The first place to start is to look at NIST 800-66, which is dedicated to your specific questions and any organization that needs to be compliant with HIPAA.
Human Health Services has produced some guidelines on what HIPAA is actually asking of you.
The National Institute of Health has some guidelines and tools to use for these purposes.
The SANS organization has some of the top security professionals in the industry talking about these items in webcasts.
Other sites with guidelines, templates and direction:
- HIPAA Advisory
- Siemens Health Services
- U.S. Department of Health & Human Services
Hope these help!
This was first published in August 2005