Sunday, May 30, 2010

ARRA Q&A: Are imaging costs recoupable under the HITECH act?

I got the following question from Brandon about the need to have a domain-controlled network in order to comply with HIPAA.

I am currently trying to implement an EMR system in a small practice. I am trying to convince the parties involved that it is necessary to transition to a domain controlled network for security reasons even though this type of network is not required for our EMR system or its server. My understanding of HIPAA is that simply having a firewall does not qualify as a “secured network”. Am I right on this?

Brandon,
You are correct that a firewall by itself is unlikely to qualify as a “secured network.” The HIPAA Security Rule does not prescribe a network design at all; it requires safeguards such as unique user identification, automatic logoff, audit controls and access control (45 CFR 164.312), and a firewall only covers the network-access part of that list. However, that doesn’t necessarily mean you need a domain-controlled network to meet the standards. You can apply the same settings a domain would push (password and lockout rules, a locked screen saver, logon auditing, no shared or guest accounts) by hand on each computer through its Local Security Policy and reach the same configuration on every machine.

Of course, the key word in that statement is “by hand.” If you have fewer than 10 computers, this probably isn’t a huge deal and can be done manually. Once you pass 10 computers (or somewhere in that range), you probably want to consider using Active Directory and Group Policy to manage the security settings on your computers. It’s much easier to apply a policy to a large number of computers that way, and the policy is reapplied at every refresh, so you know it was applied consistently across your network instead of hoping nobody changed a setting on one PC and walking around to check.
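As an added example (not from the original post), here is what the “by hand” path looks like on one standalone Windows PC: a script that applies the account, audit, firewall and screen-lock settings a domain would normally push, plus a check function you can run on each machine (or over WinRM) to see whether it still matches. The thresholds (8-character minimum, 90-day age, 5-attempt lockout, 10-minute lock) and the computer names are illustrative assumptions; take the real values from your own risk analysis.

```powershell
# Added example, not the blog's or any vendor's script: put a domain-style
# security baseline on a standalone (workgroup) Windows PC by hand, then verify it.
# Run in an elevated PowerShell session. All thresholds below are assumptions.
$ErrorActionPreference = 'Stop'

function Set-StandaloneBaseline {
    # Account policies: what Local Security Policy > Account Policies would set
    net accounts /minpwlen:8 /maxpwage:90 /uniquepw:5 `
                 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # No anonymous shared login: disable the built-in Guest account
    net user Guest /active:no | Out-Null

    # Audit controls: record logon/logoff so the Security log shows who used the PC
    auditpol /set /subcategory:"Logon"  /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Logoff" /success:enable | Out-Null

    # Host firewall on for all profiles (a perimeter firewall alone is not enough)
    netsh advfirewall set allprofiles state on | Out-Null

    # Automatic logoff: password-protected screen saver after 600 s, written to
    # the policy key so the logged-on user cannot switch it back off.
    # HKCU is per user, so run this once for every Windows account on the PC.
    $ss = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    New-Item -Path $ss -Force | Out-Null
    Set-ItemProperty -Path $ss -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $ss -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $ss -Name ScreenSaveTimeOut   -Value '600'
}

function Test-StandaloneBaseline {
    # Returns one object of pass/fail flags; any $false is a machine that drifted.
    $acct    = net accounts
    $minLen  = [int]((($acct | Select-String 'Minimum password length').Line) -replace '\D', '')
    $lockout = ((($acct | Select-String 'Lockout threshold').Line) -split ':')[1].Trim()
    $guest   = (((net user Guest | Select-String 'Account active').Line) -split '\s{2,}')[1].Trim()
    $fwOn    = @(netsh advfirewall show allprofiles state | Select-String '^State\s+ON').Count
    $ss      = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
                                -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        MinPwLen8       = ($minLen -ge 8)
        LockoutEnabled  = ($lockout -ne 'Never')
        GuestDisabled   = ($guest -eq 'No')
        FirewallAllOn   = ($fwOn -eq 3)          # domain, private and public profiles
        ScreenLock10min = ($null -ne $ss -and "$($ss.ScreenSaverIsSecure)" -eq '1' -and
                           [int]"$($ss.ScreenSaveTimeOut)" -le 600)
    }
}

function Test-BaselineAcross {
    # Same check over several workgroup PCs. Assumes WinRM is enabled on each
    # and this admin PC lists them in TrustedHosts (both are manual steps).
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        Invoke-Command -ComputerName $c -ScriptBlock ${function:Test-StandaloneBaseline}
    }
}

# Usage on one PC, then from the admin PC across the office (names are assumptions):
#   Set-StandaloneBaseline; Test-StandaloneBaseline | Format-List
#   Test-BaselineAcross -ComputerName FRONTDESK, EXAM1, EXAM2 | Format-Table
```

Two things this makes obvious in practice: the HKCU screen-lock step has to be repeated for every Windows account on every PC, and nothing stops a local administrator from quietly undoing any of it, so the check has to be re-run on a schedule. That bookkeeping is exactly what a domain and Group Policy take off your hands.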

You also shouldn’t ignore the other benefits of a domain-controlled network. I’ve written previously about the benefits of things like shared drives as a nice companion to an EMR, and Active Directory makes adding these shared drives (with permissions granted by group rather than per person) trivial. It’s also a nice benefit to have a single login per user that’s managed by the domain and works on every computer in the office; that one account per person is also the unique user identification HIPAA asks for, rather than a shared front-desk login.

Plus, if your EMR runs on SQL Server and you buy a nice but inexpensive server with Windows Small Business Server, then you already have the software for Active Directory, since SBS includes it and sets the server up as the domain controller during installation. So, it’s really an easy decision to use it. I’ve implemented it at a site with 5 computers and it’s been a great thing to have even if it’s a bit of overkill.
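As an added example (not from the original post, and not tied to any particular EMR or server product), this is what the same baseline (password and lockout rules, locked screen saver, host firewall) looks like when it is defined once in Active Directory and delivered by Group Policy to every PC in a workstation OU. It runs on the domain controller or on an admin PC with the RSAT ActiveDirectory and GroupPolicy modules installed; the domain name, OU path, GPO name and thresholds are illustrative assumptions.

```powershell
# Added example, not the blog's or any vendor's script: define the security
# baseline once in AD and push it to every domain-joined PC with one GPO.
# Domain, OU, GPO name and thresholds are assumptions; adjust to your office.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain  = 'clinic.local'
$OU      = 'OU=Workstations,DC=clinic,DC=local'
$GpoName = 'Workstation Security Baseline'

# Account policies are a property of the domain itself, set once for everyone
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 8 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -PasswordHistoryCount 5 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# One GPO carries the per-user and per-machine settings (idempotent: reuse if present)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Automatic logoff: locked screen saver after 10 minutes, for every user, on every PC
$ssKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName ScreenSaveActive    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName ScreenSaverIsSecure -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName ScreenSaveTimeOut   -Type String -Value '600' | Out-Null

# Host firewall forced on for the domain and private (StandardProfile) profiles
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    Set-GPRegistryValue -Name $GpoName `
        -Key "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile" `
        -ValueName EnableFirewall -Type DWord -Value 1 | Out-Null
}

# Link the GPO to the workstation OU; every computer there picks it up at
# its next policy refresh, and again at every refresh after that.
$linked = (Get-GPInheritance -Target $OU).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes | Out-Null
}

# Human-readable record of exactly what the GPO enforces, for the compliance binder
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:USERPROFILE\$GpoName.html"
```

Logon auditing is not a registry value, so it is not in the script; set it in the same GPO under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration using the Group Policy editor. To confirm a PC received the policy, run `gpupdate /force` and then `gpresult /r` on it; the GPO name should appear under “Applied Group Policy Objects” for both the computer and the user.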
