Sample Small Medical Office Computer Security Policy

This policy covers a variety of topics, including general staff responsibilities, authorization, communication, authentication, system integrity, confidentiality, mobile security, and disaster recovery.

Written by an IT security expert, who also happens to be an internist in private practice.

General Staff Responsibilities

    • All employees must read, understand and sign an acknowledgment of this Policy upon employment.
    • As an employee, your computer system use may be monitored at any time.
    • Administrator will educate employees at least quarterly on maintaining the Confidentiality, Integrity, and Availability of computer data and systems.
    • Any intrusion or suspected breach of security should be privately and immediately reported to the Administrator.

Authorization

    • No employee, vendor, or IT personnel may install software or “inappropriate files” on a computer or local network device in this office without prior written permission from the network Administrator. The Administrator for this practice is: ______________________
    • “Inappropriate files” include non-business-related MP3s, GIF files, games, executables, document files, and any other employee-installed software not approved by the Administrator. Not only do such files consume valuable storage space and bandwidth, but they can also introduce damaging viruses into the network.

Communication

    • All emails from patients will be printed and placed in the chart. Employees are not permitted to email patients in response. Instead, employees should promptly contact the patient by telephone.
    • Employees are not permitted to send, receive or view personal email while at work.
    • Instant messaging, chat, and Peer-to-Peer (P2P) file sharing programs are prohibited.

Authentication

    • All desktop computers in this office will run the most recent version of Windows XP Pro unless otherwise authorized by the Administrator.
    • Each machine will have an “Administrator” account that is set up and accessed only by the Administrator. For security reasons, employees may not use the Administrator account.
    • Employees must use a restricted Windows logon account as defined by the Administrator.
    • Each account must be set to switch automatically to the screen saver after 20 minutes of inactivity.
    • Screen savers must be password protected.
    • Only the default Windows screen savers are allowed.
    • The administrator will define and enforce the use of strong passwords and periodic password changes.

System Integrity

    • Employees may be responsible for updating service packs, antivirus updates, firewall updates, and vendor patches whenever they are reminded. Reminders typically come via pop-up message on the screen, by verbal reminder, or by an email memo.
    • Web browsing is not permitted unless required for patient care. The Internet Explorer security zone must be set to Highest at all times.
    • Each machine will run antivirus software set to update and scan at least biweekly.
    • Each machine will run a spyware and/or adware checker set to update at least biweekly.
    • Each machine will have an enabled, updated personal firewall.
    • Each machine will have auto-updating enabled for Windows patches.
    • Administrator will perform a full security policy audit of each networked machine in the office at least quarterly.
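
An added example, not part of the original policy: a read-only PowerShell audit script the Administrator could run during the quarterly audit to check the workstation settings required in the Authentication and System Integrity sections (screen saver timeout and password protection, personal firewall, automatic Windows patching, and the Internet Explorer Internet-zone level). It assumes a Windows workstation with PowerShell 3 or later and that the settings are stored in the standard registry locations named in the comments; the policy itself does not name these keys, so treat each path as an assumption to confirm against the Windows version in use. The script reports; it changes nothing.

```powershell
# Added example (not part of the original policy): read-only audit of the
# workstation settings required by the Authentication and System Integrity
# sections. Registry locations below are assumptions based on standard Windows
# layout; the policy text does not specify them.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing key or value is reported as a failed check
}

function New-Finding([string]$Control, [bool]$Pass, $Observed, [string]$Expected) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Control  = $Control
        Status   = $status
        Observed = $Observed
        Expected = $Expected
    }
}

function Test-OfficePolicy {
    $f = @()

    # Authentication: screen saver on, password protected, 20-minute (1200 s) timeout.
    # Per-user values, so run this as the restricted employee account being audited.
    $desk    = 'HKCU:\Control Panel\Desktop'
    $active  = Get-RegValue $desk 'ScreenSaveActive'
    $secure  = Get-RegValue $desk 'ScreenSaverIsSecure'
    $timeout = [int](Get-RegValue $desk 'ScreenSaveTimeOut')
    $f += New-Finding 'Screen saver enabled'            ($active -eq '1') $active  '1'
    $f += New-Finding 'Screen saver password protected' ($secure -eq '1') $secure  '1'
    $f += New-Finding 'Screen saver timeout <= 20 min'  ($timeout -gt 0 -and $timeout -le 1200) $timeout '1..1200 seconds'

    # System integrity: personal firewall enabled on the standard profile.
    $fw   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fwOn = Get-RegValue $fw 'EnableFirewall'
    $f += New-Finding 'Windows Firewall enabled' ($fwOn -eq 1) $fwOn '1'

    # System integrity: Automatic Updates set to download and install (AUOptions = 4).
    $au    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $auOpt = Get-RegValue $au 'AUOptions'
    $f += New-Finding 'Automatic Updates install automatically' ($auOpt -eq 4) $auOpt '4'

    # System integrity: Internet Explorer Internet zone (zone 3) at High (CurrentLevel 0x12000).
    $ieZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $level  = Get-RegValue $ieZone 'CurrentLevel'
    $f += New-Finding 'IE Internet zone security = High' ($level -eq 0x12000) ('0x{0:X}' -f [int]$level) '0x12000'

    return $f
}

$results = Test-OfficePolicy
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -eq 'FAIL' }).Count
Write-Output "$failed control(s) out of $($results.Count) not compliant on $env:COMPUTERNAME"
```

Because the screen saver and IE zone values are per-user, the Administrator gets a meaningful result only by running the script under each restricted employee account (or by loading that user's hive); running it from the Administrator account audits the Administrator's own profile. Save the table output with the date and machine name so the quarterly audits can be compared.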

Confidentiality

    • Patient data may not be stored, removed or transmitted from the office by any media, without prior written permission from the Administrator.
    • Transcriptionists may email transcriptions only in a secure format. The required format is a Microsoft Word document that has been zipped and encrypted with WinZip using the 256-bit AES strong encryption setting.
    • Employees must leave the built-in hard drives of scanners, copiers, and fax machines disabled.

Mobile Security

    • Personal Data Assistants and mobile computing devices (PDAs, Smartphones, Laptop/Notebooks, etc.) are not permitted in the office without prior written approval from the Administrator. External drives of any kind or size are forbidden, unless approved in advance by the Administrator.
    • All wireless and/or mobile devices will run security software equivalent to desktop computers in the office (including antivirus, firewall, and encryption).
    • Wireless Access Points and wireless routers are not permitted in the office without prior written approval from the Administrator.

Disaster Recovery

    • Employees who are responsible for the patient database must back up the database once per week on a machine separate from the server.
    • Each computer will have a recovery disk and all required software available next to its location at all times. Employees may not remove this software.
    • The medical office manager will also store a backup CD-ROM of the database in the office safe every month.
    • Every quarter, both the Administrator and office manager will store an encrypted, backup copy of the database off site (at least 5 miles away).
    • Every 6 months, the office will participate in a data disaster recovery drill. This will involve restoring the database from scratch after a simulated, complete system crash.

©2006 Cyrus Peikari, M.D.
