HIPAA network and hosting

Our company is required to have HIPAA hosting and a HIPAA network. I understood we can consult with a HIPAA consultant, but we first want to learn what a company should do if it wants to be HIPAA compliant.

Our company has a small office with just 10 employees. Only PCs, no server. Physically, it is very simple.
We have only one website as well, and of course hope to get it HIPAA protected as well.

If you have been in this situation, sharing what we should do and how we should get started would definitely help.
Dr. Klahn, Principal Software Engineer, commented:
"I understood we can consult with a HIPAA consultant, but we first want to learn what a company should do if it wants to be HIPAA compliant."

That's why you need a professional, highly paid HIPAA consultant with a contract - to find out what your company should do if you want to be HIPAA compliant.

HIPAA is not like "What's best practice for LAN wiring?"  It drags in legal issues, and most of us are not lawyers.  If ever legal push comes to legal shove you will need to show that from day one, you used the best available sources.  So get your legal department involved immediately before going further on the technical side because things that look perfectly reasonable to a technician or engineer might be abominations from a legal standpoint.  Again, best available sources.

Lee W, MVP, Technology and Business Process Advisor, commented:
In general I agree with Dr. Klahn.  HIPAA is a VAGUE set of rules regarding protecting PHI in your possession.  Things like ensuring only authorized people have access to things (your bookkeeper almost certainly doesn't need access to someone's medical records).  You need to make sure you take all "reasonable" precautions and security measures to protect the data.  That includes things like using complex passwords, encrypting laptops, using a REAL firewall.  And it's unlikely you'll ever find any of this stuff in an "official" checklist.  (HIPAA consultants may have a generalized checklist, but no "official" checklist exists.)

If you have a breach and can prove you took reasonable precautions to protect the data and in turn report the breach and notify affected individuals, you are generally compliant as I understand it.  Problem is, what's reasonable?  If attorneys suing you don't think you took reasonable precautions and can prove that, you lose.  There's no checklist.  Was it reasonable?  Having a $500,000 firewall and intrusion prevention system for a company of 10 with annual revenues of $1,000,000 wouldn't necessarily be reasonable.  But neither would having a $50 Linksys router and turning off the firewalls on all PCs because it's easier to connect that way.  (Servers make a lot of this stuff EASIER but do require additional skills.)
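The measures Lee W lists (host firewalls left on, laptops encrypted, a real password policy, and access limited to people who need it) can be checked on each Windows PC before anyone asks a consultant to sign off. The script below is an added example written for this thread, not code from either commenter or from Experts Exchange. It assumes a Windows 10/11 PC with PowerShell 5.1 run as an administrator, and the 12-character minimum password length is an assumed threshold for illustration, not a figure HIPAA prescribes. It only reads state; it changes nothing.

```powershell
# Added example: read-only audit of the baseline controls discussed above,
# for one Windows PC. Run from an elevated PowerShell 5.1 session.
# The thresholds below are assumptions for illustration, not HIPAA rules.

$findings = @()

# 1. Host firewall: all three profiles (Domain, Private, Public) should be
#    enabled rather than switched off "because it's easier to connect that way".
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($profile.Name)' is disabled"
    }
}

# 2. Disk encryption: every volume BitLocker knows about should be protected.
#    The BitLocker cmdlets are absent on Windows Home, so report that case
#    instead of letting the script fail.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($volume in Get-BitLockerVolume) {
        if ($volume.ProtectionStatus -ne 'On') {
            $findings += "Volume $($volume.MountPoint) is not BitLocker-protected (status: $($volume.ProtectionStatus))"
        }
    }
} else {
    $findings += "BitLocker cmdlets not available on this edition; disk encryption could not be verified"
}

# 3. Password policy: read the effective local minimum length from 'net accounts'.
#    Output is joined into one string so -match populates $Matches.
$minimumLength = 12   # assumed threshold for this example
$accountPolicy = (net accounts) -join "`n"
if ($accountPolicy -match 'Minimum password length:\s+(\d+)') {
    $currentLength = [int]$Matches[1]
    if ($currentLength -lt $minimumLength) {
        $findings += "Minimum password length is $currentLength (expected at least $minimumLength)"
    }
} else {
    $findings += "Could not read minimum password length from 'net accounts'"
}

# 4. Least privilege: list who holds local Administrators membership so that
#    a bookkeeping or shared account is not quietly an administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
Write-Host "Local Administrators on $env:COMPUTERNAME: $($admins -join ', ')"

# 5. Summary: one line per finding, or a clean bill for this machine.
if ($findings.Count -eq 0) {
    Write-Host "No findings: firewall profiles on, volumes encrypted, password length >= $minimumLength"
} else {
    foreach ($finding in $findings) { Write-Host "FINDING: $finding" }
}
```

Run it on each of the ten PCs and keep the output with the date; the point is not that a clean run makes you compliant, but that a dated record of what was checked is exactly the "best available sources" evidence Dr. Klahn says you will need if the question of reasonableness is ever argued. Anything the script flags is a configuration to fix, and the administrator list is something to review by hand against who actually needs that access.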