HIPAA requirements for a small doctor's office

I keep being asked by doctors (MDs and dentists) what they need to know about HIPAA and their PCs, network and data.

I know HIPAA doesn't have hard and fast rules, but was hoping to be able to point them to something on the web that would help on things like:

Windows logon passwords - how often do they need to expire (30, 60, 90 days?), how many characters, etc.

Server - needs to be in a locked room?

Screen saver - kicks in after x minutes of idle time?

Backups - if they back up with Windows Backup to an external hard drive, what do they need to be sure to do with that? Can they take it offsite (it's unencrypted data)? Keep it under lock and key, etc.

One of my clients is a large radiology firm. HIPAA is a big chunk of time. The rules are vague on purpose. Passwords do need to expire in a reasonable time period. It is up to the office to decide reasonable.

Server needs to be in a room secured from the public, a locked room is good, but access should be controlled as well.

Screen saver kicking in is the same as password. The key here is to make sure the office has documented policies and procedures. We make sure the policies are vague and as general as can be, and have procedures that back them. The procedures are what we review often and measure against.

Are you looking for specifics, a website?

I manage a few companies that have to comply with the HIPAA requirements. We have Windows Server domains at all these locations, on which each user has their own logon. We have them reset their password on a quarterly basis. We have the system lock timeout set to 15 minutes, but they rarely see this screen because they are always on the computer.
At all locations the server is kept in a separate room with a lock on it. I am not sure if this is required though, because we already had it set up like this before these requirements.
We do encrypt all of the backups because they are taken off-site on a weekly basis.
As sliiconman stated, make sure you keep these procedures documented. You only need a page or so about how your network is set up and how this data is secured.
I hope this helps. Good luck.
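The answer above describes the controls it relies on (domain logons with quarterly password rotation, a 15-minute lock timeout) and the question asks for a checklist. The following PowerShell audit script is an added example, not code from either poster: it reads the Default Domain Password Policy and the machine- or user-level screen-lock settings and reports what falls outside the thresholds. The 90-day and 15-minute values come from the answer; the 8-character minimum is an assumed threshold, and all of them should be replaced with whatever the office's documented procedure says.

```powershell
# Added audit example (not from the thread). Requires the ActiveDirectory
# RSAT module for the domain check; the screen-lock check is local-only.
$MaxPasswordAgeDays = 90   # "quarterly" rotation from the answer above
$MinPasswordLength  = 8    # assumed threshold, not stated in the thread
$MaxLockMinutes     = 15   # lock timeout from the answer above

$findings = @()

# --- Default Domain Password Policy ---
try {
    $pol = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    # "Never expires" is reported as TimeSpan.MaxValue, so -gt catches it too.
    if ($pol.MaxPasswordAge.TotalDays -gt $MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $([int]$pol.MaxPasswordAge.TotalDays) days (want <= $MaxPasswordAgeDays)"
    }
    if ($pol.MinPasswordLength -lt $MinPasswordLength) {
        $findings += "MinPasswordLength is $($pol.MinPasswordLength) (want >= $MinPasswordLength)"
    }
    if (-not $pol.ComplexityEnabled) { $findings += "Password complexity is disabled" }
    if ($pol.LockoutThreshold -eq 0)  { $findings += "Account lockout is disabled" }
} catch {
    $findings += "Could not read domain password policy: $($_.Exception.Message)"
}

# --- Screen lock ---
# Either the machine-wide inactivity limit (Interactive logon: Machine
# inactivity limit) or a password-protected screen saver policy for the
# current user satisfies the check.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$usr = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue

$inactivity = [int]$sys.InactivityTimeoutSecs       # DWORD, seconds
$ssTimeout  = [int]$usr.ScreenSaveTimeOut           # REG_SZ, seconds
$ssSecure   = [int]$usr.ScreenSaverIsSecure         # REG_SZ, "1" = require password
$limitSecs  = $MaxLockMinutes * 60

$machineOk = ($inactivity -gt 0) -and ($inactivity -le $limitSecs)
$userOk    = ($ssTimeout -gt 0) -and ($ssTimeout -le $limitSecs) -and ($ssSecure -eq 1)
if (-not ($machineOk -or $userOk)) {
    $findings += "No enforced screen lock within $MaxLockMinutes minutes (InactivityTimeoutSecs=$inactivity, ScreenSaveTimeOut=$ssTimeout, ScreenSaverIsSecure=$ssSecure)"
}

if ($findings.Count -eq 0) { "All checks passed" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a domain-joined workstation as a user who receives the office's Group Policy; a passing result still needs to be recorded against the written procedure, since the thread's point is that the documented policy is what an auditor measures against.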
babaganoosh (Author) commented:
silicon - yes, a website / checklist / list of items to be sure to touch / address would be great.

Do you say to clients "yes, you are HIPAA compliant"? Do they ask you if they are, based on what you are doing? How do you answer?

HIPAA compliance is a mess. I often have an outside auditor come in to these sites to provide an audit, as I am not qualified by any means. They provide a checklist of what is good/bad/ugly.

I would not trust any website, as who knows what's changed. You may want to look at http://www.hipaa.org/.

How do I answer "Are you HIPAA compliant?" I don't - I am not an auditor or an expert on the rules.

When you have an external auditor come in, the liability is off you as an expert. It is a world that I do not want to be the expert in. HIPAA is concerned with ePHI and everything else, ePHI being mostly what us IT folk focus on. When the auditor comes in, they give me the rules and the good/bad/ugly. From there I work with the client to review and remediate. At $25000 a fine this is usually not a big deal to the customer. Nobody wants the OIG in their office auditing on their terms.