Well, I inferred from the original post the following:
1) It was a small clinic; if it was a large clinic, they'd have an IT person already. Perhaps a new doctor, or one that hadn't networked as of yet.
2) That the original poster didn't have a lot of network experience, and had even fewer dealings with HIPAA and so forth.
I deal with HIPAA regulations every day, and GLBA regularly as well. HIPAA doesn't care HOW you network, as long as it's secure, and the protected information is secured.
I write a security report for a bank every year. I have to document any changes to the network, especially if it means communicating with the outside world. I not only have to understand myself exactly what every piece of software is doing (for example, the Internet Banking section), but I also have to get the *board* to understand it. The FDIC examiners won't settle with "Yeah, Greg says it's secure, we don't really know how it works, but he says it's OK." They have to actually understand (in general terms) themselves.
Let's look at it this way. Suppose that you installed a network at a clinic (as is being discussed). You dropped in a cable modem or DSL so they'd have e-mail and such. Through user carelessness or whatever, someone was able to drop a back-door into one of the machines.
Next thing you know, a patient is calling the clinic, because they have AIDS, and now that information, along with *EVERY OTHER PATIENT'S* protected information, is posted on a news group on the Internet.
Guess who's responsible? The patient? Nope. The clinic? Well, they'll probably have the pants sued off of them and go out of business. And then, guess who they're coming after? Yup. The person who installed the network, who didn't make sure that it was HIPAA compliant, had intrusion detection and proper anti-virus protection.
Oh, sorry, you didn't have Errors and Omissions Insurance? You're *personally* sued.
Sooooooooo.... let's put this into perspective.
1) The patients whose information got posted - well, their lives are shot. They can't get a job, because now everyone knows they have AIDS.
2) The clinic. They got sued for hundreds of thousands of dollars by each patient whose information was compromised. If they're lucky, it will end up as a class-action suit instead for a few million, instead of having to answer x-number of suits individually. Either way, they're out of business. Even if their insurance covers the damages, their reputation is ruined, and the insurance will probably drop them anyway. The doctor himself may even lose his license.
3) YOU. Do you really think the clinic isn't going to drag you into this? YOU allowed all those lives to be ruined, through negligence and not understanding the regulations governing the health care industry. If you survive the lawsuit, your reputation is also ruined, and you'll be lucky if someone hires you to set up their new computer from now on.
Well, that's enough ranting from me for now. I understand the excitement about getting a "regular gig", especially if you're just trying to break into the business and make a name for yourself. But here's another thought for you. When one of the banks I consult for first wanted to set up their Internet Banking, they asked if I could do it for them. Now, I've got 20+ years of computer experience, and yes, I probably could have gotten it all working. But I decided not to. I suggested the bank outsource it to a company that did it as a business. Why? Because I couldn't absolutely guarantee that the information would ONLY be shown to the eyes of the account holder. I couldn't guarantee that the privacy of the customers would be upheld. And even though I figured I probably *could* do a pretty good job at securing all of that, I wasn't ready to literally bet everything I owned on it.
Just my $0.02
"In order to start solving a problem, one must first identify its owner." --Me
--Greg