HIPAA requirements for a small doctor's office

Posted on 2008-11-04
Last Modified: 2012-05-05
I keep being asked by doctors (MDs and dentists) what they need to know about HIPAA and their PCs, network and data.

I know HIPAA doesn't have hard and fast rules, but was hoping to be able to point them to something on the web that would help on things like:

Windows logon passwords - how often do they need to expire (30, 60, 90 days?), how many characters, etc.

Server - needs to be in a locked room?

Screen saver - kicks in after x minutes of idle time?

Backups - if they back up with Windows Backup to an external hard drive, what do they need to be sure to do with that? Can they take it offsite (it's unencrypted data)? Keep under lock and key, etc.

Question by: babaganoosh (LVL 5)

    Accepted Solution

    One of my clients is a large radiology firm. HIPAA is a big chunk of time. The rules are vague on purpose. Passwords do need to expire in a reasonable time period. It is up to the office to decide reasonable.

    Server needs to be in a room secured from the public; a locked room is good, but access should be controlled as well.

    Screen saver kicking in is the same as password. The key here is to make sure the office has documented policies and procedures. We make sure the policies are vague and as general as can be, and have procedures that back them. The procedures are what we review often and measure against.

    Are you looking for specifics, a website?
    LVL 24

    Assisted Solution

    I manage a few companies that have to comply with the HIPAA requirements. We have Windows Server domains at all these locations, in which each user has their own logon. We have them reset their password on a quarterly basis. We have the system lock timeout set to 15 minutes, but they rarely see this screen because they are always on the computer.
    At all locations the server is kept in a separate room with a lock on it. I am not sure if this is required, though, because we already had it set up like this before these requirements.
    We do encrypt all of the backups because they are taken off-site on a weekly basis.
    As sliiconman stated, make sure you keep these procedures documented. You only need a page or so about how your network is set up and how this data is secured.
    I hope this helps. Good luck.
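    The three settings the answers above keep coming back to (password expiry, lock-screen timeout, encrypted off-site backups) can be checked against the office's own written policy rather than guessed at. The script below is an added example, not code posted by anyone in this thread; it assumes a domain-joined Windows machine with the ActiveDirectory and BitLocker PowerShell modules installed, and the threshold numbers (90 days, 15 minutes) and the `E:` backup mount point are illustrative assumptions to replace with whatever the office's documented procedure says.

```powershell
# Added example: read-only audit of password policy, screen lock and backup-drive
# encryption against thresholds taken from the office's written procedure.
# Assumptions: domain-joined host, ActiveDirectory + BitLocker modules present,
# and the values in $Policy are the office's own documented numbers.
$Policy = @{
    MaxPasswordAgeDays = 90     # quarterly resets, as in the answer above (assumed)
    MinPasswordLength  = 8      # assumed office value
    LockTimeoutSeconds = 900    # 15 minutes, as in the answer above (assumed)
    BackupDrive        = 'E:'   # assumed mount point of the external backup disk
}

$findings = @()

# 1. Domain password policy. A MaxPasswordAge of zero means "never expires".
try {
    $pw = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    $ageDays = $pw.MaxPasswordAge.TotalDays
    if ($pw.MaxPasswordAge -eq [TimeSpan]::Zero -or $ageDays -gt $Policy.MaxPasswordAgeDays) {
        $findings += "Password max age is $ageDays days (policy: at most $($Policy.MaxPasswordAgeDays))"
    }
    if ($pw.MinPasswordLength -lt $Policy.MinPasswordLength) {
        $findings += "Minimum password length is $($pw.MinPasswordLength) (policy: at least $($Policy.MinPasswordLength))"
    }
    if (-not $pw.ComplexityEnabled) {
        $findings += "Password complexity requirement is disabled"
    }
} catch {
    $findings += "Could not read domain password policy: $($_.Exception.Message)"
}

# 2. Screen lock for the current user. The Group Policy key takes precedence
#    over the user's own preference key, so it is consulted first.
function Get-ScreenLockSetting {
    param([string]$Name)
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }   # stored as REG_SZ
    }
    return $null
}

$active  = Get-ScreenLockSetting 'ScreenSaveActive'
$secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'
$timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'
if ($active -ne 1 -or $secure -ne 1) {
    $findings += "Screen saver is not enabled with password-on-resume for this user"
} elseif ($null -eq $timeout -or $timeout -gt $Policy.LockTimeoutSeconds) {
    $findings += "Screen lock timeout is $timeout seconds (policy: at most $($Policy.LockTimeoutSeconds))"
}

# 3. Backup drive encryption (BitLocker; needs Windows 7 / Server 2008 R2 or later).
try {
    $vol = Get-BitLockerVolume -MountPoint $Policy.BackupDrive -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Backup drive $($Policy.BackupDrive) is not protected by BitLocker (status: $($vol.ProtectionStatus))"
    }
} catch {
    $findings += "Could not query BitLocker on $($Policy.BackupDrive): $($_.Exception.Message)"
}

# 4. Report. An empty list means every checked setting matches the written policy.
if ($findings.Count -eq 0) {
    "All checked settings meet the documented policy."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

    The script only reads settings and reports gaps; it does not change anything, so it can be rerun at each review as evidence that the documented procedure is actually in effect. Note that the screen-lock check looks at the hive of the user running it, so it needs to be run as (or checked for) each account that handles patient data, which is one reason to push the lock timeout out through Group Policy rather than rely on per-user preferences.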

    Author Comment

    silicon - yes, a website / checklist / list of items to be sure to touch / address would be great.

Do you say to clients 'yes, you are HIPAA compliant'? Do they ask you if they are, based on what you are doing? How do you answer?

    LVL 5

    Assisted Solution

    HIPAA compliance is a mess. I often have an outside auditor come in to these sites to provide an audit, as I am not qualified by any means. They provide a checklist of what is good/bad/ugly.

    I would not trust any website, as who knows what's changed. You may want to look at

    How do I answer the "Are you HIPAA compliant?" I don't - I am not an auditor or an expert on the rules.

    When you have an external auditor come in, the liability is off you as an expert. It is a world that I do not want to be the expert in. HIPAA is concerned with ePHI and everything else, ePHI being mostly what us IT folk focus on. When the auditor comes in, they give me the rules and the good, bad, ugly. From there I work with the client to review and remediate. At $25,000 a fine this is usually not a big deal to the customer. Nobody wants the OIG in their office auditing on their terms.