HIPAA network and hosting

ITsolutionWizard asked:
Our company is required to have HIPAA hosting and network. I understood we can consult with a HIPAA consultant, but we first want to learn what a company should do if it wants to be HIPAA compliant.

Our company has a small office with just 10 employees. Only PCs, no server. Physically, it is very simple.
We have only one website as well, and of course we hope to get that HIPAA protected as well.

If you have been in this situation, sharing what we should do and how we should get started will definitely help.
Principal Software Engineer
"I understood we can consult with a HIPAA consultant, but we first want to learn what a company should do if it wants to be HIPAA compliant."

That's why you need a professional, highly paid HIPAA consultant with a contract - to find out what your company should do if you want to be HIPAA compliant.

HIPAA is not like "What's best practice for LAN wiring?"  It drags in legal issues, and most of us are not lawyers.  If ever legal push comes to legal shove you will need to show that from day one, you used the best available sources.  So get your legal department involved immediately before going further on the technical side because things that look perfectly reasonable to a technician or engineer might be abominations from a legal standpoint.  Again, best available sources.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

In general I agree with Dr. Klahn.  HIPAA is a VAGUE set of rules regarding protecting PHI in your possession.  Things like ensuring only authorized people have access to things (your bookkeeper almost certainly doesn't need access to someone's medical records).  You need to make sure you take all "reasonable" precautions and security measures to protect the data.  That includes things like using complex passwords, encrypting laptops, using a REAL firewall.  And it's unlikely you'll ever find any of this stuff in an "official" checklist.  (HIPAA consultants may have a generalized checklist, but no "official" checklist exists).  If you have a breach and can prove you took reasonable precautions to protect the data and in turn report the breach and notify affected individuals, you are generally compliant as I understand it.  Problem is, what's reasonable?  If attorneys suing you don't think you took reasonable precautions and can prove that, you lose.  There's no checklist.  Was it reasonable?  Having a $500,000 firewall and intrusion prevention system for a company of 10 with annual revenues of $1,000,000 wouldn't necessarily be reasonable.  But neither would having a $50 Linksys router and turning off the firewalls on all PCs because it's easier to connect that way.  (Servers make a lot of this stuff EASIER but do require additional skills).

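For a PC-only office like the asker's, the three controls Lee W names (complex passwords, encrypted laptops, a real host firewall) can be verified per machine. The script below is an added example written for this page, not something posted in the thread; it assumes an English-language Windows 10/11 PC with PowerShell 5 or later, run as an administrator, and the minimum password length of 12 is an assumed local target rather than a HIPAA requirement (HIPAA does not specify one).

```powershell
# Added example (not from the thread): per-PC baseline check for the controls
# named in the answer above. Run on each workstation; collect the output.
# Assumptions: English Windows (net accounts output is localized), admin rights,
# BitLocker and NetSecurity modules present (Windows 8/Server 2012 and later).
#Requires -RunAsAdministrator

$MinPasswordLength = 12   # assumed local target, not a HIPAA number
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Disk encryption: every OS and fixed data volume should be protected.
try {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -in @('OperatingSystem', 'Data') -and $vol.ProtectionStatus -ne 'On') {
            $findings.Add("Volume $($vol.MountPoint) is not BitLocker protected (status: $($vol.VolumeStatus))")
        }
    }
} catch {
    $findings.Add("BitLocker check failed: $($_.Exception.Message)")
}

# 2. Host firewall: all three profiles (Domain, Private, Public) must be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings.Add("Windows Firewall profile '$($fwProfile.Name)' is disabled")
    }
}

# 3a. Minimum password length from the local account policy.
$minLenLine = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
$minLen = 0
if ($minLenLine -match '(\d+)\s*$') { $minLen = [int]$Matches[1] }
if ($minLen -lt $MinPasswordLength) {
    $findings.Add("Minimum password length is $minLen (target $MinPasswordLength)")
}

# 3b. Complexity requirement, exported from the local security policy.
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg | Out-Null
$complexity = Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*(\d)'
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $complexity -or $complexity.Matches[0].Groups[1].Value -ne '1') {
    $findings.Add("Password complexity requirement is not enabled")
}

# Report one line per finding so results from 10 PCs can be pasted together.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): all baseline checks passed"
} else {
    $findings | ForEach-Object { Write-Output "$($env:COMPUTERNAME): FINDING - $_" } 
}
```

The point of the check is evidence, not a pass mark: keeping the dated output from each PC is the kind of record that supports the "we took reasonable precautions" argument the answer describes. Adjust the thresholds to whatever your written policy says, and treat any BitLocker or policy failure as a finding to fix, not a reason to weaken the check.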