radiology firm. HIPAA is a big chunk of time. The rules are vague on purpose. Passwords do need to expire in a reasonable time period. It is up to the office to decide reasonable.

Server needs to be in a room secured from the public, a locked room is good, but access should be controlled as well.

Screen saver kicking in is the same as password. The key here is to make sure the office has documented policies and procedures. We make sure the policies are vague and as general as can be, and have procedures that back them. The procedures are what we review often and measure against.

Are you looking for specifics, a website?
I manage a few companies that have to comply with the HIPAA requirements. We have Windows Server domains at all these locations which each user has their own logon. We have them reset their password on a quarterly basis. We have the system lock timeout set to 15 minutes, but they rarely see this screen because they are always on the computer.
At all locations the server is kept in a separate room with a lock on it. I am not sure if this is required though because we already had it setup like this before these requirements.
We do encrypt all of the backups because they are taken off-site on a weekly basis.
As sliiconman stated make sure you keep these procedures documented. You only need a page or so about how your network is setup and how this data is secured.
I hope this helps. Good luck.
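One way to turn the settings this answer describes (quarterly password expiry, a 15-minute lock timeout, encrypted backups that leave the building) into a repeatable check. This is an added PowerShell audit script, not code from anyone in this thread: it reads the domain's default password policy, the machine-wide inactivity limit, and the BitLocker state of the external backup drive, and reports PASS/FAIL per item. The 90-day, 8-character and 15-minute targets and the backup drive letter are assumptions taken from the posts or chosen for illustration; HIPAA itself sets no numbers, so the office's own written policy is what these values should be taken from.

```powershell
<#
 Added example (not from the thread's posters). Audits a small Windows domain
 against the controls described in the answer above: password expiry, idle lock,
 and an encrypted external backup drive. Run as an administrator on a
 domain-joined machine with RSAT (ActiveDirectory module) and BitLocker tools.
 All target values and the backup drive letter are assumptions; adjust them.
#>
param(
    [int]$MaxPasswordAgeDays = 90,     # "quarterly" reset, as described in the post
    [int]$MinPasswordLength  = 8,      # assumed minimum; HIPAA names no number
    [int]$LockTimeoutMinutes = 15,     # system lock timeout from the post
    [string]$BackupDrive     = 'E:'    # assumed letter of the external backup disk
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Observed, [string]$Expected) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{
        Check    = $Name
        Result   = $status
        Observed = $Observed
        Expected = $Expected
    })
}

# 1. Domain password policy (the "reset on a quarterly basis" control)
$pol = Get-ADDefaultDomainPasswordPolicy
$ageDays = $pol.MaxPasswordAge.Days
Add-Check 'Max password age' (($ageDays -gt 0) -and ($ageDays -le $MaxPasswordAgeDays)) `
    "$ageDays days" "1-$MaxPasswordAgeDays days (0 = never expires)"
Add-Check 'Min password length' ($pol.MinPasswordLength -ge $MinPasswordLength) `
    "$($pol.MinPasswordLength)" ">= $MinPasswordLength"
Add-Check 'Complexity enabled' $pol.ComplexityEnabled "$($pol.ComplexityEnabled)" 'True'
Add-Check 'Lockout threshold set' ($pol.LockoutThreshold -gt 0) "$($pol.LockoutThreshold)" '> 0'

# 2. Idle lock: machine-wide inactivity limit (Interactive logon: Machine inactivity limit)
$sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = (Get-ItemProperty -Path $sysPath -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$idleOk  = ($null -ne $idle) -and ($idle -gt 0) -and ($idle -le ($LockTimeoutMinutes * 60))
$idleObs = if ($null -eq $idle) { 'not set' } else { "$idle s" }
Add-Check 'Idle lock timeout' $idleOk $idleObs "1-$($LockTimeoutMinutes * 60) s"

# 3. Backup drive encryption: the backups in the thread are taken off-site weekly
$expectedBl = 'FullyEncrypted, protection On'
if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    Add-Check 'Backup drive encrypted' $false 'BitLocker cmdlets not available' $expectedBl
} else {
    $bl = Get-BitLockerVolume -MountPoint $BackupDrive -ErrorAction SilentlyContinue
    if ($null -eq $bl) {
        Add-Check 'Backup drive encrypted' $false "no BitLocker volume at $BackupDrive" $expectedBl
    } else {
        $blOk = ($bl.VolumeStatus -eq 'FullyEncrypted') -and ($bl.ProtectionStatus -eq 'On')
        Add-Check 'Backup drive encrypted' $blOk "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)" $expectedBl
    }
}

$results | Format-Table -AutoSize
# Non-zero exit so a scheduled task or monitoring job notices a failed check
if ($results.Result -contains 'FAIL') { exit 1 }
```

The script only reads settings; it changes nothing, so it can run on a schedule and its output kept with the office's written procedures as evidence that the documented policy matches what the machines actually enforce.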
babaganoosh (Author) commented:
silicon - yes, a website / checklist / list of items to be sure to touch / address would be great.

Do you say to clients 'yes, you are HIPAA compliant'? Do they ask you if they are based on what you are doing? How do you answer?


HIPAA compliance is a mess. I often have an outside auditor come in to these sites to provide an audit, as I am not qualified by any means. They provide a checklist of what is good/bad/ugly.

I would not trust any website, as who knows what's changed. You may want to look at http://www.hipaa.org/.

How do I answer the "Are you HIPAA compliant?" I don't - I am not an auditor or an expert on the rules.

When you have an external auditor come in, the liability is off you as an expert. It is a world that I do not want to be the expert in. HIPAA is concerned with ePHI and everything else, ePHI being mostly what us IT folk focus on. When the auditor comes in, they give me the rules and the good, bad and ugly. From there I work with the client to review and remediate. At $25000 a fine this is usually not a big deal to the customer. Nobody wants the OIG in their office auditing on their terms.