@YeOldeStonecat
I'm not arguing anything about what you've said in regard to HIPAA, but if
@Velvis does NOT sign on as their HIPAA compliance officer, and, in fact, puts it in writing that he is not such, that should cover him.
Note: Anyone who's thinking of doing IT in environments that require HIPAA compliance, and particularly those who are not willing to accept responsibility for compliance, should have the contractual language drawn up by a lawyer. It should be boilerplate, but it's well worth having professionally drawn up boilerplate that's ironclad in insulating you from that role and responsibility.
One of the reasons I refuse to take any of this on is because it is well-nigh impossible to ensure that there is, in actuality, full compliance. And even those who take on the role of HIPAA compliance officer as a third party will often put it in the contract that they are not responsible if the client fails to follow any one of the recommendations that they make.
If someone who doesn't "do HIPAA compliance" for a living gets involved in IT where it's necessary, there had better be contractual language that holds them harmless for compliance violations.
I have hated HIPAA as both a former healthcare provider and an IT person because virtually no one really understands what compliance really entails, and even those who do cannot be held responsible if those "on the ground" work around certain things (e.g., exactly what's being talked about here). It's all a freakin' house of cards! I honestly doubt that virtually any healthcare organization would pass a strict audit for HIPAA compliance, primarily because it's unreasonable to expect that there will be no shared workstations where logins to the workstations themselves aren't going to be at the individual level. I've never worked in a healthcare setting where things like labs are involved where walk-up workstations are not the norm and no one ever logs in to them with an individual user ID.