
HIPAA requirements for a small doctor's office

I keep being asked by doctors (MDs and dentists) what they need to know about HIPAA and their PCs, network and data.

I know HIPAA doesn't have hard and fast rules, but was hoping to be able to point them to something on the web that would help on things like:

Windows logon passwords - how often do they need to expire (30, 60, 90 days?), how many characters, etc.

Server - needs to be in a locked room?

Screen saver - kicks in after x minutes of idle time?

Backups - if they backup with Windows backup to an external hard drive, what do they need to be sure to do with that?  Can they take it offsite (it's unencrypted data)?  Keep under lock and key, etc.

5 Solutions
One of my clients is a large radiology firm. HIPAA is a big chunk of time. The rules are vague on purpose. Passwords do need to expire in a reasonable time period. It is up to the office to decide what is reasonable.

Server needs to be in a room secured from the public; a locked room is good, but access should be controlled as well.

Screen saver kicking in is the same as passwords. The key here is to make sure the office has documented policies and procedures. We make sure the policies are vague and as general as can be, and have procedures that back them. The procedures are what we review often and measure against.

Are you looking for specifics, a website?
I manage a few companies that have to comply with the HIPAA requirements. We have Windows Server domains at all these locations, on which each user has their own logon. We have them reset their password on a quarterly basis. We have the system lock timeout set to 15 minutes, but they rarely see this screen because they are always on the computer.
At all locations the server is kept in a separate room with a lock on it. I am not sure if this is required though, because we already had it set up like this before these requirements.
We do encrypt all of the backups because they are taken off-site on a weekly basis.
As sliiconman stated, make sure you keep these procedures documented. You only need a page or so about how your network is set up and how this data is secured.
I hope this helps. Good luck.
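As an added illustration (not code from anyone in this thread), the following PowerShell script checks a Windows domain machine against the settings described in the answer above: a password age no longer than a quarter, a password-protected screen lock at 15 minutes, and an encrypted external backup disk. It assumes the RSAT ActiveDirectory module and the BitLocker module are installed; the drive letter `E:` for the backup disk is a placeholder. It only reports gaps and changes nothing, so it is safe to run as part of the documented review the answers recommend.

```powershell
# Added example, not from the thread. Reports where a machine's settings differ
# from the thread's stated policy (quarterly password reset, 15-minute lock,
# encrypted off-site backups). Assumes RSAT ActiveDirectory + BitLocker modules.
#Requires -RunAsAdministrator
param(
    [int]$MaxPasswordAgeDays = 90,   # "quarterly" reset from the answer above
    [int]$MaxIdleMinutes     = 15,   # lock timeout from the answer above
    [string]$BackupDrive     = 'E:'  # ASSUMED mount point of the external backup disk
)

$findings = @()

# 1. Domain password policy. A MaxPasswordAge of zero means passwords never expire.
Import-Module ActiveDirectory -ErrorAction Stop
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MaxPasswordAge -eq [TimeSpan]::Zero -or
    $pol.MaxPasswordAge.TotalDays -gt $MaxPasswordAgeDays) {
    $findings += "Password max age is $($pol.MaxPasswordAge.TotalDays) days (0 = never); policy says <= $MaxPasswordAgeDays."
}
if (-not $pol.ComplexityEnabled) { $findings += "Password complexity is disabled." }
if ($pol.LockoutThreshold -eq 0)  { $findings += "Account lockout is disabled (LockoutThreshold = 0)." }

# 2. Screen saver lock for the current user. Values are REG_SZ strings; the
#    timeout is in seconds. If Group Policy enforces these, the effective values
#    live under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop.
$desk    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$active  = $desk.ScreenSaveActive    -eq '1'
$secure  = $desk.ScreenSaverIsSecure -eq '1'
$timeout = if ($desk.ScreenSaveTimeOut) { [int]$desk.ScreenSaveTimeOut } else { 0 }
if (-not ($active -and $secure)) {
    $findings += "Screen saver is not enabled with 'On resume, display logon screen'."
} elseif ($timeout -gt $MaxIdleMinutes * 60) {
    $findings += "Screen saver timeout is $($timeout / 60) minutes; policy says <= $MaxIdleMinutes."
}

# 3. Encryption on the backup disk that leaves the building.
if (Test-Path $BackupDrive) {
    $vol = Get-BitLockerVolume -MountPoint $BackupDrive -ErrorAction SilentlyContinue
    if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
        $findings += "Backup drive $BackupDrive is not BitLocker-protected; off-site copies would be unencrypted."
    }
} else {
    $findings += "Backup drive $BackupDrive is not attached; encryption could not be verified."
}

# Report. Keep the output with the office's written procedures as evidence of the review.
if ($findings.Count -eq 0) {
    "No findings: settings match the documented policy."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell on a domain-joined workstation with the backup disk attached; the thresholds are parameters so the office can substitute whatever its own written policy says.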
babaganoosh (Author) Commented:
silicon - yes, a website / checklist / list of items to be sure to touch / address would be great.

Do you say to clients 'yes, you are HIPAA compliant'? Do they ask you if they are, based on what you are doing? How do you answer?


HIPAA compliance is a mess. I often have an outside auditor come in to these sites to provide an audit, as I am not qualified by any means. They provide a checklist of what is good/bad/ugly.

I would not trust any website, as who knows what's changed. You may want to look at http://www.hipaa.org/.

How do I answer the "Are you HIPAA compliant?" question? I don't - I am not an auditor or an expert on the rules.

When you have an external auditor come in, the liability is off you as an expert. It is a world that I do not want to be the expert in. HIPAA is concerned with ePHI and everything else, ePHI being mostly what us IT folk focus on. When the auditor comes in, they give me the rules and the good, bad and ugly. From there I work with the client to review and remediate. At $25,000 a fine this is usually not a big deal to the customer. Nobody wants the OIG in their office auditing on their terms.
