HIPAA requirements if medical website is only inside the office and not accessible from the public Internet

If your OpenEMR (or medical website/software) is ONLY inside your office, not accessible from the public Internet, and does not transmit PHI outside the clinic, then your HIPAA requirements are much simpler — but still real.

Below is the correct and practical HIPAA requirements list for an on-premise, office-only EMR system.


✅ If your system is only on an office computer (no Internet access for PHI)

You must still follow the HIPAA Security Rule, because PHI is stored electronically (ePHI).
BUT you do NOT need HIPAA-compliant web hosting or an external BAA.

You must secure:


1. Physical Safeguards (Required)

These protect access to the physical computer.

✔ Locked office & controlled access
  • Only authorized staff can enter rooms with PHI computers.
✔ Secure workstation placement
  • Computer screens cannot face patients or public areas.
✔ A backup process
  • Local encrypted backup (USB, external HDD, NAS).
  • Device must be locked up when not in use.
✔ Device disposal
  • If old PCs/HDDs are replaced, drives must be wiped with secure erase.

2. Technical Safeguards (Required)

These protect PHI on the device.

✔ Full-disk encryption

Use BitLocker (Windows) or FileVault (Mac).
HIPAA requires encryption, or a documented justification for not using it.

✔ User authentication & access control
  • Each staff member must have their own login (Windows + OpenEMR).
  • Strong passwords required.
  • Automatic logout after inactivity.
✔ Audit logs

OpenEMR already provides this.
You must keep logs for access and changes to PHI.
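
Keeping the logs is only half of the requirement; someone has to look at them. As an added example (not OpenEMR's own code and not part of the original article), the Python script below reviews an audit log exported as CSV. It assumes the columns timestamp, user, event, patient_id and success (an assumed layout, not OpenEMR's exact schema), uses constructed sample rows, and the thresholds and office hours are illustrative assumptions. It reports repeated failed logins, PHI access outside office hours, and which patients each user touched.

```python
"""Review an exported EMR audit log for PHI access.

Added example, not OpenEMR's own code. Assumes a CSV export with the columns
timestamp,user,event,patient_id,success (assumed layout, not OpenEMR's schema).
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (not real clinic data).
SAMPLE_LOG = """\
timestamp,user,event,patient_id,success
2024-03-04 08:55:12,drjones,login,,1
2024-03-04 09:02:40,drjones,patient-record-view,1001,1
2024-03-04 09:10:05,reception,patient-record-view,1001,1
2024-03-04 09:11:30,reception,patient-record-update,1001,1
2024-03-04 12:30:00,biller,login,,0
2024-03-04 12:30:20,biller,login,,0
2024-03-04 12:30:45,biller,login,,0
2024-03-04 12:31:10,biller,login,,0
2024-03-04 12:31:30,biller,login,,0
2024-03-04 12:31:55,biller,login,,0
2024-03-04 23:15:02,reception,patient-record-view,1002,1
2024-03-04 23:16:40,reception,patient-record-view,1003,1
2024-03-04 23:17:22,reception,patient-record-view,1004,1
"""

# Thresholds are assumptions for illustration; tune them for the practice.
FAILED_LOGIN_THRESHOLD = 5
OFFICE_HOURS = (7, 19)            # 07:00-18:59 counts as office hours
PHI_EVENTS = {"patient-record-view", "patient-record-update"}


def parse_log(text):
    """Parse the CSV export; timestamps become datetimes, success a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        row["success"] = row["success"] == "1"
        rows.append(row)
    return rows


def failed_logins(rows, threshold=FAILED_LOGIN_THRESHOLD):
    """Users with at least `threshold` failed logins (possible password guessing)."""
    counts = Counter(r["user"] for r in rows
                     if r["event"] == "login" and not r["success"])
    return {user: n for user, n in counts.items() if n >= threshold}


def after_hours_phi_access(rows, hours=OFFICE_HOURS):
    """PHI events outside office hours: user -> patient ids touched."""
    start, end = hours
    hits = defaultdict(list)
    for r in rows:
        if r["event"] in PHI_EVENTS and not (start <= r["timestamp"].hour < end):
            hits[r["user"]].append(r["patient_id"])
    return dict(hits)


def phi_access_summary(rows):
    """Distinct patients each user accessed: the record a periodic review keeps."""
    seen = defaultdict(set)
    for r in rows:
        if r["event"] in PHI_EVENTS:
            seen[r["user"]].add(r["patient_id"])
    return {user: sorted(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Repeated failed logins:", failed_logins(log))
    print("After-hours PHI access:", after_hours_phi_access(log))
    print("PHI access summary:", phi_access_summary(log))
```

Run it monthly against a fresh export and keep the printed summary with the rest of your HIPAA documentation; an entry such as the receptionist viewing several charts at 23:00 is exactly the kind of finding the review exists to catch.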

✔ Role-based access

Receptionist ≠ Doctor ≠ Biller: each role sees only the PHI its job requires.

✔ Network isolation

If your EMR computer is on the same LAN as Wi-Fi, ensure:

  • Wi-Fi uses WPA3 or WPA2-Enterprise
  • Guest Wi-Fi is separate
  • No port forwarding / no remote access
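
A quick way to confirm "no remote access" from the EMR host itself is to list what is listening and check that only the EMR web service is reachable from the LAN, with the database and any helper services bound to loopback. The Python check below is an added example, not OpenEMR's own code. It assumes the socket listing is the text output of `ss -tln` on a Linux host (Windows `netstat -an` has a different layout and would need its own parser), the sample output is constructed, and the expected LAN port (443 for the OpenEMR web interface) is an assumption for the example.

```python
"""Flag services on the EMR host that the office LAN can reach.

Added example, not OpenEMR's own code. Assumes `ss -tln` output from Linux.
"""
import ipaddress

# Constructed sample output in `ss -tln` layout (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       511            0.0.0.0:443         0.0.0.0:*
LISTEN  0       511          127.0.0.1:80          0.0.0.0:*
LISTEN  0       80             0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
LISTEN  0       4096         127.0.0.1:9000        0.0.0.0:*
"""

# Ports the office LAN is expected to reach on the EMR host (assumption:
# only the OpenEMR web interface over HTTPS).
EXPECTED_LAN_PORTS = {443}


def parse_listeners(text):
    """Return (address, port) pairs from `ss -tln` output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback_only(addr):
    """True when the socket is bound to a loopback address (127.x / ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                            # "*" wildcard: all interfaces


def lan_exposed_services(text, expected=EXPECTED_LAN_PORTS):
    """Ports reachable from the LAN that are not on the expected list."""
    return sorted(port for addr, port in parse_listeners(text)
                  if not is_loopback_only(addr) and port not in expected)


if __name__ == "__main__":
    exposed = lan_exposed_services(SAMPLE_SS_OUTPUT)
    print("Unexpected LAN-reachable ports:", exposed or "none")
```

In the constructed sample the check flags 3306 (the database accepting LAN connections) and 22 (a remote-login service); on an office-only EMR both should be closed or bound to loopback. This host-side check does not see the router, so still confirm on the router that no port-forwarding rules exist.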

3. Administrative Safeguards (Required)

Policies and procedures you must follow.

✔ HIPAA training for staff

Every employee must get yearly HIPAA training.

✔ Risk assessment (simple version)

You must document:

  • Where PHI is stored
  • Who uses the system
  • What risks exist (theft, power outage, virus, etc.)
  • What measures you take to reduce these risks
✔ Incident response plan

Write down:

  • What you do if a computer is stolen
  • What you do if a virus hits
  • Who is contacted
✔ Backup & recovery plan
  • At least one encrypted backup
  • Verify backups monthly
  • A way to restore OpenEMR within reasonable time
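
"Verify backups monthly" means actually restoring one and checking the result, not just seeing a file on the drive. The Python script below is an added example, not OpenEMR's own tooling and not from the original article. It archives a data directory with a SHA-256 manifest, restores the archive into scratch space and compares every file hash, and tracks whether the monthly restore test is overdue. It assumes the backup drive is already encrypted at the volume level (for example BitLocker To Go on the external disk), so encryption is not repeated here; the file names and contents are constructed stand-ins, not a real OpenEMR layout.

```python
"""Back up EMR data with a SHA-256 manifest and prove it restores.

Added example, not OpenEMR's own tooling. Assumes the backup drive itself is
encrypted (e.g. BitLocker To Go), so this handles integrity and restore testing.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

VERIFY_INTERVAL = timedelta(days=30)    # "verify backups monthly"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, dest_dir):
    """Archive source_dir into dest_dir; return (archive, manifest) paths."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"emr-backup-{stamp}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                files[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    manifest = Path(str(archive) + ".manifest.json")
    manifest.write_text(json.dumps({"created": stamp, "files": files}, indent=2))
    return archive, manifest


def verify_backup(archive, manifest):
    """Restore into scratch space and compare every hash; [] means clean."""
    expected = json.loads(Path(manifest).read_text())["files"]
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python version has it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = Path(scratch)
        for rel, digest in expected.items():
            path = restored / rel
            if not path.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(path) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        found = {p.relative_to(restored).as_posix()
                 for p in restored.rglob("*") if p.is_file()}
        problems += [f"unexpected file: {rel}" for rel in sorted(found - set(expected))]
    return problems


def verification_due(last_verified, now=None, interval=VERIFY_INTERVAL):
    """True when no restore test has been done within the interval."""
    now = now or datetime.now()
    return last_verified is None or now - last_verified >= interval


def build_sample_data(root):
    """Constructed stand-in files (not real PHI, not a real OpenEMR layout)."""
    root = Path(root)
    (root / "sql").mkdir(parents=True)
    (root / "sql" / "emr-dump.sql").write_text("-- constructed dump placeholder\n")
    (root / "documents").mkdir()
    (root / "documents" / "note-1001.txt").write_text("constructed document\n")
    return root


def run_demo():
    """Back up sample data, verify it, then corrupt the manifest to show detection."""
    with tempfile.TemporaryDirectory() as work:
        source = build_sample_data(Path(work) / "emr")
        dest = Path(work) / "backup-drive"
        dest.mkdir()
        archive, manifest = create_backup(source, dest)
        clean = verify_backup(archive, manifest)
        data = json.loads(manifest.read_text())
        data["files"]["sql/emr-dump.sql"] = "0" * 64   # simulate a damaged backup
        manifest.write_text(json.dumps(data))
        tampered = verify_backup(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(run_demo())
```

Point `create_backup` at the real OpenEMR data directory and database dump, and record the date of each successful `verify_backup` run; `verification_due` then tells you when the next monthly restore test is owed. A restore test that finds problems is a finding for the incident response plan, not something to fix quietly.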

🛑 NO HIPAA REQUIREMENTS for things you are NOT doing

Because the system is not on the Internet, you do NOT need:

❌ HIPAA hosting
❌ A Business Associate Agreement (unless 3rd-party IT has access)
❌ SSL certificates (for public access)
❌ Cloud storage
❌ External server hardening
❌ Public website security compliance for PHI

⚠ BUT… you still need a BAA with your IT company

If any IT person or maintenance provider can access the system or see PHI, they are a Business Associate and must sign a BAA.

Examples needing a BAA:

  • Managed IT company
  • Remote tech support
  • Contracted system administrator
  • Cloud backup vendors (if used)

👨‍⚕️ If your setup is like this, you are OK

Example safe setup:

  • OpenEMR installed on office desktop/server
  • PHI/Data only accessible inside the office
  • No remote access
  • Staff use the office LAN only
  • Daily encrypted local backup
  • BitLocker enabled
  • Password-protected logins
  • Staff trained in HIPAA basics

This is completely compliant for a 1–5 doctor practice if maintained properly.