There are pages on pages of information on how to be HIPAA compliant. Reading through all of it is time consuming and at times very confusing. Here is a basic breakdown of what needs to be set up in your IT and network structure in order to meet the basic HIPAA requirements.
1: Every computer on your network has to have a password. The password should be at least moderately complex. Be careful with examples like smith!23: a surname plus a symbol and two digits is short and is one of the first patterns a password-guessing tool tries, so use something longer that is not built from a name or a dictionary word. Without a password any staff member or patient walking past can access your computer.
2: The PM (practice management) software has to have a user name and password that is unique to each staff member. Each staff member needs to log in with their own credentials when using a computer and log out (or lock the screen) when stepping away from it, so that the software's audit log shows who actually viewed or changed a record.
3: Any computer monitor in the office has to be placed so that other patients and visitors cannot see the information on that monitor.
4: Each computer needs up-to-date anti-virus/anti-malware software with nightly scans and definition updates. A paid, subscription-based product is going to offer you the best protection.
5: You need a firewall router that provides content security and AV protection. Most yearly-subscription routers like SonicWall or WatchGuard provide this within the router's interface. If you are using wireless, your router needs to be able to put the wireless clients on a separate IP scheme outside the range of your working LAN. So if your LAN is 192.168.1.0/24, your WLAN (wireless) should be something like 10.0.0.0/24. Note that a different address range by itself does not isolate anything: the wireless network has to be a separate interface or VLAN on the firewall, with a rule that blocks traffic from the wireless network into the LAN; otherwise a guest's laptop is one hop away from the PM server.
6: Backup. If you are running an onsite backup to a removable device, that device has to be encrypted and locked in a safe when it is not in use; if it is not, you will need to make it so. If you are using offsite or cloud storage, the company holding your data has to sign a Business Associate Agreement and provide its HIPAA compliance documentation; sending your data to a public data center or consumer cloud service without one is a violation. The data you back up has to be secured from theft and hackers wherever it sits, so encrypt it before it leaves the office and keep the key separate from the media: a lost drive or a breached provider then exposes nothing readable.
7: For every service tech or vendor you bring into your office who could see or handle patient information, a Business Associate Agreement (BAA) should be signed and kept on file onsite.
8: EMAIL!! Yes, we are all using e-mail almost minute by minute these days. However, sending patient information from your office to another office requires you to encrypt that email to protect the patient's personal information. There are a few companies that offer a service that will handle this encryption for you; RPost (rpost.com) is one of them. On top of that, it is our recommendation that you do not use Gmail, SBCGlobal, Yahoo, AOL or any other free consumer email service for your business email. Instead, use a business e-mail service from a provider that will sign a Business Associate Agreement; your web host or web site provider can often supply this, and your web site domain can be parked alongside your e-mail within the same company, making things a bit easier to manage.
9: Create a binder for your office that outlines all of the information above. Call it the HIPAA rule book, or something similar that you can direct a HIPAA auditor to if there is an audit, and note in it when each item was last checked.
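Added example, not from the original post and not any vendor's product: a small Go program showing what "the backup has to be secured from theft" in item 6 means in practice. The export is encrypted with AES-256-GCM before it touches the removable drive, the key is a separate file that stays in the safe, and a restore fails loudly if the drive was tampered with, the wrong key is used, or the blob was renamed to pass as a different backup. The sample export rows and the file-name label are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample export standing in for a practice-management backup.
// These are made-up rows, not real patient data.
var sampleBackup = []byte(
	"patient_id,last_name,dob\n" +
		"1001,Doe,1970-01-01\n" +
		"1002,Roe,1985-06-30\n")

// NewBackupKey makes a random 256-bit AES key. This key file, not the
// drive, is what goes in the safe; a stolen drive without it is just noise.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the backup with AES-256-GCM. Output layout is
// nonce || ciphertext || tag. The label (e.g. the backup file name) is
// bound in as associated data, so a blob cannot be quietly renamed or
// swapped for an older backup without the check failing on restore.
func Encrypt(key, plaintext []byte, label string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Decrypt reverses Encrypt and fails closed: a wrong key, a flipped byte
// on the media, or a mismatched label yields an error, never silent garbage.
func Decrypt(key, sealed []byte, label string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed backup is too short to contain a nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

// ContainsPlaintext reports whether recognizable export fields are readable
// in the blob, which is exactly what an unencrypted drive leaks when lost.
func ContainsPlaintext(blob []byte) bool {
	return bytes.Contains(blob, []byte("last_name")) || bytes.Contains(blob, []byte("Doe"))
}

func main() {
	const label = "pm-export-2024-01-01.csv" // assumed file name for the example
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, sampleBackup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("patient fields readable on the drive: %v\n", ContainsPlaintext(sealed))

	// Simulate a corrupted or tampered copy by flipping one byte of the tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Decrypt(key, tampered, label)
	fmt.Printf("tampered copy rejected: %v\n", err != nil)

	plain, err := Decrypt(key, sealed, label)
	fmt.Printf("restore matches original: %v\n", err == nil && bytes.Equal(plain, sampleBackup))
}
```

The design choice to note: the key never goes on the same media as the backup, and the authenticated mode means a restore either reproduces the export exactly or refuses, so there is no way for a quietly altered drive to be restored into the PM system unnoticed. A real backup job would stream files rather than hold them in memory, but the key handling and the fail-closed restore are the parts an auditor will ask about.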
For now these are the basics, and I will be adding more if needed. If you have any further questions, please feel free to call us.