Is Windows Server 2008 Small Business Edition an appropriate start for our small medical office healthcare IT?
Even more specific, is this the place I should be asking?

I'm a nephrologist, the "techie" in a group of 4 docs who share 6 employees. We all have computers on our desks, and we have a peer-to-peer LAN that basically provides shared internet and printer access. Our staff retrieve reports from our hospitals and labs (on a one-by-one, not "pushed" basis). The docs do remote access to the full-featured (Kaiser Health Connect) or rudimentary (everyone else) EHRs of the hospitals and dialysis clinics where we practice. Our computers currently run an assortment of XP Home, XP Pro, Vista Home, Vista Business, and Mac OS X operating systems. We use a paper appointment book, and we have paper charts (although all our patient encounter notes are and have been MS Word docs for several years).

I've been nudging us towards increased use of IT tools. My first targets include the following:

- Enabling secure access to our patient records from within the office and external locations; e.g., home, hospitals, dialysis clinics
- Creating a vehicle for secure messaging that will allow us, our own staff, and our external associates (nurses and dietitians in the dialysis clinics, other docs, IT staff and management of the dialysis company where I serve as the end-user consultant) to communicate in compliance with HIPAA
- Scheduling
- Integration of "push" reporting of results from commercial labs
- e-prescribing

Why not just buy a "solution" from a vendor? Same reason that fewer than 5% of docs outside of Kaiser use EHRs in their office practice -- 1/3 of ALL the docs in the US who have fully implemented EHR are on Kaiser's "Health Connect" implementation of the EPIC platform: WAY too expensive, or WAY too feeble, and at this moment even if we could afford it we'd be akin to buying an electric vehicle before the country decides on "plug it in at home" vs. "electricity filling stations" vs. "battery swap stations."
So, assuming this is the correct place to ask (if it's not, I'd be grateful for suggestions where I should be doing so), here are my first questions:

- Does it make sense to use Windows Server 2008 Small Business Edition as the hardware platform to enable this?
- If so, will the individual docs in our office be forced to give up the autonomy they now have to add or change what programs and data they keep on their own desktop and laptop workstations? Will they be able to keep their private information private from the server administrator (likely me)?
- If all we do to start is use the server as a repository for our chart notes (the idea here is that if I see a patient of one of my partners in the hospital or emergency department nights or weekends, I'd have access to the patient's prior records from our office), do we even NEED a server OS? Could I just host a secure website on a workstation in our office?
- Assuming it makes sense to establish client-server networking in our office, will Windows Server 2008 permit access from hospital and dialysis center workstations if we provide proper logon credentials from those machines? (Of course the hospital IT departments have them fairly securely "locked down" so that we wouldn't be able to establish VPN connections to our server. There are plenty of workstations in most hospital locations that permit physicians access to the WWW, and even the worst of the luddites in my office can remember an "https" URL, username, and password.)
- Can we use the Exchange Server in Windows Server 2008 Small Business to set up secure messaging between us and external associates?

Again, if any readers know of a better place to discuss this, I'd be grateful for leads. I've purchased a few books on Windows Server 2008; they're very complete on the specifics of setting things up, but short on descriptions of just how one can use the network once one has done so.

Thanks so much,
Jim Robertson
May 4th, 2009 3:45pm

Hello Jim,

See my responses inline.

> Does it make sense to use Windows Server 2008 Small Business Edition as the hardware platform to enable this?

Yes, Windows Server 2008 Small Business will be a good start for your small medical office. At least, it will get you going with a domain and Microsoft Exchange mail service.

> If so, will the individual docs in our office be forced to give up the autonomy they now have to add or change what programs and data they keep on their own desktop and laptop workstations? Will they be able to keep their private information private from the server administrator (likely me)?

Not necessarily, but it will be a better idea to have a common IT policy in place for documents etc., such as storing office documents on the server and having a centralized backup, etc. If one of your doctors' PC/hard drive crashes, then he/she may lose everything, vice versa.

> If all we do to start is use the server as a repository for our chart notes (the idea here is that if I see a patient of one of my partners in the hospital or emergency department nights or weekends, I'd have access to the patient's prior records from our office), do we even NEED a server OS? Could I just host a secure website on a workstation in our office?

Yes, a secure website should do, but it might be more private if you host your own server. No, you can't host a secure website on your workstation; you will need a server for this.

> Assuming it makes sense to establish client-server networking in our office, will Windows Server 2008 permit access from hospital and dialysis center workstations if we provide proper logon credentials from those machines? (Of course the hospital IT departments have them fairly securely "locked down" so that we wouldn't be able to establish VPN connections to our server. There are plenty of workstations in most hospital locations that permit physicians access to the WWW, and even the worst of the luddites in my office can remember an "https" URL, username, and password.)

Yes, and it will depend on the web applications.

> Can we use the Exchange Server in Windows Server 2008 Small Business to set up secure messaging between us and external associates?

Yes, Exchange might be a perfect mail tool for your office.

Isaac Oben MCITP:EA, MCSE
May 5th, 2009 7:08am

Isaac, thanks for your detailed response. I'm in the very early part of the learning curve here (for example, discovering the hardware requirements of Windows Server 2008 Small Business that result from its availability only in a 64-bit version). I hope you won't mind elaborating a bit.

For example, my reading about the means of accessing information stored on the server (our chart notes in doc or docx or pdf format, for example) might require using "remote workplace." If I'm in my local hospital's emergency department and I use a workstation there to log on to my office server, I'm fairly certain I wouldn't be able to install the ActiveX component needed to establish a Remote Workplace connection. I hope I'm correct in inferring from your response that I could configure the server to allow me and my partners access via a simple https connection not involving Remote Workplace. My assumption is that the interface we'd see wouldn't be as robust as it would if we did have Remote Workplace available, but for the implementation to be useful to us we must meet the twin goals of not being able to configure the remote workstations while attempting to comply with HIPAA goals regarding "protected health information" (PHI).

Only individuals who would have workstations on our LAN would be logging on from remote locations, and of course they wouldn't physically be in the office when doing so. Am I correct that connecting remotely would not require separate CALs?

What I've read about Exchange Server thus far prompts another question (again quite basic): One of my biggest HIPAA concerns is that colleagues and external associates want to communicate with us by e-mail, and quite often they send us unencrypted e-mail messages that contain PHI. We always respond that we cannot communicate in that fashion, but we would love to be able to enable HIPAA-compliant communications with such people; e.g., social workers and nurses at dialysis centers where our patients go for treatment, or other docs in other practices who also see our patients. Short of providing such people accounts and e-mail addresses on our system (which would be extraordinarily expensive, and which I guess they'd use via Outlook Web Access) is there some way that the Exchange Server can allow us to communicate securely with such people? Ideally, we'd create a solution that would permit them to use their own preferred e-mail client software.

Once again, I realize that my questions are extraordinarily basic, but most of the things I'm able to find via Wikipedia, Googling, or browsing tech books via my Safari Books Online account are quite robust in discussing the "how" but quite meager in addressing the "why" of tech topics.

Jim Robertson
May 5th, 2009 4:27pm

Hello Jim,

Please see inline for my response.

> Only individuals who would have workstations on our LAN would be logging on from remote locations, and of course they wouldn't physically be in the office when doing so. Am I correct that connecting remotely would not require separate CALs?

Two options I can think of at the moment. First, you can have a secure VPN (Virtual Private Network), which will allow you or others with authorized access to remotely connect into your network and domain from anywhere. Secondly, you can have a secure web interface (if your data are stored in a database) with secure authentication configuration, where you or anyone with access can securely and remotely connect to your network to retrieve or update data, etc.

> What I've read about Exchange Server thus far prompts another question (again quite basic): One of my biggest HIPAA concerns is that colleagues and external associates want to communicate with us by e-mail, and quite often they send us unencrypted e-mail messages that contain PHI. We always respond that we cannot communicate in that fashion, but we would love to be able to enable HIPAA-compliant communications with such people; e.g., social workers and nurses at dialysis centers where our patients go for treatment, or other docs in other practices who also see our patients. Short of providing such people accounts and e-mail addresses on our system (which would be extraordinarily expensive, and which I guess they'd use via Outlook Web Access) is there some way that the Exchange Server can allow us to communicate securely with such people? Ideally, we'd create a solution that would permit them to use their own preferred e-mail client software.

I am not sure it will be possible for you to guarantee encrypted messages from others that use an unencrypted mail service. For example, you can set up and guarantee secure email communication between anyone within your domain namespace using Exchange, but it will be hard to do so if someone is using a mail service that is outside your control. A suggestion for you might be to create a secure web interface or a simple secure FTP service (you can do this as well with your Windows 2008 SBS) that will allow your clients to log in and then upload secure documents, etc.

For server hardware, you can just tell your intended manufacturer what you need and they can advise on what kind of processor, hard disk, etc. that you will need.

Hope my response did help; please feel free to ask more questions or clarification.

Isaac Oben MCITP:EA, MCSE
May 6th, 2009 3:40am

This topic is archived. No further replies will be accepted.
