Networks

Very simple.. If it leaves your building it needs to be in a secure package.

That means if you transmit patient info to any remote site outside your building you need to have a secure means of transmission. That could be using SSH or SSL connections or utilizing a VPN/IPSEC solution. Internal network connections are treated as being part of your enterprise and the thought is that within your building you can control physical access to your network and guarantee that no one is eavesdropping on your network. You'll also have to beef up your desktop security so that someone cannot just walk up to a machine and view patient information. Usually just setting the screen saver to one minute with a password will suffice to lock out casual observers. You may also want to show your staff how to lock the screen when they step away.


ALM

http://www.wedi.org/snip/
http://www.hipaadvisory.com/regs/finalsecurity/

The final security regulations, while tough reading, can be deciphered.

You can solve 80% of your problems by simply creating low-cost solutions: Create policies and procedures, and conduct training. For example, I was alone in a room at my doc's office the other day waiting to have bloodwork. Sitting on the computer screen was information about another patient. Big HIPAA no-no. Training employee's to log off computers or lock their workstations (Windows XP/2000/NT) would solve that issue.

Conduct a risk analysis of your weaknesses. Then develop a plan to become compliant. Then is there is ever an issue, you can say, "This is what we used to be like, this is how we are now, this is what we plan to do in the future." You must be showing a "good faith" effort that you are attempting to comply. You are not being asked to remedy all issues overnight.

Try this:

http://www.hhs.gov/ocr/hipaa/
http://www.hhs.gov/ocr/hipaa/finalreg.html
http://www.hipaadvisory.com/action/faqs/Road%20to%20Compliance.htm
http://www.healthinschools.org/focus/2002/no4.htm

Good Luck Lee

as long as patient data is not transmitted outside of site, everyone has their own password. sharing is not allowed, patients do not have access to pcs...