{"id":3968,"date":"2025-11-16T22:48:19","date_gmt":"2025-11-16T22:48:19","guid":{"rendered":"https:\/\/medindex.am\/accounts\/?page_id=3968"},"modified":"2025-11-16T22:51:10","modified_gmt":"2025-11-16T22:51:10","slug":"hipaa-requirements-if-medical-website-is-only-inside-the-office-and-not-accessible-from-the-public-internet","status":"publish","type":"page","link":"https:\/\/medindex.am\/accounts\/hipaa-requirements-if-medical-website-is-only-inside-the-office-and-not-accessible-from-the-public-internet\/","title":{"rendered":"HIPAA requirements if medical website is only inside the office and not accessible from the public Internet"},"content":{"rendered":"\n

If your OpenEMR (or medical website\/software)<\/strong> is ONLY inside your office<\/strong>, not accessible from the public Internet<\/strong>, and does not transmit PHI outside the clinic<\/strong>, then your HIPAA requirements are much simpler<\/em> \u2014 but still real<\/strong>.<\/p>\n\n\n\n

Below is the correct<\/strong> and practical<\/strong> HIPAA requirements list for an on-premise, office-only EMR system<\/em>.<\/p>\n\n\n\n

\n\n\n\n
\u2705 If your system is only on an office computer (no Internet access for PHI)<\/strong><\/h6>\n\n\n\n

You still<\/strong> must follow HIPAA Security Rule<\/strong> requirements because PHI is stored electronically (ePHI).
BUT you do NOT need HIPAA-compliant web hosting<\/strong> or external BAA.<\/p>\n\n\n\n

You must secure:<\/p>\n\n\n\n

\n\n\n\n

1. Physical Safeguards (Required)<\/strong><\/h4>\n\n\n\n

These protect access to the physical computer.<\/p>\n\n\n\n

\u2714 Locked office & controlled access<\/h6>\n\n\n\n
    \n
  • Only authorized staff can enter rooms with PHI computers.<\/li>\n<\/ul>\n\n\n\n
    \u2714 Secure workstation placement<\/h6>\n\n\n\n
      \n
    • Computer screens cannot face patients or public areas.<\/li>\n<\/ul>\n\n\n\n
      \u2714 A backup process<\/h6>\n\n\n\n
        \n
      • Local encrypted backup (USB, external HDD, NAS).<\/li>\n\n\n\n
      • Device must be locked up when not in use.<\/li>\n<\/ul>\n\n\n\n
        \u2714 Device disposal<\/h6>\n\n\n\n
          \n
        • If old PCs\/HDDs are replaced, drives must be wiped with secure erase.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          2. Technical Safeguards (Required)<\/strong><\/h4>\n\n\n\n

          These protect PHI on the device.<\/p>\n\n\n\n

          \u2714 Full-disk encryption<\/h6>\n\n\n\n

          Use BitLocker (Windows)<\/strong> or FileVault (Mac)<\/strong>.
          HIPAA requires encryption or documented justification<\/strong>.<\/p>\n\n\n\n

          \u2714 User authentication & access control<\/h6>\n\n\n\n
            \n
          • Each staff member must have their own login<\/strong> (Windows + OpenEMR).<\/li>\n\n\n\n
          • Strong passwords<\/strong> required.<\/li>\n\n\n\n
          • Automatic logout<\/strong> after inactivity.<\/li>\n<\/ul>\n\n\n\n
            \u2714 Audit logs<\/h6>\n\n\n\n

            OpenEMR already provides this.
            You must keep logs for access and changes to PHI.<\/p>\n\n\n\n

            \u2714 Role-based access<\/h6>\n\n\n\n

            Receptionist \u2260 Doctor \u2260 Biller<\/p>\n\n\n\n

            \u2714 Network isolation<\/h6>\n\n\n\n

            If your EMR computer is on the same LAN as Wi-Fi, ensure:<\/p>\n\n\n\n

              \n
            • Wi-Fi is secure WPA3 or WPA2-Enterprise<\/strong><\/li>\n\n\n\n
            • Guest Wi-Fi is separate<\/strong><\/li>\n\n\n\n
            • No port forwarding \/ no remote access<\/li>\n<\/ul>\n\n\n\n
              \n\n\n\n

              3. Administrative Safeguards (Required)<\/strong><\/h4>\n\n\n\n

              Policies and procedures you must follow.<\/p>\n\n\n\n

              \u2714 HIPAA training for staff<\/h6>\n\n\n\n

              Every employee must get yearly HIPAA training.<\/p>\n\n\n\n

              \u2714 Risk assessment (simple version)<\/h6>\n\n\n\n

              You must document:<\/p>\n\n\n\n

                \n
              • Where PHI is stored<\/li>\n\n\n\n
              • Who uses the system<\/li>\n\n\n\n
              • What risks exist (theft, power outage, virus, etc.)<\/li>\n\n\n\n
              • What measures you take to reduce these risks<\/li>\n<\/ul>\n\n\n\n
                \u2714 Incident response plan<\/h6>\n\n\n\n

                Write down:<\/p>\n\n\n\n

                  \n
                • What you do if a computer is stolen<\/li>\n\n\n\n
                • What you do if a virus hits<\/li>\n\n\n\n
                • Who is contacted<\/li>\n<\/ul>\n\n\n\n
                  \u2714 Backup & recovery plan<\/h6>\n\n\n\n
                    \n
                  • At least one encrypted<\/strong> backup<\/li>\n\n\n\n
                  • Verify backups monthly<\/li>\n\n\n\n
                  • A way to restore OpenEMR within reasonable time<\/li>\n<\/ul>\n\n\n\n
                    \n\n\n\n
                    \ud83d\uded1 NO HIPAA REQUIRED<\/strong> for things you are NOT doing<\/h6>\n\n\n\n

                    Because the system is not on the Internet<\/strong>, you do NOT<\/strong> need:<\/p>\n\n\n\n

                    \u274c HIPAA hosting<\/h6>\n\n\n\n
                    \u274c A Business Associate Agreement (unless 3rd-party IT has access)<\/h6>\n\n\n\n
                    \u274c SSL certificates (for public access)<\/h6>\n\n\n\n
                    \u274c Cloud storage<\/h6>\n\n\n\n
                    \u274c External server hardening<\/h6>\n\n\n\n
                    \u274c Public website security compliance for PHI<\/h6>\n\n\n\n
                    \n\n\n\n
                    \u26a0 BUT\u2026 You still need BAA with your IT company<\/h6>\n\n\n\n

                    If any IT person or maintenance provider can access the system or see PHI, they are a Business Associate<\/strong> and must sign a BAA<\/strong>.<\/p>\n\n\n\n

                    Examples needing a BAA:<\/p>\n\n\n\n

                      \n
                    • Managed IT company<\/li>\n\n\n\n
                    • Remote tech support<\/li>\n\n\n\n
                    • Contracted system administrator<\/li>\n\n\n\n
                    • Cloud backup vendors (if used)<\/li>\n<\/ul>\n\n\n\n
                      \n\n\n\n
                      \ud83d\udc68\u200d\u2695\ufe0f If your setup is like this, you are OK<\/h6>\n\n\n\n

                      Example safe setup:<\/p>\n\n\n\n

                        \n
                      • OpenEMR installed on office desktop\/server<\/li>\n\n\n\n
                      • PHI\/Data only accessible inside the office<\/li>\n\n\n\n
                      • No remote access<\/li>\n\n\n\n
                      • Staff use the office LAN only<\/li>\n\n\n\n
                      • Daily encrypted local backup<\/li>\n\n\n\n
                      • BitLocker enabled<\/li>\n\n\n\n
                      • Password-protected logins<\/li>\n\n\n\n
                      • Staff trained in HIPAA basics<\/li>\n<\/ul>\n\n\n\n

                        This is completely compliant<\/strong> for a 1\u20135 doctor practice if maintained properly.<\/p>\n\n\n\n

                        <\/p>\n","protected":false},"excerpt":{"rendered":"

                        If your OpenEMR (or medical website\/software) is ONLY inside your office, not accessible from the public Internet, and does not transmit PHI outside the clinic, then your HIPAA requirements are much simpler \u2014 but still real. Below is the correct and practical HIPAA requirements list for an on-premise, office-only EMR system. \u2705 If your system […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"slim_seo":{"title":"HIPAA requirements if medical website is only inside the office and not accessible from the public Internet - Medindex","description":"If your OpenEMR (or medical website\/software) is ONLY inside your office , not accessible from the public Internet , and does not transmit PHI outside the clini"},"footnotes":""},"class_list":["post-3968","page","type-page","status-publish","hentry"],"_hostinger_reach_plugin_has_subscription_block":false,"_hostinger_reach_plugin_is_elementor":false,"_links":{"self":[{"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/pages\/3968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/comments?post=3968"}],"version-history":[{"count":0,"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/pages\/3968\/revisions"}],"wp:attachment":[{"href":"https:\/\/medindex.am\/accounts\/wp-json\/wp\/v2\/media?parent=3968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}